The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.
A future release of Content Analysis will have the ability to automatically update the ABRCA root CA certificate. When the release is available, you can refer to the Content Analysis Release Notes for upgrade instructions.
In the interim, you should follow the instructions in this article to update the root CA certificate on your Content Analysis hardware or virtual appliance using the command line interface (CLI). You can update the certificate on the appliance without making any other configuration changes.
Warning: The continued operation of your Content Analysis appliances requires that you replace the expiring trusted root CA certificate with a new certificate on each appliance.
To ensure the uninterrupted operation of your Content Analysis appliances, perform the following updates immediately; if this is not possible, make it a priority to complete the updates by the dates specified below. Otherwise, your appliances will experience the failures listed above and possibly other critical issues.
| Appliance or application | Required updates | Update by | Instructions |
| --- | --- | --- | --- |
| Hardware platforms | Update the appliance certificate and the ABRCA root CA certificate | December 18, 2021 | See Update the Hardware Appliance Certificate below. To update the root CA certificate, install the latest trust package. See Update the Trust Package below. |
| Virtual appliances | Update the appliance certificate and the ABRCA root CA certificate | November 15, 2021 | To update the license file, install the latest appliance certificate. See Update the Virtual Appliance Certificate below. To update the root CA certificate, install the latest trust package. See Update the Trust Package below. |
Note: To update Content Analysis applications on Integrated Secure Gateway (ISG), refer to Integrated Secure Gateway Birth Registration Certificate Authority (ABRCA) Root CA Certificate Update for instructions.
Requirements
Ensure that the appliance can access the following domains:
abrca.bluecoat.com - for appliance certificate download
appliance.bluecoat.com - for trust package downloads
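A pre-flight reachability check for the two domains above, added here as an example (it is not Symantec tooling). It assumes TCP port 443, which the article does not state, and that it runs on a host whose outbound traffic follows the same firewall path as the appliance.

```python
import socket

# Domains and purposes come from the Requirements list above.
REQUIRED = {
    "abrca.bluecoat.com": "appliance certificate download",
    "appliance.bluecoat.com": "trust package downloads",
}
PORT = 443  # assumption: the article does not name a port


def probe(host, port=PORT, timeout=5.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Return (stage, detail); stage is 'ok', 'dns' or 'tcp'.

    Separating the stages shows whether a failure is a resolver problem
    or a blocked/filtered connection (the firewall-exception case).
    """
    try:
        resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, or timed out
        return "tcp", str(exc)
    sock.close()
    return "ok", f"connected to port {port}"


def preflight(probe_fn=probe):
    """Probe every required domain; return {host: (stage, detail)}."""
    return {host: probe_fn(host) for host in REQUIRED}


def blocked_steps(results):
    """Describe which downloads cannot succeed given the probe results."""
    return [f"{REQUIRED[host]} ({host}): {stage} failure: {detail}"
            for host, (stage, detail) in results.items() if stage != "ok"]


if __name__ == "__main__":
    problems = blocked_steps(preflight())
    for line in problems:
        print("BLOCKED", line)
    if not problems:
        print("Both domains are reachable from this host")
```

A "dns" result points at the resolver the network provides; a "tcp" result on appliance.bluecoat.com is the case the firewall exception described later in this article addresses.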
Update the Hardware Appliance Certificate
To update the appliance certificate on a hardware appliance, log into the Content Analysis CLI and enter the following command:
CAS# request-appliance-certificate
ok
Alternatively, download the license through the web console:
In the web console, select System > Licensing.
Under Symantec License Download, select Download License from Symantec. The console starts the download and provides a success message when complete.
Update the Virtual Appliance Certificate
To update the appliance certificate on a virtual appliance, log into the Content Analysis CLI and enter the following command:
CAS(config)# licensing load username <username> password <password>
ok
where username and password are your myBroadcom licensing portal credentials.
Alternatively, download the license through the web console:
In the web console, select System > Licensing.
Under Symantec License Download, select Download License from Symantec. The console starts the download and provides a success message when complete.
Update the Trust Package
Because Content Analysis automatically downloads the latest trust package every seven days, your appliances should have the latest trust package unless they were unable to connect to the internet or had other issues that might have prevented a successful automatic download. If this was the case, resolve the issue and ensure continued connectivity for at least seven days.
If you want to ensure you have the latest trust package on a new installation, you can initiate a download of the latest trust package manually in version 3.1.x.
(Version 3.1.x) To download the latest trust package:
CAS# ssl trust-package download-now
Trust package download/update started
(Version 3.1.x) To verify that the update was successful:
CAS# ssl trust-package view
Trust package download completed. No update required
If the appliance is in a closed environment, you must do one of the following to update the trust package:
Add a firewall exception for appliance.bluecoat.com and run the CLI commands in Update the Trust Package again.
If the trust package cannot be updated, you must upgrade Content Analysis. Upcoming versions will include the updated trust package. Monitor this KB article for updates and refer to upcoming Content Analysis Release Notes to determine which versions have the fix.
If the appliance certificate expires, certain appliance-to-back-end communications flows that use the appliance certificate for authentication might stop working correctly, including:
Other issues, yet to be identified, might also occur.