Update the ABRCA Root CA Certificate for the Content Analysis Appliance (Revised: September 7, 2021)

Article ID: 207138

Products

Content Analysis Software

Issue/Introduction

Note: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient. Content Analysis requires a software upgrade to do proper certificate validation during subscription downloads.

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. The new certificate will have an expiration date of December 31, 2037. 

The continued operation of your Content Analysis appliances requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update as soon as possible to allow for adequate testing and troubleshooting before the certificate expires.

IMPORTANT: Plan to update your Content Analysis appliances as soon as possible to allow time for testing and troubleshooting. If you fail to update the appliances in a timely manner, they might experience failures as described in "Consequences of an Expired Appliance Certificate" below. In this case, upgrade to a supported Content Analysis release by November 2021 and update the appliance certificate as described in the following Resolution.

Note: To update Content Analysis applications on Integrated Secure Gateway (ISG), refer to "Integrated Secure Gateway Birth Registration Certificate Authority (ABRCA) Root CA Certificate Update" for instructions.

 

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, certain appliance-to-back-end communication flows that use the appliance certificate for authentication might stop working correctly, including:

  • Appliance certificate update
  • Licensing automatic update
  • Subscription updates
  • Diagnostics and Heartbeat uploads

Other issues, yet to be identified, might also occur. To prevent these issues from occurring, perform the applicable steps described below as soon as possible.

 

What to Do If You Fail to Update Before the Certificate Expires

If you fail to update your Content Analysis appliances before the root CA expires in December 2021, the appliances might experience failures as described above. To renew the certificate, follow the steps described in the Resolution section below.

Resolution

Upgrade Content Analysis

Upgrade to a supported Content Analysis release.

Release: Content Analysis 2.4.2.1
Release Date: June 11, 2021
Note: Content Analysis 2.4.2.0 was previously released with the updated ABRCA root CA certificate. Version 2.4.2.0 is no longer available and is superseded by version 2.4.2.1. If you are currently running Content Analysis 2.4.2.0 or any earlier release, please upgrade to version 2.4.2.1.

Release: Content Analysis 3.1.2.4
Release Date: July 1, 2021
Note: Content Analysis 3.1.2.2 was previously released with the updated ABRCA root CA certificate. For a better experience, please upgrade to version 3.1.2.4 instead.

IMPORTANT: All Content Analysis appliances must be updated to this version. Any previous versions will not be supported after November 2021.

Monitor this KB article for any updates. For upgrade instructions, refer to KB169313. You can download the software package from the Broadcom download portal.
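The following fleet triage script is an added example, not part of the original article or vendor tooling. It classifies reported Content Analysis versions against the releases listed above. The hostnames and inventory lines are constructed, and it assumes that 2.x appliances target 2.4.2.1 and 3.x appliances target 3.1.2.4.

```python
# Added example: triage Content Analysis versions against this article's releases.
# Assumption: 2.x appliances target 2.4.2.1 and 3.x appliances target 3.1.2.4.
TARGETS = {2: (2, 4, 2, 1), 3: (3, 1, 2, 4)}
# Releases the article says carried the new root CA but were superseded.
SUPERSEDED = {(2, 4, 2, 0), (3, 1, 2, 2)}

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not N.N.N.N."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Return one status string for a reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"        # incomplete or malformed: check by hand
    target = TARGETS.get(version[0])
    if target is None:
        return "unknown-branch"     # major version not covered by the article
    if version in SUPERSEDED:
        return "superseded"         # has the new root, upgrade still advised
    if version < target:
        return "upgrade-required"
    return "ok"

def triage(inventory_lines):
    """Map hostname -> status for 'hostname,version' lines; skip blanks/comments."""
    result = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        result[host.strip()] = classify(version)
    return result

# Constructed inventory (hostnames and versions are sample data).
SAMPLE = """\
# hostname,version
cas-hw-01,2.4.1.1
cas-hw-02,2.4.2.0
cas-vm-01,3.1.2.2
cas-vm-02,3.1.2.4
cas-vm-03,3.1
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE.splitlines()).items():
        print(f"{host}: {status}")
```

An appliance reported as "ok" still needs its appliance certificate renewed with the commands in the sections below.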

 

Update the Hardware Appliance Certificate

Note: Ensure that the appliance can access abrca.bluecoat.com for appliance certificate downloads.

To update the appliance certificate on a hardware appliance, log in to the Content Analysis command line interface (CLI) and enter the following command:

CAS# request-appliance-certificate
ok

 

Update the Virtual Appliance Certificate

Note: Ensure that the appliance can access abrca.bluecoat.com for appliance certificate downloads.

To update the appliance certificate on a virtual appliance, log in to the Content Analysis CLI and enter the following command:

CAS(config)# licensing load username <username> password <password>
ok

where username and password are your myBroadcom licensing portal credentials.