Update the ABRCA Root CA Certificate for the Content Analysis Appliance

Article ID: 207138

Products

Content Analysis Software, Content Analysis Software - CA

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT. 

A future release of Content Analysis will have the ability to automatically update the ABRCA root CA certificate. When the release is available, you can refer to the Content Analysis Release Notes for upgrade instructions. 

In the interim, you should follow the instructions in this article to update the root CA certificate on your Content Analysis hardware or virtual appliance using the command line interface (CLI).  You can update the certificate on the appliance without making any other configuration changes.

Warning: The continued operation of your Content Analysis appliances requires that you replace the expiring trusted root CA certificate with a new certificate on each appliance.

Resolution

To ensure the uninterrupted operation of your Content Analysis appliances, perform the following updates immediately; if this is not possible, make it a priority to complete the updates by the dates specified below. Otherwise, your appliances will experience the failures listed under Consequences of an Expired Appliance Certificate below, and possibly other critical issues.

| Appliance or application | Required updates | Update by | Instructions |
|---|---|---|---|
| Hardware platforms | Update the appliance certificate and the ABRCA root CA certificate | December 18, 2021 | See Update the Hardware Appliance Certificate below. To update the root CA certificate, install the latest trust package. See Update the Trust Package below. |
| Virtual appliances | Update the appliance certificate and the ABRCA root CA certificate | November 15, 2021 | To update the license file, install the latest appliance certificate. See Update the Virtual Appliance Certificate below. To update the root CA certificate, install the latest trust package. See Update the Trust Package below. |

 

Note: To update Content Analysis applications on Integrated Secure Gateway (ISG), refer to Integrated Secure Gateway Birth Registration Certificate Authority (ABRCA) Root CA Certificate Update for instructions.

Requirements

Ensure that the appliance can access the following domains:

 

Update the Hardware Appliance Certificate

To update the appliance certificate on a hardware appliance, log into the Content Analysis CLI and enter the following command:

CAS# request-appliance-certificate
ok

Alternatively, download the license through the web console:

  1. In the web console, select System > Licensing.

  2. Under Symantec License Download, select Download License from Symantec. The console starts the download and provides a success message when complete.

 

Update the Virtual Appliance Certificate

To update the appliance certificate on a virtual appliance, log into the Content Analysis CLI and enter the following command:

CAS(config)# licensing load username <username> password <password>
ok

where username and password are your myBroadcom licensing portal credentials.

Alternatively, download the license through the web console:

  1. In the web console, select System > Licensing.

  2. Under Symantec License Download, select Download License from Symantec. The console starts the download and provides a success message when complete.

Update the Trust Package

Because Content Analysis automatically downloads the latest trust package every seven days, your appliances should have the latest trust package unless they were unable to connect to the internet or had other issues that might have prevented a successful automatic download. If this was the case, resolve the issue and ensure continued connectivity for at least seven days.

If you want to ensure you have the latest trust package on a new installation, you can initiate a download of the latest trust package manually in version 3.1.x. 

(Version 3.1.x) To download the latest trust package: 

CAS# ssl trust-package download-now

Trust package download/update started

(Version 3.1.x) To verify that the update was successful:

CAS# ssl trust-package view 

Trust package download completed. No update required

 

Update the Trust Package in a Closed Environment

If the appliance is in a closed environment, you must do one of the following to update the trust package:

  • Add a firewall exception for appliance.bluecoat.com and run the CLI commands in Update the Trust Package again.

  • If the trust package cannot be updated, you must upgrade Content Analysis. Upcoming versions will include the updated trust package. Monitor this KB article for updates and refer to upcoming Content Analysis Release Notes to determine which versions have the fix.

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, certain appliance-to-back-end communications flows that use the appliance certificate for authentication might stop working correctly, including:

  • Appliance certificate update
  • Licensing automatic update
  • Subscription updates
  • Diagnostics and Heartbeat uploads

Other issues, yet to be identified, might also occur.