Update the ABRCA Root CA Certificate for the SSL Visibility Appliance (Revised: May 18, 2021)

book

Article ID: 207140

calendar_today

Updated On:

Products

SSL Visibility Appliance Software

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in November 2021. If the ABRCA root CA certificate is not updated on the appliance, some features that use the appliance certificate for authentication will fail.

Warning: To ensure the uninterrupted operation of your SSL Visibility appliances, you must make it a priority to complete the updates by the following dates:

  • Upgrade to SSL Visibility 4.5.6.1 (released May 10, 2021) by October 31, 2021 

  • Update your license on each appliance by October 31, 2021

Resolution

Requirements

Note: Ensure that the appliance can access the domain *.es.bluecoat.com to download the SSLV appliance license.

To update the ABRCA root CA certificate on your SSL Visibility appliance, upgrade to version 4.5.6.1 (for steps on migrating appliances from 3.x to 4.x, see download the SSL Visibility 4.x Release Notes from the software download center and see the "Upgrading the SSL Visibility Appliance" section) and then upgrade your license by doing one of the following:

  • Automatically update the license by enabling the Auto Update License feature:

    1.  Navigate to (Platform Management) > License.

    2. On the License Settings panel, click Edit and enable the feature.

  • Manually update the license:

    1. Download a new copy of the license.

    2. Navigate to (Platform Management) > License.

    3. Click Add.

    4. On the Upload File tab, click Browse to browse to the file location, or on the Paste Text tab, paste the license text.

 

To validate that your license is up to date, navigate to (Platform Management) > License and ensure the License Status has a Current Status of OK.

To validate the certificate expiration date:

  1. From the PKI menu, open Management Trust.

  2. Select the bluecoat-appliance CA list.

  3. Select the ABRCA_root certificate.  

  4. Click on the information icon and confirm the Valid To date.
    The new certificate has an expiration date Dec 31, 2037.

Consequences of an Expired Certificate

If the certificate expires, the following issues will occur:

  • License verification failures, resulting in traffic interruption

  • Failures in offloading from SSL Visibility to ProxySG appliances

  • Failures when installing new licenses and upgrading

  • Inability to perform heartbeat uploads

Other issues, yet to be identified, might also occur.

Recovering the Appliance After the Certificate Expiration Date

If the ABRCA root certificate expires before it is updated, you can recover the appliance by performing the same steps you would have used to replace the ABRCA root certificate before it expired. To recover the appliance, perform the steps in the Requirement section of this article.

IMPORTANT: Customers who received an RMA appliance that shipped with 3.12 after November 2021 and need to upgrade to 4.x, ensure you use the correct migration path to upgrade to 4.5.6.x or later and then upgrade your license. For migration steps, see "Upgrading the SSL Visibility Appliance" in the SSL 4.x Visibility Release Notes. You can download the release notes from the software download center.