The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. In addition, the appliance certificates installed on some Symantec appliances include an intermediate CA certificate which expires in November 2021.
If these certificates are not updated on the appliance, some features that use the appliance certificate for authentication will fail.
Warning: To ensure the uninterrupted operation of your SSL Visibility appliances, you must make it a priority to complete both of the following updates as soon as possible:
Upgrade to SSL Visibility 184.108.40.206 (released May 10, 2021) or later versions to update to the new ABRCA root CA
Update your license on each appliance to update the appliance certificate's intermediate CA
Note: Ensure that the appliance can access the domain *.es.bluecoat.com to download the SSLV appliance license.
To update the ABRCA root CA certificate on your SSL Visibility appliance, upgrade to version 220.127.116.11 or later versions.
Note: 18.104.22.168 and later are the preferred versions to upgrade to as they contain additional fixes for issues pertaining to the ABRCA root certificate update.
For steps on migrating appliances from 3.x to 4.x, see download the SSL Visibility 4.x Release Notes from the software download center and see the "Upgrading the SSL Visibility Appliance" section.
To update your license:
If the appliance is in a closed environment, do the following steps to update the license in a closed environment:
To validate that your license is up to date, navigate to (Platform Management) > License and ensure the License Status has a Current Status of OK.
Additionally, to ensure your license is automatically updated in the future, enable the Auto Update License feature:
To validate the certificate expiration date:
From the PKI menu, open Management Trust.
Select the bluecoat-appliance CA list.
Select the ABRCA_root certificate.
Click on the information icon and confirm the Valid To date.
The new certificate has an expiration date Dec 31, 2037.
If you have enabled the SSLV Offload feature on the appliance, reboot the appliance after completing all other steps in this article. After the reboot, the feature will function again.
If the certificate expires, the following issues will occur:
License verification failures, resulting in traffic interruption
Failures in offloading from SSL Visibility to ProxySG appliances
Failures when installing new licenses
Inability to perform heartbeat uploads
Other issues, yet to be identified, might also occur.
If the ABRCA root certificate expires before it is updated, you can recover the appliance by performing the same steps you would have used to replace the ABRCA root certificate before it expired. To recover the appliance, perform the steps in the Requirement section of this article.
IMPORTANT: Customers who received an RMA appliance that shipped with 3.12 after November 2021 and need to upgrade to 4.x, ensure you use the correct migration path to upgrade to 4.5.6.x or later and then upgrade your license. For migration steps, see "Upgrading the SSL Visibility Appliance" in the SSL 4.x Visibility Release Notes. You can download the release notes from the software download center.