Update the ABRCA Root CA Certificate for the SSL Visibility Appliance (Revised: November 19, 2021)

Article ID: 207140

Products

SSL Visibility Appliance Software

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. In addition, the appliance certificates installed on some Symantec appliances include an intermediate CA certificate which expires in November 2021.

If these certificates are not updated on the appliance, some features that use the appliance certificate for authentication will fail.

Warning: To ensure the uninterrupted operation of your SSL Visibility appliances, you must make it a priority to complete both of the following updates as soon as possible:

  • Upgrade to SSL Visibility 4.5.6.1 (released May 10, 2021) or later versions to update to the new ABRCA root CA 

  • Update your license on each appliance to update the appliance certificate's intermediate CA

Resolution

Requirements

Note: Ensure that the appliance can access the domain *.es.bluecoat.com to download the SSLV appliance license.

Upgrade to SSL Visibility 4.5.6.1 and Later

To update the ABRCA root CA certificate on your SSL Visibility appliance, upgrade to version 4.5.6.1 or later versions.

Note: 4.5.7.1 and later are the preferred versions to upgrade to as they contain additional fixes for issues pertaining to the ABRCA root certificate update.

For steps on migrating appliances from 3.x to 4.x, download the SSL Visibility 4.x Release Notes from the software download center and see the "Upgrading the SSL Visibility Appliance" section.

Update the License

To update your license:

  1. Navigate to (Platform Management) > License.
  2. Click Add.
  3. On the BTO Install tab, enter your BTO User ID and password.
  4. Click Add.

If the appliance is in a closed environment, perform the following steps to update the license:

  1. Generate the license key from the Broadcom Support Portal, following the instructions for Symantec products in KB145804. Specify a passphrase before generating the license key to ensure that the license includes appliance certificate information.
  2. Navigate to (Platform Management) > License.
  3. Click Add.
  4. On the Upload File tab, click Browse to browse to the file location, or on the Paste Text tab, paste the license text.
  5. Click Add.

To validate that your license is up to date, navigate to (Platform Management) > License and ensure the License Status has a Current Status of OK.

Additionally, to ensure your license is automatically updated in the future, enable the Auto Update License feature:

  1. Navigate to (Platform Management) > License.
  2. On the License Settings panel, click Edit and enable the feature.

To validate the certificate expiration date:

  1. From the PKI menu, open Management Trust.

  2. Select the bluecoat-appliance CA list.

  3. Select the ABRCA_root certificate.  

  4. Click on the information icon and confirm the Valid To date.
    The new certificate has an expiration date of Dec 31, 2037.

Reboot SSLV-Offload Enabled Appliances

If you have enabled the SSLV Offload feature on the appliance, reboot the appliance after completing all other steps in this article. After the reboot, the feature will function again.

Consequences of an Expired Appliance Certificate

If the certificate expires, the following issues will occur:

  • License verification failures, resulting in traffic interruption

  • Failures in offloading from SSL Visibility to ProxySG appliances

  • Failures when installing new licenses

  • Inability to perform heartbeat uploads

Other issues, yet to be identified, might also occur.

Recovering the Appliance After the Certificate Expiration Date

If the ABRCA root certificate expires before it is updated, you can recover the appliance by performing the same steps you would have used to replace the ABRCA root certificate before it expired. To recover the appliance, perform the steps in the Requirements section of this article.

IMPORTANT: If you received an RMA appliance that shipped with 3.12 after November 2021 and need to upgrade to 4.x, ensure you use the correct migration path to upgrade to 4.5.6.x or later and then upgrade your license. For migration steps, see "Upgrading the SSL Visibility Appliance" in the SSL Visibility 4.x Release Notes. You can download the release notes from the software download center.