Update the ABRCA Root CA Certificate on Reporter Appliances


Article ID: 207141


Products

Reporter

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.

When the root certificate expires, some features that use the appliance certificate for authentication will fail.

Resolution

To ensure the uninterrupted operation of your Reporter appliances, you must replace the expiring ABRCA root CA certificate with a new certificate on each appliance immediately; if this is not possible, make it a priority to complete the updates by the following dates:

  • Reporter hardware appliances: December 18, 2021

  • Reporter virtual appliances: November 15, 2021

A future Reporter software release will have the ability to automatically update the ABRCA root CA certificate. When the release is available, you can refer to the Release Notes for upgrade instructions. In the interim, you can follow the instructions in this article to update the root CA certificate on your Reporter hardware or virtual appliance using the command line interface (CLI). 

You can update the certificate on the appliance without making any other configuration changes.

Note:

Manually Update the Reporter ABRCA Root Certificate on a Physical Appliance

Log in to the Reporter CLI and enter the following commands:

# enable
# configure terminal
(config)# ssl
(config-ssl)# trust-package url
(config-ssl)# trust-package download-now

Manually Update the Reporter ABRCA Root Certificate on a Virtual Appliance

Log in to the Reporter CLI and enter the following commands:

# enable
# licensing load [username <value>] [password <value>]

Verify that the Update was Successful

To verify that the update was successful, enter the following command:

(config-ssl)# trust-package view
Trust package download completed. No update required

You can also view the individual certificates:

(config-ssl)# view ca-certificate ABRCA_root

Name:           ABRCA_root

Issuer:

/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Subject:

/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Valid From:     Dec 19 05:40:48 2006 GMT

Valid Until:    Dec 18 05:40:48 2021 GMT

Fingerprint:

AE:4D:E4:18:6D:A5:06:C7:16:AA:A4:39:3F:4D:2E:68:B7:51:97:49 

(config-ssl)# view ca-certificate BC_Cloud_Services_Root_CA

Name:           BC_Cloud_Services_Root_CA

Issuer:

/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA

Subject:

/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA

Valid From:     Sep 06 12:00:00 2011 GMT

Valid Until:    Sep 05 11:59:59 2036 GMT

Fingerprint:

2B:4E:AF:4C:71:F5:F2:7F:BD:8F:0F:B5:5C:73:AB:C3:9F:15:14:7E
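
To check validity dates across many appliances without reading each listing by eye, the "view ca-certificate" output can be parsed from a saved CLI session. The following is an added example, not Symantec code: the function names, the 30-day warning window and the abridged sample text are assumptions made for illustration, and the parser accepts a value printed either beside its label or on a later line, as in the output above.

```python
import re
from datetime import datetime, timezone

FIELD = re.compile(r"^(Name|Issuer|Subject|Valid From|Valid Until|Fingerprint):\s*(.*)$")
TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # e.g. "Dec 18 05:40:48 2021 GMT"

# Constructed sample: abridged copy of the "view ca-certificate" output above.
SAMPLE = """\
(config-ssl)# view ca-certificate ABRCA_root
Name:           ABRCA_root
Valid From:     Dec 19 05:40:48 2006 GMT
Valid Until:    Dec 18 05:40:48 2021 GMT
Fingerprint:

AE:4D:E4:18:6D:A5:06:C7:16:AA:A4:39:3F:4D:2E:68:B7:51:97:49
(config-ssl)# view ca-certificate BC_Cloud_Services_Root_CA
Name:           BC_Cloud_Services_Root_CA
Valid From:     Sep 06 12:00:00 2011 GMT
Valid Until:    Sep 05 11:59:59 2036 GMT
"""

def parse_certificates(text):
    """Return one dict per certificate; a value may follow its label on a later line."""
    certs, pending = [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("(config"):
            continue  # skip blank lines and echoed CLI prompts
        match = FIELD.match(line)
        if match:
            key, value = match.groups()
            if key == "Name":
                certs.append({})  # "Name:" opens a new certificate record
            if certs:
                certs[-1][key] = value
                pending = None if value else key
        elif pending and certs:
            certs[-1][pending] = line  # value printed below its label
            pending = None
    return certs

def check_expiry(certs, now, warn_days=30):
    """Map certificate name -> (status, whole days left) relative to `now` (UTC)."""
    report = {}
    for cert in certs:
        until = datetime.strptime(cert["Valid Until"], TIME_FMT).replace(tzinfo=timezone.utc)
        days = (until - now).days
        status = "expired" if days < 0 else "expiring" if days < warn_days else "ok"
        report[cert["Name"]] = (status, days)
    return report
```

Call check_expiry(parse_certificates(captured_text), datetime.now(timezone.utc)) on each appliance's saved output and follow up on any entry reported as "expiring" or "expired".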

 

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, the following failures might occur:

  • Appliance certificate update
  • Licensing updates
  • Subscription updates
  • Diagnostics and Heartbeat uploads
  • License validation services will not work on virtual appliances:
    • Failures for more than 7 days will disable the license

Other issues, yet to be identified, might also occur.