search cancel

Update the ABRCA Root CA Certificate on Reporter Appliances (Revised: November 02, 2021)

book

Article ID: 207141

calendar_today

Updated On:

Products

Reporter

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your appliances. The new certificate will have an expiration date of December 31, 2037.

When the root certificate expires, some features that use the appliance certificate for authentication will fail. See the end of this article for additional details.

Resolution

IMPORTANT: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient for all products. Reporter requires a software upgrade to do proper certificate validation during subscription downloads. 

You must upgrade Reporter to the 10.6.2.1 release (or later), which includes the new ABRCA root CA certificate. You must then verify that the trust package and appliance certificate were updated properly.

The continued operation of your Reporter appliances requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update by August 31, 2021 to allow for adequate testing and troubleshooting before the certificate expires.

Upgrade Reporter to a Release that Contains the Updated ABRCA Root CA Certificate

The following Reporter releases include the updated ABRCA root CA certificate..

IMPORTANT: Before upgrading, refer to the release notes for the software version you are upgrading to. The release notes include upgrade path requirements and other important information. Download the software package and release notes from the Broadcom download portal.

For information about downloading Symantec software, refer to this article.

Release Release Date Upgrade Instructions
Reporter 11.0.1.1 October 13 2021 Procedure
Reporter 10.6.2.1 April 21, 2021 Procedure

  

Update the Appliance Certificate 

Refer to the appropriate instructions to update the appliance certificate:

 

Update the Hardware Appliance Certificate

Note: Ensure that the appliance can access abrca.bluecoat.com for appliance certificate downloads.

To update the appliance certificate on a hardware appliance, log into the Reporter CLI and enter the following command:

# request-appliance-certificate
ok

Update the Virtual Appliance Certificate

Note: Ensure that the appliance can access abrca.bluecoat.com for appliance certificate downloads.

To update the appliance certificate on a virtual appliance (VA), log into the Reporter CLI and enter the following command:

# licensing load username <username> password <password>
ok

where <username> and <password> are your Broadcom licensing portal credentials.

If the appliance is in a closed environment, see the next section.

Update the Virtual Appliance Certificate in a Closed Environment

In a closed environment, you must manually download the license file and host it on a file server that the appliance can access, or install it inline. 

To update the virtual appliance certificate in a closed environment:

  1. Generate the license key from the Broadcom Support Portal following the instructions for Symantec products in KB145804. Specify a passphrase before generating the license key to ensure that the license includes appliance certificate information.
  2. Download the license key and put it on a file server the appliance can access.
  3. Install the license via the CLI using one of the following methods:

Install from file server


# licensing load url <url> passphrase <passphrase>

where <url> is the location of the file and <passphrase> is the passphrase you specified on the Support Portal.

 

Install inline


Open the license file and copy its contents. Paste the contents using the following command.

# licensing inline license-key passphrase <passphrase>

where <passphrase> is the passphrase you specified on the Support Portal.

 

Verify that the Appliance Birth Certificate Has Been Updated

Enter the following command:

reporter# ssl view keyring bluecoat-appliance
Keyring ID:                 bluecoat-appliance
Private key showability:    show
Signing request:            absent
Certificate:                present
Certificate subject:        C=US,ST=California,O=Blue Coat Systems, Inc.,OU=Blue Coat SGVA Series,CN=1001484462
Certificate issuer:         C=US,ST=California,L=San Jose,O=Broadcom Inc.,OU=ABRCA,CN=Virtual Appliance Birth Certificate Intermediate CA
Certificate valid from:     Oct 07 11:12:38 2021 GMT
Certificate valid to:       Oct 08 06:12:38 2026 GMT
Certificate thumbprint:     F1:78:7A:CF:CC:40:C2:74:06:A0:52:63:64:E7:9C:8B:E0:04:E5:A5

In the command output, look for the "Certificate issuer" line. If the upgrade was successful, the "CN="  value is "Virtual Appliance Birth Certificate Intermediate CA."

Verify that the Trust Package Update was Successful

To verify that the update was successful, enter the following command:

ssl# trust-package view
Trust package download completed. No update required

You can also view the individual certificate. The certificate should have a Valid Until date of Dec 31 2037:

ssl# view ca-certificate ABRCA_root

Name:           ABRCA_root

Issuer:
/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Subject:
/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Valid From:     Sep 11 12:04:16 2020 GMT

Valid Until:    Dec 31 12:04:16 2037 GMT

Fingerprint:
B9:95:41:1D:7F:D5:0B:2C:45:C0:D9:76:59:58:76:70:3F:7F:81:59

Recovery: What to Do If You Fail to Update Before the Certificate Expires

If you fail to update your Reporter appliances before the root CA expires in December 2021, your appliances might experience failures as described in "Consequences of an Expired Appliance Certificate." The steps to renew the certificate are identical, whether you renew the root CA before, or after, the certificate expires. To renew the certificate, follow the steps in this article to upgrade to a new build that contains the updated trust package.

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, the following failures might occur:

  • Appliance certificate update
  • Licensing updates
  • Subscription updates
  • Diagnostics and Heartbeat uploads
  • License validation services will not work on virtual appliances:
    • Failures for more than 7 days will disable the license

Other issues, yet to be identified, might also occur. 

Additional Information