Update the ABRCA Root CA Certificate on Reporter Appliances (Revised: April 26, 2021)

book

Article ID: 207141

calendar_today

Updated On:

Products

Reporter

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your appliances. The new certificate will have an expiration date of December 31, 2037.

When the root certificate expires, some features that use the appliance certificate for authentication will fail. See the end of this article for additional details.

Resolution

IMPORTANT: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient for all products. Reporter requires a software upgrade to do proper certificate validation during subscription downloads. 

You must upgrade Reporter to the 10.6.2.1 release (or later), which includes the new ABRCA root CA certificate. You must then verify that the trust package and appliance certificate were updated properly.

The continued operation of your Reporter appliances requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update by August 31, 2021.

Available Releases

The following Reporter release includes the updated ABRCA root CA certificate.

Release Anticipated GA
Reporter 10.6.2.1 Released on April 21, 2021

Monitor this KB article for any updates to this release schedule. For upgrade instructions, refer to the Reporter release notes for your version. You can download the software package and release notes (when they are released) from the Broadcom download portal.    

Manually Update the Appliance Certificate– (Optional, Unless the Appliance Certificate Did Not Update)

You can update the appliance certificate (by updating the license) before, or after, upgrading to Reporter 10.6.2.1.    

  1. Log on to the CLI.
  2. Enter privileged mode from standard mode by using the enable command. The prompt changes from a > to a #, indicating that you are in privileged mode.
  3. At the # command prompt, enter the following command to either retrieve or paste the license into the CLI to install manually:
 (config)# licensing load (Retrieves the license from Broadcom)
 (config)# licensing inline eof <cr> <license text> eof

Verify That the Appliance Certificate Update was Successful

# licensing view
Appliance Serial Number  : 1000413203
Model                    : RP-V50
Date Generated           : 2021-03-03

Verify that the Trust Package Update was Successful

To verify that the update was successful, enter the following command:

(config-ssl)# trust-package view
Trust package download completed. No update required

You can also view the individual certificates:

(config-ssl)# view ca-certificate ABRCA_root

Name:           ABRCA_root

Issuer:

/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Subject:

/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Valid From:     Sep 11 12:04:16 2020 GMT

Valid Until:    Dec 31 12:04:16 2037 GMT

Fingerprint:

AE:4D:E4:18:6D:A5:06:C7:16:AA:A4:39:3F:4D:2E:68:B7:51:97:49 

(config-ssl)# view ca-certificate BC_Cloud_Services_Root_CA

Name:           BC_Cloud_Services_Root_CA

Issuer:

/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA

Subject:

/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA

Valid From:     Sep 06 12:00:00 2011 GMT

Valid Until:    Sep 05 11:59:59 2036 GMT

Fingerprint:

2B:4E:AF:4C:71:F5:F2:7F:BD:8F:0F:B5:5C:73:AB:C3:9F:15:14:7E

 

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, the following failures might occur:

  • Appliance certificate update
  • Licensing updates
  • Subscription updates
  • Diagnostics and Heartbeat uploads
  • License validation services will not work on virtual appliances:
    • Failures for more than 7 days will disable the license

Other issues, yet to be identified, might also occur.