Update the ABRCA Root CA Certificate on Management Center Appliances (Revised: September 16, 2021)

Article ID: 207144

Products

Management Center

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.

When the root CA certificate expires, some features that use the ABRCA root CA certificate for authentication will fail. See the end of this article for additional details. 

Note: For instructions on updating Content Analysis, see Update the ABRCA Root CA Certificate for the Content Analysis Appliance (Revised: July 7, 2021)

Resolution

IMPORTANT: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient for all products. Management Center requires a software upgrade to do proper certificate validation during subscription downloads.

If you are running Management Center 3.x, you must do the following:

  • Upgrade Management Center to MC 3.1.3.1 (or later). MC 3.1.3.1 (and later) includes the new ABRCA root CA certificate.
  • Verify that the trust package and appliance certificate were updated properly.

If you are running Management Center 2.4, you must do the following:

  • Upgrade Management Center to MC 2.4.3.1 (or later). MC 2.4.3.1 (and later) includes the new ABRCA root CA certificate.
  • Manually update the appliance certificate. The appliance certificate does not automatically update itself in MC 2.4.3.1. You can update the appliance certificate before, or after, upgrading to MC 2.4.3.1.
  • Verify that the trust package and appliance certificate were updated properly.

The continued operation of your Management Center appliances requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update by August 31, 2021 to allow for adequate testing and troubleshooting before the certificate expires.

Recovery: What to Do If You Fail to Update Before the Certificate Expires

If you fail to update your Management Center appliances before the root CA expires in December 2021, your appliances might experience failures as described in "Consequences of an Expired Appliance Certificate." The steps to renew the certificate are identical, whether you renew the root CA before, or after, the certificate expires. To renew the certificate, follow the steps in this article to upgrade to a new build that contains the updated trust package.

Available Releases

The following Management Center releases include the updated ABRCA root CA certificate.

Release        Anticipated GA
MC 3.2.1.1     August 09, 2021
MC 3.1.3.1     March 18, 2021
MC 2.4.3.1     August 20, 2021

Monitor this KB article for any updates to this release schedule. For software upgrade instructions, refer to the Management Center release notes for your version. You can download the software package and release notes (when they are released) from the Broadcom download portal.

Manually Update the Appliance Certificate – Only Required for Management Center 2.4.x

You can update the appliance certificate (by updating the license) before, or after, upgrading to MC 2.4.3.1.    

  1. Log on to the CLI.
  2. Enter privileged mode from standard mode by using the enable command. The prompt changes from a > to a #, indicating that you are in privileged mode.
  3. At the # command prompt, enter one of the following commands to either retrieve or paste the license into the CLI to install manually:
    (config)# licensing load (Retrieves the license from Broadcom)
    (config)# licensing inline eof <cr> <license text> eof


Verify That the Appliance Certificate Update Was Successful – All Upgrade Paths

# licensing view
Appliance Serial Number  : 1000413203
Model                    : MC-V10
Date Generated           : 2021-03-03

Verify That the Update Was Successful – All Upgrade Paths

To verify that the update was successful, enter the following command:

(config-ssl)# trust-package view
Trust package download completed. No update required

You can also view the individual certificates:

(config-ssl)# view ca-certificate ABRCA_root
Name:           ABRCA_root
Issuer:
/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Subject:
/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Valid From:     Sep 11 12:04:16 2020 GMT
Valid Until:    Dec 31 12:04:16 2037 GMT
Fingerprint:
B9:95:41:1D:7F:D5:0B:2C:45:C0:D9:76:59:58:76:70:3F:7F:81:59

(config-ssl)# view ca-certificate BC_Cloud_Services_Root_CA
Name:           BC_Cloud_Services_Root_CA
Issuer:
/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA

Subject:
/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA

Valid From:     Sep 06 12:00:00 2011 GMT
Valid Until:    Sep 05 11:59:59 2036 GMT
Fingerprint:
2B:4E:AF:4C:71:F5:F2:7F:BD:8F:0F:B5:5C:73:AB:C3:9F:15:14:7E
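
To compare captured view ca-certificate output with the values shown above across several appliances, the check can be scripted. This is an added example, not Broadcom code: the function names, the 2022-01-01 cutoff and the second certificate in the sample capture are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

EXPECTED = {  # fingerprints as printed in this article's "view ca-certificate" output
    "ABRCA_root": "B9:95:41:1D:7F:D5:0B:2C:45:C0:D9:76:59:58:76:70:3F:7F:81:59",
    "BC_Cloud_Services_Root_CA": "2B:4E:AF:4C:71:F5:F2:7F:BD:8F:0F:B5:5C:73:AB:C3:9F:15:14:7E",
}
CUTOFF = datetime(2022, 1, 1, tzinfo=timezone.utc)  # assumption: old root ends Dec 2021
# A value may follow its label on the same line or on the next non-blank line.
FIELD = re.compile(r"^(Name|Issuer|Subject|Valid From|Valid Until|Fingerprint):\s*(\S.*)$", re.M)

def parse_certificates(capture):
    certs = []
    for key, value in FIELD.findall(capture):
        if key == "Name":
            certs.append({})  # each "Name:" line starts a new certificate
        if certs:
            certs[-1][key] = value.strip()
    return certs

def check(cert, now):
    problems = []  # an empty list means the certificate passes
    if cert.get("Fingerprint", "").upper() != EXPECTED.get(cert.get("Name")):
        problems.append("fingerprint does not match the published value")
    try:
        start, end = (datetime.strptime(cert[k], "%b %d %H:%M:%S %Y GMT")
                      .replace(tzinfo=timezone.utc) for k in ("Valid From", "Valid Until"))
    except (KeyError, ValueError):
        return problems + ["validity dates missing or unparseable"]
    if not start <= now <= end:
        problems.append("outside validity period")
    if end < CUTOFF:
        problems.append("expires with the old root")
    return problems

# Constructed capture: first block mirrors the article, second is a made-up stale root.
SAMPLE = """(config-ssl)# view ca-certificate ABRCA_root
Name:           ABRCA_root
Valid From:     Sep 11 12:04:16 2020 GMT
Valid Until:    Dec 31 12:04:16 2037 GMT
Fingerprint:
B9:95:41:1D:7F:D5:0B:2C:45:C0:D9:76:59:58:76:70:3F:7F:81:59
Name:           ABRCA_root
Valid From:     Jan 01 00:00:00 2010 GMT
Valid Until:    Dec 15 00:00:00 2021 GMT
Fingerprint:    00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

for cert in parse_certificates(SAMPLE):
    print(cert["Name"], check(cert, datetime.now(timezone.utc)) or "OK")
```

A certificate whose name is not in EXPECTED is reported as a fingerprint mismatch, so an unexpected root cannot pass by name alone.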

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, the following failures might occur:

  • Appliance certificate update
  • Licensing updates
  • Subscription updates
  • Diagnostics and Heartbeat uploads
  • License validation services on virtual appliances:
    • Failures for more than 7 days will disable the license
  • Subscription download of WAF rules

Other issues, yet to be identified, might also occur.