Update the ABRCA Root CA Certificate on Management Center Appliances

Article ID: 207144

Products

Management Center

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.

When the root CA certificate expires, some features that use the ABRCA root CA certificate for authentication will fail.

Resolution

To ensure the uninterrupted operation of your Management Center appliances, you must replace the expiring ABRCA root CA certificate with a new certificate on each appliance immediately; if this is not possible, make it a priority to complete the updates by the following dates:

  • Management Center hardware appliances: December 18, 2021 

  • Management Center virtual appliances: November 15, 2021

A future Management Center software release will have the ability to automatically update the ABRCA root CA certificate. When the release is available, you can refer to the Release Notes for upgrade instructions. In the interim, you can follow the instructions in this article to update the root CA certificate on your Management Center hardware or virtual appliance using the command line interface (CLI). 

You can update the certificate on the appliance without making any other configuration changes.

Note:

  • You need to specify the trust-package URL only if you are not using the default URL. The default URL is: http://appliance.bluecoat.com/sgos/trust_package.bctp

  • You must be able to access the following domains:

  • If the appliance is on a closed network, you must manually download the trust package and host it on a file server accessible by Management Center. If you are running Management Center 3.x, you can host the trust package on the Management Center file archive. 

  • If the appliance is running Management Center 2.x, the trust package must be named trust_package.bctp. The file cannot be hosted locally in the MC file archive since the file archive creates a unique GUID filename.

Manually Update the Management Center ABRCA Root Certificate on a Physical Appliance

Log into the Management Center CLI and enter the following commands:

# enable
# configure terminal
(config)# ssl
(config-ssl)# trust-package url
(config-ssl)# trust-package download-now

Manually Update the Management Center ABRCA Root Certificate on a Virtual Appliance

Log into the Management Center CLI and enter the following commands:

# enable
# licensing load [username <value>] [password <value>]

Verify that the Update was Successful

To verify that the update was successful, enter the following command:

(config-ssl)# trust-package view
Trust package download completed. No update required

You can also view the individual certificates:

(config-ssl)# view ca-certificate ABRCA_root

Name:           ABRCA_root

Issuer:

/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Subject:

/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Valid From:     Dec 19 05:40:48 2006 GMT

Valid Until:    Dec 18 05:40:48 2021 GMT

Fingerprint:

AE:4D:E4:18:6D:A5:06:C7:16:AA:A4:39:3F:4D:2E:68:B7:51:97:49 

(config-ssl)# view ca-certificate BC_Cloud_Services_Root_CA

Name:           BC_Cloud_Services_Root_CA

Issuer:

/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA

Subject:

/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA

Valid From:     Sep 06 12:00:00 2011 GMT

Valid Until:    Sep 05 11:59:59 2036 GMT

Fingerprint:

2B:4E:AF:4C:71:F5:F2:7F:BD:8F:0F:B5:5C:73:AB:C3:9F:15:14:7E
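
The validity dates in this output can be checked mechanically when many appliances have to be audited. The following is an added example, not part of the original article or any vendor tooling: it parses captured `view ca-certificate` output and classifies each certificate by its Valid Until date. The function names, the 30-day warning window and the trimmed sample text are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Output copied from this article (blank lines and Issuer/Subject trimmed).
SAMPLE = """\
Name:           ABRCA_root
Valid From:     Dec 19 05:40:48 2006 GMT
Valid Until:    Dec 18 05:40:48 2021 GMT
Fingerprint:
AE:4D:E4:18:6D:A5:06:C7:16:AA:A4:39:3F:4D:2E:68:B7:51:97:49
Name:           BC_Cloud_Services_Root_CA
Valid From:     Sep 06 12:00:00 2011 GMT
Valid Until:    Sep 05 11:59:59 2036 GMT
Fingerprint:
2B:4E:AF:4C:71:F5:F2:7F:BD:8F:0F:B5:5C:73:AB:C3:9F:15:14:7E
"""

FIELD = re.compile(r"^(Name|Valid From|Valid Until|Fingerprint):\s*(.*)$")

def parse_certs(text):
    """Split captured CLI output into one dict per certificate."""
    certs, cur, pending = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = FIELD.match(line)
        if m and m.group(1) == "Name":
            cur, pending = {"Name": m.group(2)}, None
            certs.append(cur)
        elif m and cur is not None:
            # A label with no value (Fingerprint) takes the next non-blank line.
            pending = None if m.group(2) else m.group(1)
            if m.group(2):
                cur[m.group(1)] = m.group(2)
        elif line and pending and cur is not None:
            cur[pending], pending = line, None
    return certs

def expiry_report(text, now, warn_days=30):
    """Map certificate name to 'expired', 'expiring', 'ok' or 'unparsed'."""
    report = {}
    for cert in parse_certs(text):
        try:
            until = datetime.strptime(cert["Valid Until"], "%b %d %H:%M:%S %Y GMT")
            left = until.replace(tzinfo=timezone.utc) - now
            status = ("expired" if left.total_seconds() <= 0
                      else "expiring" if left.days < warn_days else "ok")
        except (KeyError, ValueError):
            status = "unparsed"  # a missing or odd date is never reported as healthy
        report[cert["Name"]] = status
    return report
```

Pass `datetime.now(timezone.utc)` as `now` for a live check; any certificate reported as `expired`, `expiring` or `unparsed` should be reviewed on the appliance itself.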

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, the following failures might occur:

  • Appliance certificate update
  • Licensing updates
  • Subscription updates
  • Diagnostics and Heartbeat uploads
  • License validation services on virtual appliances:
    • Failures for more than 7 days will disable the license
  • Subscription download of WAF rules

Other issues, yet to be identified, might also occur.