The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.
When the root CA certificate expires, some features that use the ABRCA root CA certificate for authentication will fail.
To ensure the uninterrupted operation of your Management Center appliances, you must replace the expiring ABRCA root CA certificate with a new certificate on each appliance immediately; if this is not possible, make it a priority to complete the updates by the following dates:
Management Center hardware appliances: December 18, 2021
Management Center virtual appliances: November 15, 2021
A future Management Center software release will have the ability to automatically update the ABRCA root CA certificate. When the release is available, you can refer to the Release Notes for upgrade instructions. In the interim, you can follow the instructions in this article to update the root CA certificate on your Management Center hardware or virtual appliance using the command line interface (CLI).
You can update the certificate on the appliance without making any other configuration changes.
Note:
You need to specify the trust-package URL only if you are not using the default URL. The default URL is: http://appliance.bluecoat.com/sgos/trust_package.bctp
You must be able to access the following domains:
abrca.bluecoat.com - for appliance certificate download
appliance.bluecoat.com - for trust package download
If the appliance is on a closed network, you must manually download the trust package and host it on a file server accessible by Management Center. If you are running Management Center 3.x, you can host the trust package on the Management Center file archive.
If the appliance is running Management Center 2.x, the trust package must be named trust_package.bctp. The file cannot be hosted locally in the MC file archive since the file archive creates a unique GUID filename.
Log into the Management Center CLI and enter the following commands:
# enable
# configure terminal
(config)# ssl
(config-ssl)# trust-package url
(config-ssl)# trust-package download-now
Manually Update the Management Center ABRCA Root Certificate on a Virtual Appliance
Log into the Management Center CLI and enter the following commands:
# enable
# licensing load [username <value>] [password <value>]
To verify that the update was successful, enter the following command:
(config-ssl)# trust-package view
Trust package download completed. No update required
You can also view the individual certificates:
(config-ssl)# view ca-certificate ABRCA_root
Name: ABRCA_root
Issuer:
/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]
Subject:
/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]
Valid From: Dec 19 05:40:48 2006 GMT
Valid Until: Dec 18 05:40:48 2021 GMT
Fingerprint:
AE:4D:E4:18:6D:A5:06:C7:16:AA:A4:39:3F:4D:2E:68:B7:51:97:49
(config-ssl)# view ca-certificate BC_Cloud_Services_Root_CA
Name: BC_Cloud_Services_Root_CA
Issuer:
/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA
Subject:
/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA
Valid From: Sep 06 12:00:00 2011 GMT
Valid Until: Sep 05 11:59:59 2036 GMT
Fingerprint:
2B:4E:AF:4C:71:F5:F2:7F:BD:8F:0F:B5:5C:73:AB:C3:9F:15:14:7E
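To check saved `view ca-certificate` output from several appliances, the script below (an added example, not Symantec's tooling) parses it and reports expired certificates and whether the new ABRCA root is installed. The function names `parse_certs` and `audit` are hypothetical, and matching the new root by its expiry date is an assumption, since this article lists no fingerprint for it.

```python
from datetime import datetime, timezone

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # timestamp format used in the CLI output
# Expiry of the new root as stated in this article (no fingerprint is given).
NEW_ABRCA_EXPIRY = "Dec 31 00:04:16 2037 GMT"

# Constructed sample: output as shown in the article, DN and fields shortened.
SAMPLE = """\
(config-ssl)# view ca-certificate ABRCA_root
Name: ABRCA_root
Issuer:
/C=US/O=Blue Coat Systems, Inc./CN=abrca.bluecoat.com
Valid From: Dec 19 05:40:48 2006 GMT
Valid Until: Dec 18 05:40:48 2021 GMT
Fingerprint:
AE:4D:E4:18:6D:A5:06:C7:16:AA:A4:39:3F:4D:2E:68:B7:51:97:49
(config-ssl)# view ca-certificate BC_Cloud_Services_Root_CA
Name: BC_Cloud_Services_Root_CA
Valid Until: Sep 05 11:59:59 2036 GMT
Fingerprint:
2B:4E:AF:4C:71:F5:F2:7F:BD:8F:0F:B5:5C:73:AB:C3:9F:15:14:7E
"""

def to_utc(stamp):
    return datetime.strptime(stamp, DATE_FMT).replace(tzinfo=timezone.utc)

def parse_certs(text):
    """Return one dict per certificate found in the CLI output."""
    certs, pending = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("("):                  # CLI prompt line
            continue
        key, _, value = line.partition(":")
        if pending:                               # value line after "Issuer:" etc.
            certs[-1][pending], pending = line, None
        elif key == "Name":
            certs.append({"Name": value.strip()})
        elif certs and value.strip():             # "Key: value" on one line
            certs[-1][key] = value.strip()
        elif certs:
            pending = key                         # value is on the next line
    return certs

def audit(text, now):
    """Return (names of expired certificates, new ABRCA root present?)."""
    certs = parse_certs(text)
    expired = [c["Name"] for c in certs if to_utc(c["Valid Until"]) <= now]
    return expired, any(c["Valid Until"] == NEW_ABRCA_EXPIRY for c in certs)
```

Call `audit(captured_text, datetime.now(timezone.utc))` on each appliance's captured output; an appliance is done when the second value is `True` and the first list is empty.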
If the appliance certificate expires, the following failures might occur:
Other issues, yet to be identified, might also occur.