search cancel

Update the ABRCA Root CA Certificate on Management Center Appliances (Revised: November 08, 2021)

book

Article ID: 207144

calendar_today

Updated On:

Products

Management Center

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.

When the root CA certificate expires, some features that use the ABRCA root CA certificate for authentication will fail. See the end of this article for additional details. 

 

Resolution

IMPORTANT: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient for all products. Management Center requires a software upgrade to do proper certificate validation during subscription downloads.

If you are running Management Center 3.x, you must do the following:

  • Upgrade Management Center to MC 3.2.1.1 (or later). MC 3.2.1.1 (and later) includes the new ABRCA root CA certificate.
  • Verify that the trust package and appliance certificate were updated properly.

If you are running Management Center 2.4, you must do the following:

  • Upgrade Management Center to MC 2.4.3.1 (or later). MC 2.4.3.1 (and later) includes the new ABRCA root CA certificate.
  • Manually update the appliance certificate. The appliance certificate does not automatically update itself in MC 2.4.3.1. You can update the appliance certificate before, or after, upgrading to MC 2.4.3.1.
  • Verify that the trust package and appliance certificate were updated properly.

The continued operation of your Management Center appliances requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update by August 31, 2021 to allow for adequate testing and troubleshooting before the certificate expires.

Upgrade Management Center to a Release that Contains the Updated ABRCA Root CA Certificate

The following Management Center releases include the updated ABRCA root CA certificate.

IMPORTANT: Before upgrading, refer to the release notes for the software version you are upgrading to. The release notes include upgrade path requirements and other important information. Download the software package and release notes from the Broadcom download portal.

For information about downloading Symantec software, refer to this article.

Release Release Date Upgrade Instructions 
MC 3.2.1.1 August 09, 2021 Procedure
MC 2.4.3.1 August 20, 2021 Procedure

Monitor this KB article for any updates to this release schedule. 

Update the Appliance Certificate 

Refer to the appropriate instructions to update the appliance certificate:

 

Update the Hardware Appliance Certificate

Note: Ensure that the appliance can access abrca.bluecoat.com for appliance certificate downloads.

To update the appliance certificate on a hardware appliance, log into the Management Center CLI and enter the following command:

# request-appliance-certificate
ok

Update the Virtual Appliance Certificate

Note: Ensure that the appliance can access abrca.bluecoat.com for appliance certificate downloads.

To update the appliance certificate on a virtual appliance (VA), log into the Management Center CLI and enter the following command:

(config)# licensing load username <username> password <password>
ok

where <username> and <password> are your Broadcom licensing portal credentials.

If the appliance is in a closed environment, see the next section.

Update the Virtual Appliance Certificate in a Closed Environment

In a closed environment, you must manually download the license file and host it on a file server that the appliance can access, or install it inline. 

To update the virtual appliance certificate in a closed environment:

  1. Generate the license key from the Broadcom Support Portal following the instructions for Symantec products in KB145804. Specify a passphrase before generating the license key to ensure that the license includes appliance certificate information.
  2. Download the license key and put it on a file server the appliance can access.
  3. Install the license via the CLI using one of the following methods:

Install from file server


(config)# licensing load url <url> passphrase <passphrase>

where <url> is the location of the file and <passphrase> is the passphrase you specified on the Support Portal.

 

Install inline


Open the license file and copy its contents. Paste the contents using the following command.

(config)# licensing inline license-key passphrase <passphrase>

where <passphrase> is the passphrase you specified on the Support Portal.

Verify that the Appliance Birth Certificate Has Been Updated - MC VA

Enter the following command:

(config-ssl)# view keyring bluecoat-appliance
Keyring ID:                 bluecoat-appliance
Private key showability:    show
Signing request:            absent
Certificate:                present
Certificate subject:        C=US,ST=California,O=Blue Coat Systems, Inc.,OU=Blue Coat SGVA Series,CN=1000413203
Certificate issuer:         C=US,ST=California,L=San Jose,O=Broadcom Inc.,OU=ABRCA,CN=Virtual Appliance Birth Certificate Intermediate CA
Certificate valid from:     May 06 03:06:24 2021 GMT
Certificate valid to:       May 07 10:06:25 2026 GMT
Certificate thumbprint:     B9:BF:68:B7:34:E7:95:E0:8B:EF:CE:FD:B7:DF:DA:31:0C:C0:4A:23

In the command output, look for the "Certificate issuer" line. If the upgrade was successful, the "CN="  value is "Virtual Appliance Birth Certificate Intermediate CA."

Verify that the Appliance Birth Certificate Has Been Updated - MC Hardware Appliance

(config-ssl)# view keyring bluecoat-appliance
  Keyring ID:                 bluecoat-appliance
  Private key showability:    no-show
  Key type:                   RSA
  Key size:                   2048 bits
  Signing request:            absent
  Certificate:                present
  Certificate subject:        C=US,ST=CA,O='Blue Coat Systems',OU=CLP,CN=5113320396
  Certificate issuer:         C=US,ST=California,L=Sunnyvale,O=Blue Coat Systems, Inc.,OU=Blue Coat, ABRCA,CN=abrca.bluecoat.com,[email protected]bluecoat.com
  Certificate valid from:     Oct 19 18:52:43 2021 GMT
  Certificate valid to:       Oct 20 18:52:43 2026 GMT
  Certificate thumbprint:     9F:A6:5F:89:FA:42:7D:69:5B:82:0B:09:8D:19:25:F8:C1:2E:8D:CB

Verify that the Trust Package Update was Successful–All Upgrade Paths

To verify that the trust package update was successful, enter the following command:

(config-ssl)# trust-package view
Trust package download completed. No update required

You can also view the individual certificate. The certificate should have a Valid Until date of Dec 31 2037:

(config-ssl)# view ca-certificate ABRCA_root
Name:           ABRCA_root
Issuer:
/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Subject:
/C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=Blue Coat, ABRCA/CN=abrca.bluecoat.com/[email protected]

Valid From:     Sep 11 12:04:16 2020 GMT
Valid Until:    Dec 31 12:04:16 2037 GMT
Fingerprint:
B9:95:41:1D:7F:D5:0B:2C:45:C0:D9:76:59:58:76:70:3F:7F:81:59
 

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, the following failures might occur:

  • Appliance certificate update
  • Licensing updates
  • Subscription updates
  • Diagnostics and Heartbeat uploads
  • License validation services on virtual appliances:
    • Failures for more than 7 days will disable the license
  • Subscription download of WAF rules

Other issues, yet to be identified, might also occur. 

Recovery: What to Do If You Fail to Update Before the Certificate Expires

If you fail to update your Management Center appliances before the root CA expires in December 2021, your appliances might experience failures as described in "Consequences of an Expired Appliance Certificate." The steps to renew the certificate are identical, whether you renew the root CA before, or after, the certificate expires. To renew the certificate, follow the steps in this article to upgrade to a new build that contains the updated trust package.