Update the ABRCA Root CA Certificate on Advanced Secure Gateway Appliances (Revised: May 5, 2021)


Article ID: 207153



Advanced Secure Gateway Software - ASG ASG-S200 ASG-S400 ASG-S500


The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your Advanced Secure Gateway appliances. The new certificate will have an expiration date of December 31, 2037.

IMPORTANT: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient. Advanced Secure Gateway requires a software upgrade to do proper certificate validation during Content Analysis subscription downloads. 

The continued operation of your Advanced Secure Gateway appliances requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update by August 31, 2021.


Retrieve a New Appliance Certificate

To retrieve a new appliance certificate, use the following command line interface (CLI) commands:

#(config ssl)request-appliance-certificate
Requesting certificate
Verifying certificate
Loading factory certificate from keyring
Storing factory certificate in permanent store

Upgrade Advanced Secure Gateway

Upgrade to a supported Advanced Secure Gateway release.

Release Version                    Release Date
Advanced Secure Gateway            Released on March 24, 2021
Advanced Secure Gateway 7.2.6      Released on April 13, 2021
Advanced Secure Gateway 7.3.3      Released on April 28, 2021


IMPORTANT: All Advanced Secure Gateway appliances must be updated to this version. Any previous versions will not be supported after November 2021.

For upgrade instructions, refer to KB 214293. You can download the software package from the Broadcom download portal.


Verify the Trust Package

After upgrading, verify that an appropriate trust package is installed. Use the following ProxySG CLI command:

#show security trust-package

In the command output, look for the date beside Creation time. The date should be October 13 2020 or later.
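
To run this check across several appliances, the following added example (not part of the original article and not a Symantec or Broadcom tool) parses saved output of the command above and flags trust packages created before October 13 2020. It assumes the Creation time line carries a month name, a day and a four-digit year; the appliance names and sample captures are constructed.

```python
import re
from datetime import date

# Threshold from the article: Creation time must be October 13 2020 or later.
MIN_CREATION = date(2020, 10, 13)

MONTHS = {name: num for num, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# Month name, day, optional comma, four-digit year (e.g. "October 13 2020").
DATE_RE = re.compile(r"\b([A-Za-z]{3,9})\s+(\d{1,2}),?\s+(\d{4})\b")


def creation_date(cli_output):
    """Return the date on the 'Creation time' line, or None if not found."""
    for line in cli_output.splitlines():
        label, sep, value = line.partition(":")
        if not sep or label.strip().lower() != "creation time":
            continue
        for month, day, year in DATE_RE.findall(value):
            num = MONTHS.get(month[:3].lower())
            if num is None:
                continue
            try:
                return date(int(year), num, int(day))
            except ValueError:  # impossible date such as "February 31"
                continue
    return None


def audit(outputs):
    """Map each appliance name to 'ok', 'outdated' or 'unknown'."""
    result = {}
    for name, text in outputs.items():
        created = creation_date(text)
        if created is None:
            result[name] = "unknown"  # no parsable date: review manually
        else:
            result[name] = "ok" if created >= MIN_CREATION else "outdated"
    return result


# Constructed sample captures; the real output layout is assumed and may differ.
SAMPLE = {
    "asg-a": "Auto-update: enabled\n  Creation time: Tuesday October 13 2020 18:03:22 UTC\n",
    "asg-b": "  Creation time: Thursday March 12 2020 18:08:31 UTC\n",
    "asg-c": "connection timed out\n",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

An appliance reported as unknown produced no parsable Creation time line and should be checked by hand rather than assumed current.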


Consequences of an Expired Appliance Certificate

If the appliance certificate expires, certain appliance-to-back-end communication flows that use the appliance certificate for authentication might stop working correctly, including:

  • Appliance certificate updates
  • Licensing automatic updates
  • Subscription updates
  • Diagnostics and Heartbeat uploads

Other issues, yet to be identified, might also occur.