Update the ABRCA Root CA Certificate on Advanced Secure Gateway Appliances (Revised: September 23, 2021)

Article ID: 207153

Products

ASG-S200 ASG-S400 ASG-S500

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your Advanced Secure Gateway appliances. The new certificate will have an expiration date of December 31, 2037.

The continued operation of your Advanced Secure Gateway appliances requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, you must request a new appliance certificate and perform a software update as soon as possible to allow for adequate testing and troubleshooting before the certificate expires. 

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, certain appliance-to-back-end communications flows that use the appliance certificate for authentication might stop working correctly, including:

  • Appliance certificate updates
  • Automatic and manual license updates from Symantec servers 
    (After the appliance certificate expires, you can install a license manually; refer to KB223947.)
  • Subscription updates
  • Diagnostics and Heartbeat uploads

Other issues, yet to be identified, might also occur. To prevent these issues from occurring, perform the steps described below as soon as possible.

Recovery: What to Do If You Fail to Update Before the Certificate Expires

If you fail to update your Advanced Secure Gateway appliances before the root CA expires in December 2021, the appliances might experience failures as described above. To renew the certificate, follow the steps described in the Resolution section below.

Resolution

Perform the following steps in the specified order:

  1. Upgrade Advanced Secure Gateway to a supported release in a timely manner. See Upgrade Advanced Secure Gateway.
  2. Ensure the latest trust package is installed. See Verify the Trust Package.
  3. Update the appliance certificate. See Retrieve a New Appliance Certificate.

1. Upgrade Advanced Secure Gateway

Upgrade to a supported Advanced Secure Gateway release as soon as possible to allow for adequate testing and troubleshooting before the certificate expires in December 2021. 

Release Version                      Release Date
Advanced Secure Gateway 6.7.4.17     June 28, 2021
Advanced Secure Gateway 6.7.5.12     June 28, 2021
Advanced Secure Gateway 7.2.7.2      June 28, 2021
Advanced Secure Gateway 7.3.3.3      June 28, 2021

IMPORTANT: All Advanced Secure Gateway appliances must be updated to one of these versions or later. Any previous versions will not be supported after November 2021.

Note: Earlier Advanced Secure Gateway versions were previously released with the updated ABRCA root CA certificate. For best security, please upgrade to one of the supported versions above instead. These releases include a critical security vulnerability fix; see SYMSA18331 for more information.

For upgrade instructions, refer to the Advanced Secure Gateway Upgrade documentation. You can download the software package from the Broadcom download portal.


2. Verify the Trust Package

After upgrading, verify that an appropriate trust package is installed. Use the following ProxySG command line interface (CLI) command:

#show ssl summary ca-certificate ABRCA_root
Certificate ID:           ABRCA_root
Certificate Issuer:       Blue Coat Systems, Inc.
Valid from:               Sep 11 00:04:16 2020 GMT
Valid to:                 Dec 31 00:04:16 2037 GMT
Thumbprint:               B7:C6:E2:0F:35:64:1E:E5:D3:FC:CA:3F:A8:B5:79:12

In the command output, look for the date beside 'Valid from'. The date should be Sep 11 2020 or later.

Note: Updating Advanced Secure Gateway to one of the supported versions listed above should also automatically update the trust package to a supported version. If the #show ssl summary ca-certificate ABRCA_root command still shows an older 'Valid from' date after upgrading Advanced Secure Gateway, update the trust package manually; see the following instructions.
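To check this output across a fleet of appliances without reading each one by hand, the following Python script (an added example, not part of this KB or of the appliance software) parses captured `show ssl summary ca-certificate ABRCA_root` output and reports whether the updated root is installed and how long the installed root has left. It assumes the CLI output has already been captured to text; the stale sample, its dates and its thumbprint are constructed placeholders.

```python
from datetime import datetime, timezone

# Earliest 'Valid from' date that indicates the updated ABRCA root CA (per this KB).
MIN_VALID_FROM = datetime(2020, 9, 11, tzinfo=timezone.utc)
# Thumbprint shown in this KB's sample 'show ssl summary' output.
EXPECTED_THUMBPRINT = "B7:C6:E2:0F:35:64:1E:E5:D3:FC:CA:3F:A8:B5:79:12"

def parse_cert_summary(output):
    """Turn 'Key:   value' lines of the CLI output into a dict; other lines are skipped."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith("#"):  # '#' lines are echoed CLI prompts
            fields[key.strip()] = value.strip()
    return fields

def parse_sgos_date(value):
    """Parse the appliance's date format, e.g. 'Sep 11 00:04:16 2020 GMT'."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def check_abrca_root(output, now=None):
    """Report whether the installed ABRCA_root is the updated certificate and when it expires."""
    fields = parse_cert_summary(output)
    valid_from = parse_sgos_date(fields["Valid from"])
    valid_to = parse_sgos_date(fields["Valid to"])
    now = now or datetime.now(timezone.utc)
    return {
        "certificate_id": fields.get("Certificate ID"),
        "trust_package_current": valid_from >= MIN_VALID_FROM,
        "thumbprint_matches": fields.get("Thumbprint", "").upper() == EXPECTED_THUMBPRINT,
        "days_until_expiry": (valid_to - now).days,
    }

# Sample output copied from this KB (updated trust package installed).
UPDATED_OUTPUT = """\
#show ssl summary ca-certificate ABRCA_root
Certificate ID:           ABRCA_root
Valid from:               Sep 11 00:04:16 2020 GMT
Valid to:                 Dec 31 00:04:16 2037 GMT
Thumbprint:               B7:C6:E2:0F:35:64:1E:E5:D3:FC:CA:3F:A8:B5:79:12
"""

# Constructed sample of an appliance still holding an older root (placeholder dates and thumbprint).
STALE_OUTPUT = """\
Certificate ID:           ABRCA_root
Valid from:               Jan 01 00:00:00 2010 GMT
Valid to:                 Dec 31 00:00:00 2021 GMT
Thumbprint:               00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""
```

An appliance whose result has trust_package_current set to False needs the manual trust package update described below before requesting a new appliance certificate.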

Download the Trust Package Manually

This step is only necessary if the #show ssl summary ca-certificate ABRCA_root command does not show a 'Valid from' date of Sep 11 2020 or later. Download the trust package by performing one of the following procedures, depending on your deployment:

If the appliance can access appliance.bluecoat.com, see Download the Trust Package from Symantec Servers. If the appliance is in a closed environment, see Update the Trust Package in a Closed Environment.

Download the Trust Package from Symantec Servers

To download the trust package manually, use the following ProxySG CLI command:

#load trust-package
    Downloading from "http://appliance.bluecoat.com/sgos/trust_package.bctp"
    The trust package has been successfully downloaded.
    trust package successfully installed

After downloading the trust package, issue the #show ssl summary ca-certificate ABRCA_root command (see Verify the Trust Package) to ensure that the latest trust package is installed.

Update the Trust Package in a Closed Environment

In a closed environment, you must manually download the trust package and host it on a file server that the appliance can access. Then, on the Advanced Secure Gateway appliance, specify this file server location in the #load trust-package command: 

  1. Download the trust package from http://appliance.bluecoat.com/sgos/trust_package.bctp.
    If clicking the previous link does not initiate the download, right-click the link and select Save As to download the file.
  2. Save the trust package to a location in the local network that the appliance can access via HTTP.
  3. Specify the download URL and load the trust package:

#(config) security trust-package download-path <local_URL>
  ok
#(config) exit
#load trust-package
    Downloading from "http://your_domain/sgos/trust_package.bctp"
    The trust package has been successfully downloaded.
    trust package successfully installed


3. Retrieve a New Appliance Certificate

To retrieve a new appliance certificate, use the following CLI commands:

#(config)ssl
#(config ssl)request-appliance-certificate
Requesting certificate
Verifying certificate
Loading factory certificate from keyring
Storing factory certificate in permanent store
PASSED

Refer to KB article 168179 for more information on updating the appliance certificate. To update the appliance certificate in a closed environment, refer to KB article 222712.