The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your Advanced Secure Gateway appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.
Warning: The continued operation of your Advanced Secure Gateway appliances requires that you ensure the system trust package is updated on your appliances. To ensure the uninterrupted operation of your appliances, perform one of the following updates immediately; if this is not possible, make it a priority to complete the update in a timely manner:
Perform and verify the updates in this section before December 18, 2021; otherwise, see Upgrade to a Supported Advanced Secure Gateway Release.
To retrieve a new appliance certificate, use the following command line interface (CLI) commands:
#(config)ssl
#(config ssl)request-appliance-certificate
Requesting certificate
Verifying certificate
Loading factory certificate from keyring
Storing factory certificate in permanent store
PASSED
The Advanced Secure Gateway trust package includes a list of trusted root CA certificates. Because Advanced Secure Gateway appliances automatically download the latest trust package every seven days by default, your appliances should have the latest trust package unless they were restricted from accessing appliance.bluecoat.com or the trust package auto-update settings were changed from their defaults.
Enable Automatic Trust Package Updates
To enable or confirm automatic trust package updates, use the following ProxySG CLI command:
#(config)security trust-package auto-update enable
ok
The command output indicates whether the setting is already enabled. If your organization cannot enable trust package updates, see Download the Trust Package.
Verify the Trust Package
To verify that an appropriate trust package is installed, use the following ProxySG command line interface (CLI) command:
#show security trust-package
In the command output, look for the date beside Creation time. If the date is October 13 2020 or later, no further steps are required for this appliance. Otherwise, proceed to the next section to download the trust package.
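When many appliances have to be checked, the date comparison in this step can be scripted. The following is an added example, not Symantec code: it reads saved #show security trust-package output per appliance and applies the October 13 2020 cut-off. Only the Creation time label comes from this article; the rest of the output layout, the date being written as month name, day, year, and the host names are assumptions.

```python
import re
from datetime import date

# Cut-off from the article: a package created on or after this date is current.
MIN_CREATION = date(2020, 10, 13)

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# "Creation time" is the label named in the article. The rest of the line
# layout (optional weekday, then month name, day, year) is an assumption.
CREATION_RE = re.compile(
    r"Creation time\s*:?[^\n]*?\b([A-Za-z]{3})[A-Za-z]*\.?\s+(\d{1,2}),?\s+(\d{4})",
    re.IGNORECASE)


def creation_date(output):
    """Return the first parsable Creation time in the output, or None."""
    for m in CREATION_RE.finditer(output):
        month = MONTHS.get(m.group(1).lower())
        if month is None:
            continue
        try:
            return date(int(m.group(3)), month, int(m.group(2)))
        except ValueError:  # impossible calendar date, e.g. day 31 in June
            continue
    return None


def status(output):
    created = creation_date(output)
    if created is None:
        return "unknown"  # no parsable Creation time: check this appliance by hand
    return "ok" if created >= MIN_CREATION else "update-needed"


def audit(captures):
    """Map each appliance name to ok / update-needed / unknown."""
    return {host: status(text) for host, text in captures.items()}


# Constructed sample captures (host names and output text are not real data).
SAMPLE = {
    "asg-01": "Auto-update: enabled\n  Creation time: Tuesday February 2 2021 18:23:12 UTC\n",
    "asg-02": "Auto-update: disabled\n  Creation time: Friday June 7 2019 02:10:44 UTC\n",
    "asg-03": "% connection timed out\n",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```

Appliances reported as update-needed or unknown are the ones to take through the download step.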
Download the Trust Package
This step is only necessary if Verify the Trust Package did not result in a trust package dated October 13 2020 or later. Download the trust package using the following ProxySG CLI command:
#load trust-package
Downloading from "http://appliance.bluecoat.com/sgos/trust_package.bctp"
The trust package has been successfully downloaded.
trust package successfully installed
After downloading the trust package, follow the instructions in Verify the Trust Package to ensure that the latest trust package is installed.
Note: If the trust package does not install correctly, see Upgrade to a Supported Advanced Secure Gateway Release.
Upgrade to a Supported Advanced Secure Gateway Release
Upgrade to a supported Advanced Secure Gateway release if any of the following are true:
The following releases include the fix for the system clock issue, an updated trust package, and a new mechanism to auto-update the appliance certificate:
Monitor this KB article for updates and refer to upcoming Advanced Secure Gateway Release Notes to determine which versions have the fix.
If the appliance certificate expires, certain appliance-to-back-end communications flows that use the appliance certificate for authentication might stop working correctly, including:
Other issues, yet to be identified, might also occur.