Update the ABRCA Root CA Certificate on Advanced Secure Gateway Appliances (Revised: May 5, 2021)
Article ID: 207153
Updated On:
Products
Issue/Introduction
The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your Advanced Secure Gateway appliances. The new certificate will have an expiration date of December 31, 2037.
IMPORTANT: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient. Advanced Secure Gateway requires a software upgrade to do proper certificate validation during Content Analysis subscription downloads.
The continued operation of your Advanced Secure Gateway appliances requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update by August 31, 2021.
Resolution
Retrieve a New Appliance Certificate
To retrieve a new appliance certificate, use the following command line interface (CLI) commands:
#(config)ssl
#(config ssl)request-appliance-certificate
Requesting certificate
Verifying certificate
Loading factory certificate from keyring
Storing factory certificate in permanent store
PASSED
Upgrade Advanced Secure Gateway
Upgrade to a supported Advanced Secure Gateway release.
| Release Version | Release Date |
| Advanced Secure Gateway 6.7.5.10 | Released on March 24, 2021 |
| Advanced Secure Gateway 7.2.6 | Released on April 13, 2021 |
| Advanced Secure Gateway 7.3.3 | Released on April 28, 2021 |
IMPORTANT: All Advanced Secure Gateway appliances must be updated to this version. Any previous versions will not be supported after November 2021.
For upgrade instructions, refer to KB 214293. You can download the software package from the Broadcom download portal.
Verify the Trust Package
After upgrading, verify that an appropriate trust package is installed. Use the following ProxySG CLI command:
#show security trust-package
In the command output, look for the date beside Creation time. The date should be October 13 2020 or later.
Consequences of an Expired Appliance Certificate
If the appliance certificate expires, certain appliance-to-back-end communications flows that use the appliance certificate for authentication might stop working correctly, including:
- Appliance certificate updates
- Licensing automatic updates
- Subscription updates
- Diagnostics and Heartbeat uploads
Other issues, yet to be identified, might also occur.
Feedback
