Update the ABRCA Root CA Certificate on Advanced Secure Gateway Appliances

Products

Advanced Secure Gateway Software - ASG ASG-S200 ASG-S400 ASG-S500

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your Advanced Secure Gateway appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.

Warning: The continued operation of your Advanced Secure Gateway appliances requires that you ensure the system trust package is updated on your appliances. To ensure the uninterrupted operation of your appliances, perform one of the following updates immediately; if this is not possible, make it a priority to complete the update in a timely manner:

Request a new appliance certificate and update the trust package from appliance.bluecoat.com by December 18, 2021. See Retrieve a New Appliance Certificate and Update the Trust Package.
If you cannot retrieve a new appliance certificate and trust package from appliance.bluecoat.com by December 18, 2021, upgrade to a supported Advanced Secure Gateway release. See Upgrade to a Supported Advanced Secure Gateway Release.

Resolution

Retrieve a New Appliance Certificate and Update the Trust Package

Perform and verify the updates in this section before December 18, 2021; otherwise, see Upgrade to a Supported Advanced Secure Gateway Release.

Retrieve a New Appliance Certificate

To retrieve a new appliance certificate, use the following command line interface (CLI) commands:

#(config)ssl
#(config ssl)request-appliance-certificate
Requesting certificate
Verifying certificate
Loading factory certificate from keyring
Storing factory certificate in permanent store
PASSED

Update the Trust Package

The Advanced Secure Gateway trust package includes a list of trusted root CA certificates. Because Advanced Secure Gateway appliances automatically download the latest trust package every seven days by default, your appliances should have the latest trust package unless they were restricted from accessing appliance.bluecoat.com or the trust package auto-update settings were changed from their defaults.

Enable Automatic Trust Package Updates

To enable or confirm automatic trust package updates, use the following ProxySG CLI command:

#(config)security trust-package auto-update enable
ok

Command output indicates if the setting is already enabled. If your organization cannot enable trust package updates, see Download the Trust Package.

Verify the Trust Package

To verify if you have an appropriate trust package installed, use the following ProxySG command line interface (CLI) command:

#show security trust-package

In the command output, look for the date beside Creation time. If the date is October 13 2020 or later, no further steps are required for this appliance. Otherwise, proceed to the next section to download the trust package.

Download the Trust Package Manually

This step is only necessary if Verify the Trust Package did not result in a trust package dated October 13 2020 or later. Download the trust package using the following ProxySG CLI command:

#load trust-package
Downloading from "http://appliance.bluecoat.com/sgos/trust_package.bctp"
The trust package has been successfully downloaded.
trust package successfully installed

After downloading the trust package, follow the instructions in Verify the Trust Package to ensure that the latest trust package is installed.

Note: If the trust package does not install correctly, see Upgrade to a Supported Advanced Secure Gateway Release.

Upgrade to a Supported Advanced Secure Gateway Release

Upgrade to a supported Advanced Secure Gateway release if any of the following are true:

you do not perform the manual updates by December 18, 2021; or
you download the trust package from a URL other than the default appliance.bluecoat.com; or
your Advanced Secure gateway appliances are in a closed environment; or
you have ever set the system clock to a date past October 2021. In this scenario, new trust packages might not install successfully even after you correct the system clock time.

The following releases include the fix for the system clock issue, an updated trust package, and a new mechanism to auto-update the appliance certificate:

Version 6.7.x: TBA
Version 7.2.x: TBA
Version 7.3.x: TBA

Monitor this KB article for updates and refer to upcoming Advanced Secure Gateway Release Notes to determine which versions have the fix.

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, certain appliance-to-back-end communications flows that use the appliance certificate for authentication might stop working correctly, including:

Appliance certificate updates
Licensing automatic updates
Subscription updates
Diagnostics and Heartbeat uploads

Other issues, yet to be identified, might also occur.