Update the ABRCA Root CA Certificate on PacketShaper Appliances


Article ID: 207670


Updated On:

Products

PacketShaper PacketShaper S-Series

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older ABRCA root CA certificate expires, ensure that the new ABRCA root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.

When the root CA certificate expires, some features that use the ABRCA root CA certificate for authentication will fail.

Warning: The continued operation of your PacketShaper/PolicyCenter appliances requires that you replace the expiring trusted ABRCA root CA certificate with a new certificate on each appliance. To ensure the uninterrupted operation of your PacketShaper/PolicyCenter appliances, perform the updates described in this article immediately; if this is not possible, make it a priority to complete the updates by December 18, 2021.

Resolution

Required Step – Upgrade the PacketShaper/PolicyCenter OS: 

To update the ABRCA root CA certificate, you must upgrade PacketShaper/PolicyCenter to one of the following releases before the dates listed in the previous section:  

  • PacketShaper 11.10.2.5

  • PacketShaper 11.10.3.4

  • PolicyCenter 1.1.5

The new ABRCA root CA certificate is included in these releases. Upgrading to one of these releases automatically updates the ABRCA root CA certificate; no manual action is required. These releases also include a feature that automatically renews the appliance certificate (which is separate from the ABRCA root CA certificate) if it is within 60 days of expiring.

Additional Steps

You must update the appliance certificate in addition to the ABRCA root CA certificate. The system can automatically download the appliance certificate, or you can manually force the update of the appliance certificate using the command described in the next section.

 

Appliance Certificate Update Requirements

Ensure that the appliance can access the following domain:



Manually Renew the Appliance Certificate

To manually update the appliance certificate, use the following command:

acquire-cert

 

Update the Hardware Appliance Certificate in a Closed Environment

If the appliance is in a closed environment, you must do the following to update the appliance certificate:

 

Verify that You Have Successfully Upgraded Your Appliance Certificate

Enter the following command to show the appliance certificate expiration date:

ver ver 
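For a fleet of appliances, the release check and the 60-day renewal window described above can be audited offline. The following is an added example, not Broadcom tooling or code from this article. It assumes a hand-maintained inventory of (name, product, version, certificate expiry) with the expiry written in the same date format the article uses for the root CA, and it assumes that a later build on the same release train also carries the new root CA.

```python
from datetime import datetime, timedelta, timezone

# Minimum fixed build per release train, taken from the article.
FIXED = {
    ("PacketShaper", (11, 10, 2)): (11, 10, 2, 5),
    ("PacketShaper", (11, 10, 3)): (11, 10, 3, 4),
    ("PolicyCenter", (1, 1)): (1, 1, 5),
}
RENEW_WINDOW = timedelta(days=60)  # auto-renew window stated in the article

def parse_not_after(text):
    """Parse an expiry written like 'Dec 31 00:04:16 2037 GMT'."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def has_new_root(product, version):
    """True if the release is a listed fixed build. Assumption: a later
    build on the same train also carries the new root CA."""
    v = tuple(int(p) for p in version.split("."))
    for (prod, train), fixed in FIXED.items():
        if prod == product and v[:len(train)] == train:
            return v >= fixed
    return False  # unknown train: treat as not fixed and check by hand

def audit(inventory, now):
    """Return {name: [findings]} for appliances that need attention."""
    report = {}
    for name, product, version, not_after in inventory:
        findings = []
        if not has_new_root(product, version):
            findings.append("upgrade OS to get new ABRCA root CA")
        remaining = parse_not_after(not_after) - now
        if remaining <= timedelta(0):
            findings.append("appliance certificate expired")
        elif remaining <= RENEW_WINDOW:
            findings.append("appliance certificate within 60 days of expiry")
        if findings:
            report[name] = findings
    return report

# Constructed inventory: names, versions and dates are sample values.
SAMPLE = [
    ("ps-edge-1", "PacketShaper", "11.10.2.5", "Jun 01 00:00:00 2030 GMT"),
    ("ps-edge-2", "PacketShaper", "11.10.3.2", "Jan 15 12:00:00 2022 GMT"),
    ("pc-core-1", "PolicyCenter", "1.1.4", "Nov 30 00:00:00 2021 GMT"),
]

if __name__ == "__main__":
    for host, items in audit(SAMPLE, datetime(2021, 12, 1, tzinfo=timezone.utc)).items():
        print(host, "->", "; ".join(items))
```

An appliance that is flagged for an OS upgrade and also has a certificate close to expiry should be handled first, because an expired root CA blocks the appliance certificate update.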

 

Consequences of an Expired ABRCA Root CA Certificate

If the ABRCA root CA certificate expires, you will not be able to update the appliance certificate. When the appliance certificate expires, certain appliance-to-back-end communication flows that use the appliance certificate for authentication might stop working correctly, including:

  • Inability to download your license from Broadcom.

  • WebPulse service failure.

 

Other issues, yet to be identified, might also occur.