The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older ABRCA root CA certificate expires, ensure that the new ABRCA root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.
When the root CA certificate expires, some features that use the ABRCA root CA certificate for authentication will fail. See the end of this article for additional details.
Warning: The continued operation of your PolicyCenter appliances requires that you upgrade PolicyCenter and complete the following steps in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update by August 31, 2021.
If you fail to update your PolicyCenter appliances before the root CA expires in December 2021, your appliances might experience failures as described in "Consequences of an Expired Appliance Certificate." The steps to renew the certificate are identical, whether you renew the root CA before, or after, the certificate expires. To renew the certificate, follow the steps in this article to upgrade to a new build that contains the updated trust package.
To update the ABRCA root CA certificate, you must upgrade PolicyCenter to one of the following releases before the dates listed in the previous section:
The new ABRCA root CA certificate is included in these releases. Upgrading to one of these releases automatically updates the ABRCA root CA certificate; no manual action is required. These releases also include a feature that automatically renews the appliance certificate (this is different from the ABRCA root CA) if it is within 60 days of expiring.
You must update the appliance certificate in addition to the ABRCA root CA certificate. The system can automatically download the appliance certificate or you can manually force the update of the appliance certificate using the commands described in the next sections.
Ensure that the appliance can access the abrca.bluecoat.com domain, as described in Required Ports, Protocols, and Services for Symantec Enterprise Security Products.
To manually update the appliance certificate, use the following command:
You may have to run the following command first (if 'acquire-cert' command is not available):
PolicyCenter# pc showdebug 1
Then run the following command:
Successfully acquired PolicyCenter birth certificate.
If the appliance is in a closed environment, you must do the following to update the appliance certificate:
Add a firewall exception for abrca.bluecoat.com.
Enter the following command to show the appliance certificate expiration date:
PolicyCenter# ver ver
PolicyCenter# ver ver
Version: PolicyCenter 126.96.36.199 build 261254 (DEBUG)
Product: PolicyCenter S400
Part Number: xxxxxxxxxx-12345 REV BN
Serial Number: xxxxxxxxxx
Memory: 15.9GB RAM, 4GB System Disk total, 3.1GB System Disk available
mgmt MAC Address: 00:d0:83:09:64:a3
Slot2_in MAC Address: 00:d0:83:09:64:a5
Slot2_out MAC Address: 00:d0:83:09:64:a6
Slot3_in MAC Address: 00:e0:ed:31:82:3c
Slot3_out MAC Address: 00:e0:ed:31:82:3d
ABRCA root certificate expires Dec 31 00:04:16 2037 GMT
Appliance birth certificate expires May 14 18:32:59 2026 GMT
Visibility: Activation 2020-08-12, Expiration Never
Control: Activation 2020-08-12, Expiration Never
FDR: Activation 2020-08-12, Expiration Never
Packet Capture: Activation 2020-08-12, Expiration Never
If the ABRCA root CA certificate expires, you will not be able to update the appliance certificate. When the appliance certificate expires, certain appliance-to-back-end communications flows that use the appliance certificate for authentication might stop working correctly, including:
Inability to download your license from Broadcom.
WebPulse service failure.
Other issues, yet to be identified, might also occur.