The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. The new certificate will have an expiration date of December 31, 2037.
As per guidelines in article Update the ABRCA Root CA Certificate for the Content Analysis Appliance (Revised: September 7, 2021) you upgraded your CAS-S200 to 220.127.116.11 or 18.104.22.168 version.
The trust package download works, but the expiry date is not updated correctly.
Problem is caused by a bug NPPCAS-68847
There is a specific situation when a trust package update fails in this case.
CAS works in an environment that denies any communication outbound from any source other than the proxy. When going through the proxy package is downloaded, but not verified, hence not correctly updated.
Log in to web console
Browse to Settings > Proxy
You can manually download the trust package and host it on a file server that the appliance can access. You can use Symantec Management Center to host package, please check this article how to: Upload Files to Management Center
Then, on the Content Analysis, specify this file server location in the load trust-package command:
The 2.4.2.x version is mainly meant for CAS-S200 hardware, as it does not support the 3.x version. If you have S400 or S500 hardware, you can upgrade the device to the latest 3.x version in order to resolve the problem. Please check release notes to verify upgrade path.