Trust package update does not update ABRCA Root CA Certificate on Content Analysis Appliance version 2.4.2.1 and 2.4.2.2


Article ID: 225106


Products

Content Analysis Software

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. The new certificate will have an expiration date of December 31, 2037.

As per the guidelines in the article "Update the ABRCA Root CA Certificate for the Content Analysis Appliance" (Revised: September 7, 2021), you upgraded your CAS-S200 to version 2.4.2.1 or 2.4.2.2.
The trust package download works, but the expiry date is not updated correctly.

Cause

The problem is caused by bug NPPCAS-68847.

Environment

The trust package update fails in one specific situation:
CAS works in an environment that denies any outbound communication from any source other than the proxy. When going through the proxy, the package is downloaded but not verified, and hence not correctly updated.

Resolution

1. Try to update the Trust Package without the proxy in the path.

  1. Log in to the web console

  2. Browse to Settings > Proxy


2. Update the Trust Package for Content Analysis by hosting it on an internal web server.

You can manually download the trust package and host it on a file server that the appliance can access. You can use Symantec Management Center to host the package; for instructions, see the article "Upload Files to Management Center".
Then, on Content Analysis, specify this file server location in the load trust-package command:

  1. Download the trust package from http://appliance.bluecoat.com/sgos/trust_package.bctp.
  2. Save the trust package to a location in the local network that the appliance can access via HTTP.
  3. In the CAS CLI, specify the download URL and load the trust package:

    CAS(config)# ssl trust-package url ?

    Possible completions:
      <string>[http://appliance.bluecoat.com/sgos/trust_package.bctp]

    This is the default URL that CAS uses to download the trust package.

    CAS(config)# ssl trust-package url http://mylocalserver/trust_package_update.bctp

    Then download the trust package immediately:

    CAS(config)# exit
    CAS# ssl trust-package download-now

3. Verify ABRCA expiry date:

CAS# show ssl ca-certificates ABRCA_root

Additional Information

The 2.4.2.x version is mainly meant for CAS-S200 hardware, as it does not support the 3.x version. If you have S400 or S500 hardware, you can upgrade the device to the latest 3.x version in order to resolve the problem. Please check the release notes to verify the upgrade path.