Trust package update does not update ABRCA Root CA Certificate on Content Analysis Appliance version and
search cancel

Trust package update does not update ABRCA Root CA Certificate on Content Analysis Appliance version and


Article ID: 225106


Updated On:


Content Analysis Software


The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. The new certificate will have an expiration date of December 31, 2037.

As per guidelines in article Update the ABRCA Root CA Certificate for the Content Analysis Appliance (Revised: September 7, 2021) you upgraded your CAS-S200 to or version.
The trust package download works, but the expiry date is not updated correctly.


There is a specific situation when a trust package update fails in this case. 
CAS works in an environment that denies any communication outbound from any source other than the proxy. When going through the proxy package is downloaded, but not verified, hence not correctly updated.


Problem is caused by a bug NPPCAS-68847


1. Try to update the Trust Package by going without proxy in path.

  1. Log in to web console

  2. Browse to Settings > Proxy

2. Update the Trust Package for Content Analysis by hosting it on internal web server.

You can manually download the trust package and host it on a file server that the appliance can access. You can use Symantec Management Center to host package, please check this article how to: Upload Files to Management Center
Then, on the Content Analysis, specify this file server location in the load trust-package command: 

  1. Download the trust package from
  2. Save the trust package to a location in the local network that the appliance can access via HTTP.
  3. In the CAS CLI, specify the download URL and load the trust package:

  4. CAS(config)# ssl trust-package url ?

    Possible completions:

    This is the default url that CAS uses to download it.

    CAS(config)# ssl trust-package url http://mylocalserver/trust_package_update.bctp

    then download-now trust package
    CAS# ssl trust-package download-now

3. Verify ABRCA expiry date:

CAS# show ssl ca-certificate ABRCA_root

Additional Information

The 2.4.2.x version is mainly meant for CAS-S200 hardware, as it does not support the 3.x version. If you have S400 or S500 hardware, you can upgrade the device to the latest 3.x version in order to resolve the problem. Please check release notes to verify upgrade path.