Deploying OVA shows "Invalid Certificate" on vCenter 7.0U2, but shows "Trusted certificate" in older versions
Article ID: 336085
Updated On:
Products
VMware vCenter Server
Issue/Introduction
This document provides steps to make an OVA/OVF package trusted in vCenter Server versions 7.0U2 and above
Symptoms:
Symptoms:
- When importing an OVA/OVFs into vCenter 7.0U2 or higher version, the "Deploy OVF Template" wizard shows the publisher certificate as "invalid" or "not trusted". The same package when imported on an older version of vCenter Server shows "Trusted"
- In the review details screen while deploying OVF/OVA template, you see error similar to:
Error: "The Certificate is not trusted".
- In cls.log, you see entries similar to:
CertPathBuilderException while validating certificate chain
java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
Environment
VMware vCenter Server 7.0.x
Cause
Prior to vCenter 7.0 U2, there was minimal certificate verification done on OVA/OVF packages.
Starting 7.0 U2, the OVF signing certificates are verified for their expiry, validity and checked if the signing certificate is trusted. This means that the entire chain of the signing certificate should be trusted against the VECS store.
Starting 7.0 U2, the OVF signing certificates are verified for their expiry, validity and checked if the signing certificate is trusted. This means that the entire chain of the signing certificate should be trusted against the VECS store.
Resolution
To avoid this warning, add the signing certificate to VECS store by following these steps.
1. Get the OVF/OVA signing certificate's chain ( root CA and intermediate certificates, if any ). You can use any certificate chain resolver to find the missing certificates from the chain.
2. Add the intermediate and root certificates to VECS store.
a. login to vCenter as administrator
b. From drop down menu select administration -> Certificates -> Certificate Management
c. Click "ADD" next to Trusted Roots Certificates
d. Browse and select the certificate(s) found in step 1.
To ignore the warning, click "Ignore" next to warning "The certificate is not trusted"
1. Get the OVF/OVA signing certificate's chain ( root CA and intermediate certificates, if any ). You can use any certificate chain resolver to find the missing certificates from the chain.
2. Add the intermediate and root certificates to VECS store.
a. login to vCenter as administrator
b. From drop down menu select administration -> Certificates -> Certificate Management
c. Click "ADD" next to Trusted Roots Certificates
d. Browse and select the certificate(s) found in step 1.
To ignore the warning, click "Ignore" next to warning "The certificate is not trusted"
Feedback
Yes
No
Powered by
