PAM OVA Deployment fails with Invalid Certificate error

Article ID: 133373

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)

CA Privileged Access Manager (PAM)

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

This occurs when trying to deploy a new PAM OVA on VMware.

While the OVA is being deployed, the deployment stops with the error "The OVF package is signed with an invalid certificate.".

As a result, the OVA is not deployed.



Cause

The error is due to an expired certificate.

The certificate used for signing the OVA expired on 4th June 2019.


Environment

Release : All versions of PAM

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Official Solution:

The OVAs have been signed with a new certificate, so customers should download the new OVA and attempt the deployment again.


A workaround:

Broadcom/CA do not recommend this, so it needs to be performed at your discretion. (This article was made available when the newly signed OVA was not yet available.)


You can use ovftool.exe (a VMware tool, not part of PAM) to ignore the expired certificate.

ovftool.exe  --skipManifestCheck {SOURCE-PACKAGE-PATH\SOURCE-PACKAGE-FILENAME}  {DESTINATION-PACKAGE-PATH\NEW-PACKAGE-FILENAME}

The tool repackages the OVA into the new package file with the --skipManifestCheck option, so the newly packaged OVA will deploy without the certificate error.


Example:


ovftool.exe   --skipManifestCheck   DVD500000000002833.ova   NOCHECK.ova



Deployment of this NOCHECK.ova file will then not check certificate validity.


If you extract this NOCHECK.ova file, you will find a difference.


The included file names are now different but, more importantly, there is no "*.cert" file now, because the certificate is no longer checked.
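The difference described above can be checked without extracting the package by hand. The following is an added example, not part of the original article or of PAM or ovftool: it opens an OVA as the tar archive it is, reports whether a .cert and a .mf file are present, and recomputes any digests listed in the manifest. The manifest line format `ALGO(filename)= hexdigest` is assumed from the DMTF OVF specification, and the sample OVA and its file names are constructed for the demonstration.

```python
import hashlib
import io
import re
import tarfile

MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")

def inspect_ova(fileobj):
    """Report .cert/.mf presence; recheck 'ALGO(file)= hex' manifest lines (assumed format)."""
    digests, manifests, names = {}, [], []
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:  # an OVA is an uncompressed tar
        for member in tar:
            if not member.isfile():
                continue
            names.append(member.name)
            src = tar.extractfile(member)
            if member.name.lower().endswith(".mf"):
                manifests.append(src.read().decode("utf-8", "replace"))
                continue
            hashers = {a: hashlib.new(a) for a in ("sha1", "sha256", "sha512")}
            for chunk in iter(lambda: src.read(1 << 20), b""):  # stream large disk images
                for h in hashers.values():
                    h.update(chunk)
            digests[member.name] = {a: h.hexdigest() for a, h in hashers.items()}
    mismatches = []
    for text in manifests:
        for hit in filter(None, map(MF_LINE.match, text.splitlines())):
            algo, target, expected = hit.groups()
            if digests.get(target, {}).get(algo.lower()) != expected.lower():
                mismatches.append(target)  # listed file is missing or was altered
    return {"members": names, "has_manifest": bool(manifests),
            "has_cert": any(n.lower().endswith(".cert") for n in names),
            "mismatches": mismatches}

def build_sample_ova(with_cert=True, tamper=False):
    """Constructed sample: a tiny in-memory OVA, not a real PAM image."""
    ovf, disk = b"<Envelope/>", b"constructed disk bytes"
    mf = "SHA256(sample.ovf)= %s\nSHA256(sample-disk1.vmdk)= %s\n" % (
        hashlib.sha256(ovf).hexdigest(), hashlib.sha256(disk).hexdigest())
    parts = [("sample.ovf", ovf), ("sample.mf", mf.encode())]
    if with_cert:
        parts.append(("sample.cert", b"constructed placeholder, not a signature"))
    parts.append(("sample-disk1.vmdk", disk + (b"!" if tamper else b"")))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in parts:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())
```

Matching digests only show that the files agree with the manifest; once the .cert is gone, nothing in the package ties that manifest to the publisher.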

Following is from the original OVA.


Additional Information

Reference: https://communities.vmware.com/thread/572021

Download ovftool: https://my.vmware.com/web/vmware/details?productId=352&downloadGroup=OVFTOOL350
