This occurs when trying to deploy a new PAM OVA on VMware.
While the OVA is being deployed, the deployment stops with the error "The OVF package is signed with an invalid certificate."
As a result, the OVA is not deployed.
Release : All versions of PAM
Component : PRIVILEGED ACCESS MANAGEMENT
The error is caused by the expired certificate that was used to sign the OVA.
Official Solution:
The OVAs have been signed with a new certificate, so customers should download the new OVA and attempt the deployment again.
A workaround:
Broadcom/CA does not recommend this workaround, so perform it at your own discretion. (This article was published before the newly signed OVA was available.)
You can use ovftool.exe (a VMware tool, not part of PAM) to ignore the expired certificate.
ovftool.exe --skipManifestCheck {SOURCE-PACKAGE-PATH\SOURCE-PACKAGE-FILENAME} {DESTINATION-PACKAGE-PATH\NEW-PACKAGE-FILENAME}
With the --skipManifestCheck option, the tool repackages the OVA into the new package file, and the newly packaged OVA will deploy without the certificate error.
Example:
ovftool.exe --skipManifestCheck DVD500000000002833.ova NOCHECK.ova
Deployment of this NOCHECK.ova file will then not check certificate validity.
If you extract this NOCHECK.ova file, you will find a difference.
Following is from the original OVA.
Reference: https://communities.vmware.com/thread/572021
Download ovftool: https://my.vmware.com/web/vmware/details?productId=352&downloadGroup=OVFTOOL350