PAM OVA Deployment fails with Invalid Certificate error
Article ID: 133373
Updated On:
Products
Issue/Introduction
This is when trying to deply a new PAM OVA on VMWare.
While the OVA is being deployed, it stops with an error "The OVF package is signed with an invalid certificate.".
As a result, the OVA is not deployed.
Environment
Release : All versions of PAM
Component : PRIVILEGED ACCESS MANAGEMENT
Cause
It is in fact due to the expired certificate.
Resolution
Official Solution:
OVAs have been signed with new certificate so customer should download the new OVA and attempt the deploy again.
A workaround:
Broadcom/CA do not recommend this so this need to be performed at your discretion. (This article was made available when the newly signed OVA was not yet made available)
You can use ovftool.exe (which is VMWare tool, not part of PAM) to ignore the expired certificate.
ovftool.exe --skipManifestCheck {SOURCE-PACKAGE-PATH\SOURCE-PACKAGE-FILENAME} {DESTINATION-PACKAGE-PATH\NEW-PACKAGE-FILENAME}
This tool will repackage the OVA (the new package file)with skipmanifestcheck option so the newly packaged ova will deploy without certificate error.
Example:
ovftool.exe --skipManifestCheck DVD500000000002833.ova NOCHECK.ova
Then this NOCHECK.ova file deployment would not check for certificate validity.
If you extract this NOCHECK.ova file, you will find a difference.
Following is from the original OVA.
Additional Information
Reference: https://communities.vmware.com/thread/572021
Download ovftool: https://my.vmware.com/web/vmware/details?productId=352&downloadGroup=OVFTOOL350
Feedback
