This issue applies to the OVA file of any PAM version. For example, a customer may have deployed the PAM version 3.2 OVA file DVD500000000001333.OVA at some point in time. OVA files are signed with a certificate, and the certificate's validity period is checked during deployment. If the customer re-deploys the OVA on VMware after the validity period has expired, the deployment fails with the error message "The OVF package is signed with an invalid certificate."
Release :
Component : PRIVILEGED ACCESS MANAGEMENT
The root cause is that the certificate used for signing the OVA expired on 4th June 2019.
*** Use this resolution as an example whenever you encounter the error "The OVF package is signed with an invalid certificate." The error indicates that a newer OVA file needs to be downloaded and deployed.
1. Navigate to the Broadcom support portal (https://support.broadcom.com/). Select version 3.2 and click "CA Privileged Access Manager Virtual Appliance MSP DEBIAN".
2. Download PRIVILEGED ACCESS MANGER R3.2B - ESD ONLY DVD500000000002833.ova
An OVA file is just a tar archive containing several files, so it can be extracted with tools like 7zip.
capam-3.2.0.331.cert is the certificate that was used for signing the OVA.
For convenience, you can rename the file to "capam-3.2.0.331.cert.crt" and double-click it to view the certificate content.
The certificate is valid until the year 2021.
The SHA1 hash of the new OVA is 46d3420fc5e11dd48bb05d7ce06616a2b7fac776
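The certificate and hash checks described above can also be run from a shell before attempting a deployment. This is an added example, not part of the original article or any Broadcom tooling; it assumes `tar` and `openssl` are installed, and the function names `ova_cert_check` and `ova_sha1_matches` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): pre-deployment checks on an OVA file.
# Function names are hypothetical; requires tar and openssl.

# Print the signing certificate's subject and expiry date.
# Returns 0 if the certificate is still valid $2 seconds from now (default 0 = now),
# 1 if it has expired (or will have by then), 2 if no certificate could be read.
ova_cert_check() {
    local ova=$1 ahead=${2:-0} cert_name tmp rc=0
    # An OVA is a tar archive; locate the *.cert member (e.g. capam-3.2.0.331.cert).
    cert_name=$(tar -tf "$ova" | grep -m1 '\.cert$') || {
        echo "no .cert member found in $ova" >&2
        return 2
    }
    tmp=$(mktemp) || return 2
    # The .cert member holds the manifest signature line followed by a PEM
    # certificate; openssl skips the leading text and reads the PEM block.
    tar -xOf "$ova" "$cert_name" > "$tmp"
    openssl x509 -in "$tmp" -noout -subject -enddate || rc=2
    if [ "$rc" -eq 0 ] && \
       ! openssl x509 -in "$tmp" -noout -checkend "$ahead" >/dev/null; then
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Compare the OVA's SHA1 with the value published for the download.
ova_sha1_matches() {
    local ova=$1 expected=$2 actual
    actual=$(openssl dgst -sha1 -r "$ova" | cut -d' ' -f1)
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Usage with the file name and hash given in this article:
#   ova_cert_check DVD500000000002833.ova &&
#   ova_sha1_matches DVD500000000002833.ova 46d3420fc5e11dd48bb05d7ce06616a2b7fac776
```

Passing a number of seconds as the second argument to `ova_cert_check` (for example `2592000` for 30 days) flags an OVA whose signing certificate is about to expire, so a fresh download can be planned before a re-deployment fails.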
For more information, refer to the related knowledge base article KB #133373.