OVA/OVF cannot be imported into vCenter Server 8.0 due to a weak certificate signature algorithm.
Article ID: 312035

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

The OVF/OVA digital signature is verified when the package is imported into a content library or deployed through the vCenter Server UI. To verify that signature, the signing certificate must first be added to the vCenter Server trust store as a trusted certificate. Attempting to publish the certificate to the trust store fails with the following error:

# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /ovf_test.cert --login '{USERNAME}' --password '{PASSWORD}' --chain

where {USERNAME} is the vCenter Single Sign-On user account and {PASSWORD} is the password for that user.

Certificate with subject 'C=US, ST=test, L=test, O=test, OU=test, CN=test/emailAddress=test' uses unsafe digest algorithm
dir-cli failed.
Error 90022: Certificate's signature algorithm is weak.


Environment

VMware vCenter Server 8.0
VMware vCenter Server 8.0.1

Cause

Starting with vSphere 8.0, vCenter Server and ESXi no longer support certificates with a SHA-1 digital signature, or other similarly weak digital signature algorithms.

Resolution

Sign the OVF/OVA using a certificate chain that does not contain weak digital signatures.

For example, ensure that the certificate chain uses SHA-2 digital signatures. Certificates using a SHA-2 digital signature can be added to the vCenter Server trust store.

Follow the steps below:

1. Generate a SHA-256 intermediate CSR.
   openssl req -sha256 -new -nodes -keyout intercakey.pem -out intercareq.pem -config ./openssl.cnf

2. Sign the intermediate CSR generated above with a SHA-256 root certificate.
   openssl x509 -sha256 -req -in intercareq.pem -CA <path-to-sha256-root.cert> -CAkey <path-to-CAKey.key> -days 3650 -CAcreateserial -out intercacert.pem

3. Combine the intermediate key and certificate into one PEM file.
   cat intercakey.pem intercacert.pem > sha256cert.pem

4. Check the certificate information (the Signature Algorithm field should show a SHA-2 algorithm such as sha256WithRSAEncryption).
   openssl x509 -in sha256cert.pem -text -noout

5. Use the signed intermediate certificate PEM file with OVF Tool to sign the OVF package.
   ovftool --shaAlgorithm=sha256 --privateKey=./sha256cert.pem <source OVF/OVA file> <output OVF/OVA file>
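The following is an added pre-flight check, not part of this article or of any VMware tool: it walks the outer DER structure of each certificate in a PEM bundle such as sha256cert.pem, reads the signatureAlgorithm OID, and reports which certificates would trip the "signature algorithm is weak" error before you try to publish them with dir-cli. The OID table and the weak/ok classification are the author's assumptions about what vSphere 8.0 rejects (SHA-1 and MD5 based signatures), and the certificates used at the bottom are constructed DER skeletons, not real certificates.

```python
"""Report the signature algorithm of every certificate in a PEM bundle and flag
the ones vCenter Server 8.0 rejects as weak. Added example, not VMware code;
the OID table and verdict policy below are assumptions."""
import base64
import re

# Assumed policy: SHA-1 and MD5 based signatures are "weak"; the SHA-2 family is acceptable.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.10040.4.3": ("dsa-with-sha1", "weak"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "ok"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "ok"),
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Dotted-string OID from DER OBJECT IDENTIFIER content octets."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm_oid(der):
    """OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE { tbs, sigAlg, sig }."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate (outer SEQUENCE missing)")
    tag, _, tbs_end = _read_tlv(der, pos)          # skip tbsCertificate entirely
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_pos, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def check_certificate(der):
    """(algorithm name, verdict) where verdict is 'weak', 'ok' or 'unknown'."""
    oid = signature_algorithm_oid(der)
    return SIG_ALG_OIDS.get(oid, (oid, "unknown"))


def check_pem_bundle(text):
    """Check every CERTIFICATE block in a PEM bundle; PRIVATE KEY blocks are ignored."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [check_certificate(base64.b64decode("".join(b.split()))) for b in blocks]


# --- constructed test data: structurally valid Certificate skeletons, not real certificates ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_certificate(sig_oid):
    """Certificate skeleton whose only meaningful field is the signature algorithm OID."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                   # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # AlgorithmIdentifier
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 65))               # plus a dummy BIT STRING


def to_pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = to_pem(constructed_certificate("1.2.840.113549.1.1.5")) + \
             to_pem(constructed_certificate("1.2.840.113549.1.1.11"))
    for name, verdict in check_pem_bundle(bundle):
        print(f"{name}: {verdict}")
```

Run it against the file you intend to pass to dir-cli or ovftool: `check_pem_bundle(open("sha256cert.pem").read())` returns one (algorithm, verdict) pair per certificate, so a "weak" entry anywhere in the chain tells you which certificate to reissue before the trust-store publish is attempted. Only the outer signatureAlgorithm is parsed; this is the field the error message refers to, and the parser deliberately does not interpret the rest of the certificate.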


Note:
OVF items that already existed in the content library (CLS) before the upgrade are not affected, because the Content Library Service does not store the certificate and manifest together with OVF/OVA library items.