The OVF/OVA digital signature is verified during import into the content library or while deploying through the vCenter Server UI. To verify an OVF/OVA digital signature, a trusted certificate must be added to the vCenter Server trust store. When attempting to add the trusted certificate to the trust store, the following error occurs:
# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /ovf_test.cert --login '{USERNAME}' --password '{PASSWORD}' --chain
Where USERNAME is [email protected] and PASSWORD is the password for that user.
Certificate with subject 'C=US, ST=test, L=test, O=test, OU=test, CN=test/emailAddress=test' uses unsafe digest algorithm dir-cli failed.
Error 90022: Certificate's signature algorithm is weak.
Starting with vSphere 8.0, vCenter Server and ESXi no longer support certificates with a SHA-1 digital signature, or other similarly weak digital signature algorithms.
Sign the OVF/OVA using a certificate chain that does not contain weak digital signatures.
For example, ensure that the certificate chain uses SHA-2 digital signatures. Certificates using a SHA-2 digital signature can be added to the vCenter Server trust store.
Follow these steps:
2. Sign the intermediate CSR generated above with the SHA-256 root certificate
openssl x509 -sha256 -req -in intercareq.pem -CA <path-to-sha256-root.cert> -CAkey <path-to-CAKey.key> -days 3650 -CAcreateserial -out intercacert.pem
3. Combine the intermediate key and certificate into one PEM file
cat intercakey.pem intercacert.pem > sha256cert.pem
4. Check the information in the resulting certificate
openssl x509 -in sha256cert.pem -text -noout
5. Use the combined intermediate key and certificate PEM file with ovftool to sign the OVF package
ovftool --shaAlgorithm=sha256 --privateKey=./sha256cert.pem <source OVF/OVA file> <output OVF/OVA file>
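Before publishing a chain with dir-cli or signing a package with it, it is worth checking that no certificate in the bundle still carries a SHA-1 or MD5 signature, since that is exactly what Error 90022 rejects. The script below is an added example, not VMware's code or part of this article's procedure; it assumes only that the openssl command-line tool is on PATH. It splits a PEM bundle (such as the sha256cert.pem produced above, private key included) into its certificates, reads each one's signature algorithm with `openssl x509 -text`, and reports any weak one; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not VMware's code): inspect every certificate in a PEM bundle and
# flag signature algorithms that vSphere 8.0 rejects (SHA-1, MD5 and similar), so the
# chain can be checked before "dir-cli trustedcert publish" or "ovftool --privateKey".
# Assumes the openssl command-line tool is on PATH.

# is_weak_sig_algo ALGO: true (0) when the X.509 signature algorithm name is SHA-1,
# MD5 or MD2 based, e.g. "sha1WithRSAEncryption" or "ecdsa-with-SHA1".
is_weak_sig_algo() {
  case "$1" in
    *sha1*|*SHA1*|*md5*|*MD5*|*md2*|*MD2*) return 0 ;;
    *) return 1 ;;
  esac
}

# cert_sig_algo CERT.pem: print the signature algorithm of a single PEM certificate.
cert_sig_algo() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# check_chain BUNDLE.pem: split the bundle into its certificates (private keys and other
# PEM blocks are ignored) and print "<n> <subject> <algorithm> <ok|WEAK>" per certificate.
# Returns 1 if any certificate in the bundle carries a weak signature.
check_chain() {
  bundle="$1"
  tmpdir=$(mktemp -d) || return 2
  # Copy only the lines between BEGIN/END CERTIFICATE markers, one file per certificate.
  awk -v d="$tmpdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = 1 }
    out { print > (d "/cert" n ".pem") }
    /-----END CERTIFICATE-----/ { out = 0 }
  ' "$bundle"
  rc=0
  n=1
  while [ -f "$tmpdir/cert$n.pem" ]; do
    algo=$(cert_sig_algo "$tmpdir/cert$n.pem")
    subj=$(openssl x509 -in "$tmpdir/cert$n.pem" -noout -subject)
    if is_weak_sig_algo "$algo"; then
      printf '%s %s %s WEAK\n' "$n" "$subj" "$algo"
      rc=1
    else
      printf '%s %s %s ok\n' "$n" "$subj" "$algo"
    fi
    n=$((n + 1))
  done
  rm -rf "$tmpdir"
  return $rc
}

# Usage: sh check_chain.sh sha256cert.pem   (exit status 1 if any weak signature is found)
if [ $# -gt 0 ]; then
  check_chain "$1"
fi
```

Run it against the bundle you intend to publish; a non-zero exit status means dir-cli would reject the chain with the same "signature algorithm is weak" error, so the offending certificate has to be re-issued with a SHA-2 signature first.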
Note:
OVF library items that already existed in the Content Library Service (CLS) before the upgrade are not affected by this, because CLS does not store the certificate and manifest with OVF/OVA library items.