How to re-sign OVA/OVF signed by SHA1 certs with SHA256



Article ID: 316381


Products: VMware vSphere ESXi, VMware vCenter Server

Issue/Introduction

Symptoms:
While importing a SHA1-signed OVF/OVA into the content library, or deploying one, the UI displays the message 'The certificate is not trusted' because the certificate chain cannot be validated.

To avoid this message, the certificate chain must be added to the VECS Trusted Store. However, adding the SHA1 root certificate to the VECS store from the CLI fails with the error below:

# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /ovf_test.cert --login '{USERNAME}' --password '{PASSWORD}' --chain
where [email protected] is the USERNAME and PASSWORD is the password for that user.

Certificate with subject 'C=US, ST=test, L=test, O=test, OU=test, CN=test/emailAddress=test' uses unsafe digest algorithm
dir-cli failed. Error 90022: Certificate's signature algorithm is weak


Cause

This happens because vCenter Server (VC) and ESXi no longer support SHA1 starting with vSphere 8.0. Additionally, an upgrade to vSphere 8.x is not allowed if a SHA1 certificate is found on VC or ESXi.

Resolution

Sign the OVF/OVA with a SHA256 certificate and then add the SHA256 certificate chain to the VECS Trusted Store.


1. Generate a SHA256 intermediate CSR.
The openssl.cnf is present inside /System/Library/OpenSSL; the command below expects a copy in the current directory.

openssl req -sha256 -new -nodes -keyout intercakey.pem -out intercareq.pem -config ./openssl.cnf

2. Sign the intermediate CSR generated above with the SHA256 root certificate.
openssl x509 -sha256 -req -in intercareq.pem -CA <path-to-sha256-root.cert> -CAkey <path-to-CAKey.key> -days 3650 -CAcreateserial -out intercacert.pem

3. Combine the intermediate key and certificate into one PEM file.
cat intercakey.pem intercacert.pem > sha256cert.pem

4. Check the certificate information (confirm the Signature Algorithm line shows sha256WithRSAEncryption).
openssl x509 -in sha256cert.pem -text -noout

5. Use the signed intermediate certificate PEM file and ovftool to sign the OVF package.
ovftool --shaAlgorithm=sha256 --privateKey=./sha256cert.pem <source OVF/OVA file> <output OVF/OVA file>
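
As an added pre-check that is not part of this article or of any VMware tool, the following stdlib-only Python script reads a PEM bundle such as the combined sha256cert.pem from step 3, skips the PRIVATE KEY block, walks the outer DER structure of each CERTIFICATE block and reports any certificate whose signatureAlgorithm is a SHA1 variant (the "weak" algorithm that dir-cli rejects with error 90022). The sample bundle, the skeleton certificates and the function names are constructed for this example.

```python
import base64
import re

# Outer signatureAlgorithm OIDs that dir-cli treats as a weak digest algorithm.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE {tbs, algId, sig}."""
    _, cert, _ = _tlv(der, 0)
    _, _, after_tbs = _tlv(cert, 0)         # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, after_tbs)    # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    _, oid, _ = _tlv(alg_id, 0)
    return _decode_oid(oid)

def cert_algorithms(pem_text):
    """Signature OIDs of each CERTIFICATE block in order; other PEM blocks are ignored."""
    return [signature_algorithm(base64.b64decode("".join(m.group(1).split())))
            for m in PEM_CERT.finditer(pem_text)]

def weak_certs(pem_text):
    """(index, algorithm name) for every certificate dir-cli would refuse to publish."""
    return [(i, WEAK_SIG_OIDS[oid])
            for i, oid in enumerate(cert_algorithms(pem_text)) if oid in WEAK_SIG_OIDS]

def skeleton_cert(sig_oid_content):
    """Constructed stand-in, not a valid X.509 cert: empty tbsCertificate, real
    AlgorithmIdentifier layout, empty signature. Enough for the outer-structure walk above."""
    alg = b"\x06" + bytes([len(sig_oid_content)]) + sig_oid_content + b"\x05\x00"
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
# Constructed bundle shaped like step 3's sha256cert.pem (key + intermediate), with an old
# SHA1-signed root appended so the check has something to flag.
SAMPLE_BUNDLE = ("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
                 + skeleton_cert(SHA256_RSA) + skeleton_cert(SHA1_RSA))
```

Run weak_certs() on the real bundle before the dir-cli publish step; an empty list means no certificate in the chain carries a SHA1 signature.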

Note:
OVF items that already existed in the Content Library Service (CLS) before the upgrade are not affected by this, because CLS does not store the certificate and manifest with OVF/OVA library items.