Importing OVF fails in FIPS mode if the signing key is shorter than 1024 bits

Article ID: 320999

Products

VMware vSphere ESXi

Issue/Introduction

This article explains why signed OVF packages can no longer be imported in vSphere when FIPS mode is enabled and the signing key is too short.

Symptoms:
In FIPS mode, if the signing key is shorter than 1024 bits, you experience these symptoms:
  • Import of the OVF fails.
  • You see an error similar to:

    The import of library item 26b6519f-aa70-4fd8-94ad-6e9fbb152522 has failed. Reason: Attempt to use RSA key with non-approved size: 512: RSA.


Environment

VMware vSphere 7.0.x

Cause

This issue occurs due to new security restrictions from the FIPS policy.

Resolution

This is expected behavior starting in vSphere 7.0 Update 2 when deployed in FIPS mode.

Note: This is not a bug, as this is a new requirement in FIPS mode.

Workaround:
To work around this issue, re-sign the OVF template using a 1024-bit signing key.
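
A pre-import check for the condition described above, as an added example that is not part of the original article or of VMware tooling: it reads the RSA key size of an OVF signing certificate with `openssl` and flags keys below 1024 bits. The `.cert` file name, the script name and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not VMware code): report the RSA key size of an OVF signing
# certificate before import. Assumes the package's .cert file holds a PEM cert.

MIN_BITS=1024   # minimum size named in this article

# Read `openssl x509 -noout -text` output on stdin; print the RSA modulus size.
# Handles both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)" spellings,
# and prints nothing for non-RSA keys.
rsa_bits_from_text() {
    awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1 }
         rsa && /Public-Key: \([0-9]+ bit\)/ {
             gsub(/[^0-9]/, ""); print; exit
         }'
}

# Exit status: 0 = size acceptable, 1 = too short, 2 = no RSA size found.
check_bits() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge "$MIN_BITS" ]
}

# Check one certificate file and print a verdict line.
check_cert_file() {
    cert_bits=$(openssl x509 -in "$1" -noout -text 2>/dev/null | rsa_bits_from_text)
    check_bits "$cert_bits" && cert_rc=0 || cert_rc=$?
    case "$cert_rc" in
        0) echo "$1: RSA $cert_bits bits, OK" ;;
        1) echo "$1: RSA $cert_bits bits, below $MIN_BITS, re-sign before import" ;;
        *) echo "$1: no RSA public key size found" ;;
    esac
    return "$cert_rc"
}

# Usage: sh check_ovf_cert.sh appliance.cert [more.cert ...]
for cert_file in "$@"; do
    check_cert_file "$cert_file" || :
done
```

For an OVA, extract the archive first so the `.cert` file is available on disk.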