This document provides steps to make an OVA/OVF package trusted in vCenter Server versions 7.0 U2 and above.
Symptoms:
VMware vCenter Server 7.0.x
Prior to vCenter 7.0 U2, there was minimal certificate verification done on OVA/OVF packages.
Starting with 7.0 U2, OVF signing certificates are checked for expiry and validity, and for whether the signing certificate is trusted. This means that the entire chain of the signing certificate should be trusted against the VECS store.
To avoid this warning, add the signing certificate's chain to the VECS store by following these steps.
1. Get the OVF/OVA signing certificate's chain (root CA and intermediate certificates, if any). You can use any certificate chain resolver to find the missing certificates from the chain.
2. Add the intermediate and root certificates to the VECS store.
   a. Log in to vCenter as administrator.
   b. From the drop-down menu, select Administration -> Certificates -> Certificate Management.
   c. Click "ADD" next to Trusted Root Certificates.
   d. Browse and select the certificate(s) found in step 1.
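For step 1, it helps to know which certificates the package already carries and which issuers are missing. The following is an added example, not part of the original article or VMware tooling. It assumes the OVA is a tar archive whose `.cert` file holds the manifest signature followed by PEM certificates, and the function names are hypothetical. It compares issuer and subject names by their raw DER bytes and does not verify signatures or query VECS.

```python
import base64, hashlib, re, tarfile

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER (issuer, subject) Name fields of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate SEQUENCE
    fields = []                             # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def certs_in_ova(fileobj):
    """Yield each DER certificate found in the package's .cert file."""
    with tarfile.open(fileobj=fileobj) as tar:
        for member in tar:
            if member.isfile() and member.name.lower().endswith(".cert"):
                data = tar.extractfile(member).read()
                for b64 in PEM_RE.findall(data):
                    yield base64.b64decode(b64)

def chain_report(ders):
    """Per certificate: fingerprint, self-issued flag, and whether its issuer is in the package."""
    subjects = {issuer_subject(d)[1] for d in ders}
    return [{
        "sha256": hashlib.sha256(d).hexdigest(),
        "self_issued": issuer_subject(d)[0] == issuer_subject(d)[1],
        "issuer_in_package": issuer_subject(d)[0] in subjects,
    } for d in ders]

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:      # path to the .ova file
        for row in chain_report(list(certs_in_ova(f))):
            print(row)
```

A row with `issuer_in_package` set to False marks a certificate whose issuing CA must be obtained separately in step 1; every intermediate and root in the chain still has to be added in step 2.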
To ignore the warning, click "Ignore" next to the warning "The certificate is not trusted".
For NSX deployment failures with this error, see "The OVF package contains advanced configuration options, which might pose a security risk" with "The Certificate is Expired" error for NSX Edge or Manager OVF deployment.