Deploying OVA shows "Invalid Certificate" on vCenter 7.0U2, but shows "Trusted certificate" in older versions



Article ID: 336085


Updated On:

Products

VMware vCenter Server

Issue/Introduction

This document provides steps to make an OVA/OVF package trusted in vCenter Server versions 7.0U2 and above.

Symptoms:
  • When importing an OVA/OVF into vCenter 7.0U2 or a higher version, the "Deploy OVF Template" wizard shows the publisher certificate as "invalid" or "not trusted". The same package, when imported into an older version of vCenter Server, shows "Trusted".
  • In the review details screen while deploying the OVF/OVA template, you see an error similar to:
Error: "The Certificate is not trusted".
  • In cls.log, you see entries similar to:
CertPathBuilderException while validating certificate chain
java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.


Environment

VMware vCenter Server 7.0.x

Cause

Prior to vCenter 7.0 U2, only minimal certificate verification was done on OVA/OVF packages.
Starting with 7.0 U2, the OVF signing certificate is verified for expiry and validity, and it is checked whether the signing certificate is trusted. This means that the entire chain of the signing certificate must be trusted against the VECS store: if any issuer in the chain (intermediate or root) is missing from the store, the package is reported as not trusted.

Resolution

To avoid this warning, add the signing certificate's chain (root and intermediate certificates) to the VECS store by following these steps.

1. Get the OVF/OVA signing certificate's chain (root CA and intermediate certificates, if any). You can use any certificate chain resolver to find the certificates missing from the chain.
2. Add the intermediate and root certificates to the VECS store.
    a. Log in to vCenter as administrator.
    b. From the drop-down menu, select Administration -> Certificates -> Certificate Management.
    c. Click "ADD" next to Trusted Root Certificates.
    d. Browse to and select the certificate(s) found in step 1.
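
The following shell script is an added example (not VMware's code) that reproduces, with openssl, the chain check vCenter 7.0U2 applies to the package's signing certificate: it pulls the signer certificate out of the package's .cert file, shows where a chain resolver would look for the missing issuer, and verifies the chain against a PEM bundle that stands in for the VECS trusted roots store. The function names and the file layout are assumptions.

```shell
#!/bin/sh
# Added example, not VMware's code: reproduce the signing-certificate chain
# check vCenter 7.0U2 applies to an OVF/OVA package, using openssl. A PEM
# bundle stands in for the VECS TRUSTED_ROOTS store.

# Pull the signer's PEM certificate(s) out of the package's .cert file, which
# holds the signed manifest digest followed by the certificate.
#   $1 = path to <package>.cert (extract it from the OVA tar first), $2 = output PEM
extract_signer_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$2"
}

# Show subject, issuer, expiry and (if present) the Authority Information Access
# extension, whose "CA Issuers" URL is where a chain resolver fetches the
# missing issuer certificate from.   $1 = PEM certificate
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
    openssl x509 -in "$1" -noout -ext authorityInfoAccess 2>/dev/null || true
}

# Return 0 when the signer chains to the trust bundle and the whole chain is
# valid (expiry included), non-zero otherwise. A missing intermediate fails
# here just as it does in cls.log ("No issuer certificate ... found").
#   $1 = signer PEM, $2 = trust bundle PEM (root plus intermediates)
chain_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone usage: sh ovf_chain_check.sh <package>.cert trusted_roots.pem
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp)
    extract_signer_cert "$1" "$tmp"
    describe_cert "$tmp"
    if chain_trusted "$tmp" "$2"; then
        echo "Trusted: signer chains to the supplied trust store"
    else
        echo "Not trusted: add the missing intermediate/root certificates to the store"
        openssl verify -CAfile "$2" "$tmp" 2>&1 | tail -n 2
    fi
    rm -f "$tmp"
fi
```

Adding only the root to the bundle reproduces the KB symptom when the publisher's intermediate is absent; adding root and intermediate together, as in step 2, makes the same signer verify.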

To ignore the warning instead, click "Ignore" next to the warning "The certificate is not trusted".