Importing the OVF package fails with the error: Server not trusted: certificate_unknown(46).


Article ID: 400932


Products

VMware vSphere ESXi

VMware vCenter Server

Issue/Introduction

  • Importing the OVF package fails with the error:
     Server not trusted: certificate_unknown(46)
  • On the vCenter Server, entries similar to the following appear in the log file /var/log/vmware/content-library/cls.log:
    | ERROR    | null  | transferService-http-582f1298df53e6e6892877b49f944dce-xxxx-va-support.vmdk-upload | HttpClientEndpointImpl | Transfer session 582f1298df53e6e6892877b49f944dce: Server not trusted: certificate_unknown(46) org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
    Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
    Caused by: java.security.cert.CertPathValidatorException: Certificate doesn't support 'digitalSignature' KeyUsage

Environment

VMware vSphere ESXi 6.x / 7.x / 8.x

VMware vCenter Server 6.x / 7.x / 8.x

Cause

The error occurs because the ESXi host certificate does not include the digitalSignature usage in its KeyUsage field. Without it, the certificate fails validation during the SSL/TLS handshake that the OVF import requires, as the CertPathValidatorException in the log shows.

Resolution

Regenerate the CSR for the ESXi host and ensure that the KeyUsage field includes the following:

  • digitalSignature

  • keyEncipherment

Refer to: Generate Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom Certificates)
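
To confirm the cause before regenerating the certificate, or to verify the replacement afterwards, the following added example (not part of the original article and not VMware tooling) decodes the KeyUsage extension from DER data and reports which of the two usages listed above are missing. The sample bytes are constructed bare extensions rather than full certificates, and the function names and the host name esxi01.example.test are assumptions made for illustration.

```python
import ssl

# DER bytes of the KeyUsage extension OID 2.5.29.15 (tag 06, length 03).
KEY_USAGE_OID = bytes.fromhex("0603551d0f")
# RFC 5280 KeyUsage flag names, bit 0 first.
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign",
             "cRLSign", "encipherOnly", "decipherOnly"]
REQUIRED = {"digitalSignature", "keyEncipherment"}  # listed under Resolution

# Constructed samples: a bare KeyUsage extension, not a full certificate.
EXT_KEY_ENCIPHERMENT_ONLY = bytes.fromhex("300e0603551d0f0101ff040403020520")
EXT_BOTH_USAGES = bytes.fromhex("300e0603551d0f0101ff0404030205a0")


def key_usages(der: bytes):
    """Return the set of KeyUsage flags in DER data, or None if there is no extension.

    Simplification: finds the extension by scanning for its OID instead of
    walking the whole certificate structure.
    """
    pos = der.find(KEY_USAGE_OID)
    if pos < 0:
        return None
    pos += len(KEY_USAGE_OID)
    if der[pos] == 0x01:                 # optional BOOLEAN "critical"
        pos += 2 + der[pos + 1]
    if der[pos] != 0x04 or der[pos + 2] != 0x03:
        raise ValueError("unexpected KeyUsage encoding")
    pos += 2                             # now at the BIT STRING tag
    bits = der[pos + 3: pos + 2 + der[pos + 1]]  # skip tag, length, unused-bits byte
    return {name for i, name in enumerate(BIT_NAMES)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))}


def missing_usages(der: bytes) -> set:
    """KeyUsage values from the Resolution section that the data lacks."""
    usages = key_usages(der)
    # An absent KeyUsage extension places no restriction on usage (RFC 5280).
    return set() if usages is None else REQUIRED - usages


def host_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch a host's certificate without validating it (it is under test)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    # On a live host, pass host_cert_der("esxi01.example.test") instead.
    for label, der in [("keyEncipherment only", EXT_KEY_ENCIPHERMENT_ONLY),
                       ("both usages", EXT_BOTH_USAGES)]:
        print(label, "-> missing:", sorted(missing_usages(der)) or "none")
```

A non-empty result from missing_usages that contains digitalSignature corresponds to the CertPathValidatorException shown in cls.log.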

Additional Information