"The OVF package contains advanced configuration options, which might pose a security risk" with "The Certificate is Expired" error for NSX Edge or Manager OVF deployment
search cancel

"The OVF package contains advanced configuration options, which might pose a security risk" with "The Certificate is Expired" error for NSX Edge or Manager OVF deployment

book

Article ID: 424036

calendar_today

Updated On:

Products

VMware NSX VMware vCenter Server

Issue/Introduction

  • On the vSphere Client, Deploy OVF Template for an NSX Edge, autonomous Edge or NSX Manager fails with

    The OVF package contains advanced configuration options, which might pose a security risk. Review the advanced configuration options below. Click next to accept the advanced configuration options.
  • An additional error is also see on the vSphere Client

    On vSphere 8 and 9:  "The Certificate is Expired"
    On vSphere 7: "The Certificate is not trusted"

  • This issue may be encountered for scenarios that involve an NSX appliance OVF deployment e.g. NSX restore, appliance resizing etc.

Environment

VMware NSX Edge 3.x, 4.x, 9.x
VMware NSX Manager 3.x, 4.0.x
VMware vCenter 7.x, 8.x, 9.x

Cause

The Signing Certificate used for signing the Edge/Manager OVF during the build process expired on January 3, 2026. As a result the new Edge or Manager install using VC Deployment/OVF Tool will fail.

Resolution

This is a known issue impacting VMware NSX.

For NSX Edge, all NSX versions are impacted.
For NSX Manager, NSX versions 3.x and 4.0.x are impacted.

vSphere Client deployments
To workaround this issue on the vSphere Client, click "Ignore" to acknowledge the warning.
Deploy OVF wizard will continue and the NSX appliance deployment using vCenter UI will complete successfully.


ovftool deployments
If ovftool is used for deployment, an additional flag can be passed to bypass the certificate validation. 
ovftool option "--disableVerification" needs to be used while deploying the appliance to skip certificate validation

Sample command:

ovftool --acceptAllEulas --disableVerification --allowExtraConfig --allowAllExtraConfig --deploymentOption=small --noSSLVerify --name=auto-edge1 --datastore=Datastore1 --diskMode=thin --net:Network0=VMNetwork --net:Network1=NoUplinkPG1 --net:Network2=NoUplinkPG2 --net:Network3=NoUplinkPG3 --net:Network4=NoUplinkPG4 --prop:nsx_isSSHEnabled=True --prop:nsx_allowSSHRootLogin=True --prop:nsx_hostname=auto-edge1 --prop:nsx_cli_passwd_0=<Password>  --prop:nsx_passwd_0=<Password>--prop:is_autonomous_edge=True --powerOn http://<link to OVF URL>/nsx-<Version>.ovf

Powered by Wolken Software