"The OVF package contains advanced configuration options, which might pose a security risk" with "The Certificate is Expired" error for NSX Edge or Manager OVF deployment

Article ID: 424036

Updated On:

Products

VMware NSX, VMware vCenter Server

Issue/Introduction

  • On the vSphere Client, Deploy OVF Template for an NSX Edge, autonomous Edge or NSX Manager fails with:
    • The OVF package contains advanced configuration options, which might pose a security risk. Review the advanced configuration options below. Click next to accept the advanced configuration options.
  • An additional error is also seen on the vSphere Client:
    • On vSphere 8 and 9: "The Certificate is Expired"
    • On vSphere 7: "The Certificate is not trusted"

  • The Publisher field shows "VMware, Inc. (Invalid certificate)"
  • This issue may be encountered in any scenario that involves an NSX appliance OVF deployment, for example NSX restore or appliance resizing.

Environment

  • VMware NSX Edge 3.x, 4.x, 9.0.0, 9.0.1
  • VMware NSX Manager 3.x, 4.0.x

Cause

The certificate used to sign the Edge/Manager OVF during the build process expired on January 3, 2026. As a result, new Edge or Manager installs through vCenter deployment or OVF Tool fail.

Resolution

  • For NSX Edge deployments, NSX versions 3.x, 4.x, 9.0.0, 9.0.1 are impacted.
    It is resolved in NSX 4.2.3.3 available at Broadcom NSX downloads and VCF 9.0.2 available at Broadcom VCF downloads.
  • For NSX Manager deployments, NSX versions 3.x and 4.0.x are impacted. It is resolved from NSX 4.1.0 onward.

vSphere Client deployments
To work around this issue on the vSphere Client, click "Ignore" to acknowledge the warning.
The Deploy OVF wizard then continues, and the NSX appliance deployment through the vCenter UI completes successfully.

ovftool deployments
If ovftool is used for deployment, pass the "--disableVerification" option when deploying the appliance to skip certificate validation.

Sample command:

ovftool --acceptAllEulas --disableVerification --allowExtraConfig --allowAllExtraConfig --deploymentOption=small --noSSLVerify --name=auto-edge1 --datastore=Datastore1 --diskMode=thin --net:Network0=VMNetwork --net:Network1=NoUplinkPG1 --net:Network2=NoUplinkPG2 --net:Network3=NoUplinkPG3 --net:Network4=NoUplinkPG4 --prop:nsx_isSSHEnabled=True --prop:nsx_allowSSHRootLogin=True --prop:nsx_hostname=auto-edge1 --prop:nsx_cli_passwd_0=<Password> --prop:nsx_passwd_0=<Password> --prop:is_autonomous_edge=True --powerOn http://<link to OVF URL>/nsx-<Version>.ovf
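
With certificate validation skipped, the digests recorded in the package's manifest (.mf) file can still be checked by hand before deploying. The script below is an added example, not part of the original article and not Broadcom code: it recomputes the manifest digests for a locally downloaded package, assuming GNU coreutils (`sha256sum` and friends); the `sample-edge` file names and contents are constructed placeholders.

```shell
#!/bin/sh
# Added example (not vendor code): check every file named in an OVF manifest (.mf)
# against its recorded digest. Manifest line format: ALGO(filename)= hexdigest

verify_ovf_manifest() (
    mf=$1; rc=0; seen=0
    [ -r "$mf" ] || { echo "cannot read manifest: $mf" >&2; return 2; }
    dir=$(dirname -- "$mf")
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF manifests
        [ -n "$line" ] || continue
        algo=${line%%\(*}; rest=${line#*\(}
        file=${rest%%\)=*}; want=${rest#*\)=}
        want=$(printf '%s' "$want" | tr -d ' \t' | tr 'A-F' 'a-f')
        case $algo in
            SHA1) tool=sha1sum ;; SHA256) tool=sha256sum ;; SHA512) tool=sha512sum ;;
            *) echo "UNPARSED  $line"; rc=1; continue ;;
        esac
        # Entries must name files inside the package directory itself.
        case $file in
            ""|*/*) echo "REJECTED  $file"; rc=1; continue ;;
        esac
        seen=$((seen + 1))
        [ -f "$dir/$file" ] || { echo "MISSING   $file"; rc=1; continue; }
        got=$("$tool" "$dir/$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then echo "OK        $file"
        else echo "MISMATCH  $file"; rc=1; fi
    done < "$mf"
    [ "$seen" -gt 0 ] || { echo "no digest entries in $mf"; return 1; }
    return "$rc"
)

# Constructed sample package (placeholder names and contents, not a real NSX OVF).
make_sample_package() {
    d=$(mktemp -d)
    printf '<Envelope/>\n' > "$d/sample-edge.ovf"
    printf 'disk-bytes\n'  > "$d/sample-edge-disk1.vmdk"
    for f in sample-edge.ovf sample-edge-disk1.vmdk; do
        printf 'SHA256(%s)= %s\n' "$f" "$(sha256sum "$d/$f" | cut -d' ' -f1)"
    done > "$d/sample-edge.mf"
    echo "$d"
}

pkg=$(make_sample_package)
verify_ovf_manifest "$pkg/sample-edge.mf" && echo "manifest digests match"
printf 'tampered\n' >> "$pkg/sample-edge-disk1.vmdk"   # simulate a modified disk
verify_ovf_manifest "$pkg/sample-edge.mf" || echo "do not deploy: digest mismatch"
rm -rf "$pkg"
```

Matching digests show only that the files agree with the manifest shipped beside them; with the signature check skipped, also compare the download against a checksum obtained from a trusted source.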