1. 1. Does OVFTOOL support RSA 2K encrypted signatures?
2. 2. Is it possible to make the ovftool signing a two pass operation?

a>  Pass 1: Complete everything up to computing hash, and give the hash output

b>  Pass 2: We provide the signature and public key as X509 certs, and ovftool generate the final image

1. 3. If ovftool cannot be run in two passes as explained above, what options you would suggest to integrate with an external crypto engine running on a different secure server.