8 Replies Latest reply on Jul 30, 2018 11:20 PM by jawei

    Could not read the OVF package certificate

    jawei Lurker

      I have successfully signed the OVF package with ovftool 4.2. The certificate was signed by a Root CA.

       

      Now the problem is that vSphere Web Client runs into the following error during Deploy OVF Template.

       

      Any help is greatly appreciated.

       

      Screen Shot 2018-07-27 at 11.45.36 PM.png

        • 1. Re: Could not read the OVF package certificate
          SupreetK Master
          vExpert

          Can you check and share the below details?

           

          1) What is it that you are trying to deploy?

          2) What is the version of the ESXi host? If it is above 6.5 U1, try to deploy the OVF using the host client. If it is below 6.5 U1, try using the good old fat client.

          3) If nothing works, you can use the OVF tool to deploy it from the command line. Detailed steps listed in the below blog -

           

          https://cstan.io/?p=8972&lang=en

           

          Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

           

          Cheers,

          Supreet

          • 2. Re: Could not read the OVF package certificate
            jawei Lurker

            1) I am trying to deploy a signed OVF that was created with ovftool on Ubuntu as follows:

             

            administrator@csm-sj-alpha:~/ova/ubuntu/tmp$ ovftool --privateKey=csm-sj-alpha.cisco.com-26121.pem Ubuntu1642_CSM351.ovf signed-csm351.ovf
            Opening OVF source: Ubuntu1642_CSM351.ovf
            The manifest validates
            Opening OVF target: signed-csm351.ovf
            Writing OVF package: signed-csm351.ovf
            Transfer Completed
            Completed successfully
            administrator@csm-sj-alpha:~/ova/ubuntu/tmp$ ls -tl
            total 7098420
            -rw-r--r-- 1 administrator administrator       3429 Jul 28 16:59 signed-csm351.cert
            -rw-r--r-- 1 administrator administrator        191 Jul 28 16:59 signed-csm351.mf
            -rw-r--r-- 1 administrator administrator 3634351104 Jul 28 16:59 signed-csm351-disk1.vmdk
            -rw-r--r-- 1 administrator administrator       9363 Jul 28 16:59 signed-csm351.ovf

             

            where csm-sj-alpha.cisco.com-26121.pem is a concatenation of the private key, certificate, issuing CA and root CA.

             

            2) Both ESXi and vCenter Server Appliance/vSphere Web Client are 5.5

             

            Screen Shot 2018-07-28 at 8.25.19 PM.png

             

            3) There is no error deploying the signed OVF without vSphere Web Client. The error occurs only with vSphere Web Client.

            Is there any installation / configuration of the certificate on vCenter Server Appliance or vSphere Web Client?

             

            If needed I can send you the pem file that is used to sign the OVF by ovftool in a private email.

             

            I really appreciate it!

            • 3. Re: Could not read the OVF package certificate
              SupreetK Master
              vExpert

              Ahh, okay! There were a few similar issues reported with an Avaya appliance that were supposedly fixed in version 6.5. You may want to upgrade to 6.5 and give it a shot. However, since it is working with the thick client, I don't think this is a show stopper.

               


              Cheers,

              Supreet

              • 5. Re: Could not read the OVF package certificate
                msripada Expert
                vExpert

                where csm-sj-alpha.cisco.com-26121.pem is a concatenation of private key, Certificate, Issuing CA and Root CA.

                 

                Pem files should not have the private key.......

                It should be certificate, issuing CA and root CA only

                 

                Thanks,

                MS

                • 6. Re: Could not read the OVF package certificate
                  jawei Lurker

                  Hi Supreet,

                   

                  Yes, I was able to deploy the signed ovf with vSphere Web Client version 6.5. The same signed ovf doesn't work with version 5.5.

                   

                  Screen Shot 2018-07-30 at 10.43.35 PM.png

                  I really appreciate your help!

                   

                  -James

                  • 7. Re: Could not read the OVF package certificate
                    jawei Lurker

                    Hi Diego,

                     

                    Thank you for sharing the link! It does help to solve the problem.

                     

                    There were two issues: (1) the signed ovf is not recognized by version 5.5, and (2) the signed ova deployment in version 6.5 had an error.

                     

                    Following the reply by Adolph1991, I was able to deploy the VM by selecting 3 files (.mf/.ovf/.vmdk), while the ovf is signed.

                     

                    Best,

                     

                    -James

                    • 8. Re: Could not read the OVF package certificate
                      jawei Lurker

                      Hi MS,

                       

                      Thank you for replying!

                       

                      Normally the pem file does not include the private key. In this case, as an input to ovftool, a pem with the private key was required.

                       

                      Best,

                       

                      -James
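
Added example (not part of the thread, and not VMware's or ovftool's code): a Python check a recipient can run before deploying a signed package like the one in reply 2. It recomputes the digests listed in the .mf file and reports whether a .cert or .pem file carries a private key block, which should only ever be true of the signing input discussed in replies 5 and 8, never of the files that ship with the package. The file names and sample contents are constructed, the `ALGO(name)= hex` line shape is assumed from the OVF manifest format, and the signature itself is not verified here.

```python
import hashlib
import re
from pathlib import Path

# Digest line shape assumed for OVF .mf and .cert files: ALGO(name)= hex
ENTRY = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)=\s*([0-9a-fA-F]+)\s*$")
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def check_manifest(mf_path):
    """Map each file named in the manifest to True if its digest matches."""
    mf_path, results = Path(mf_path), {}
    for line in mf_path.read_text().splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        algo, name, expected = m.groups()
        target = mf_path.parent / name
        if not target.is_file():
            results[name] = False  # listed in the manifest but not shipped
            continue
        digest = hashlib.new(algo.lower())
        with open(target, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        results[name] = digest.hexdigest() == expected.lower()
    return results


def inspect_pem(path):
    """Report what a .cert or .pem file carries, without parsing any keys."""
    text = Path(path).read_text()
    signs = [m.group(2) for m in map(ENTRY.match, text.splitlines()) if m]
    kinds = PEM_BEGIN.findall(text)
    return {"signs": signs, "certificates": kinds.count("CERTIFICATE"),
            "private_key": any(k.endswith("PRIVATE KEY") for k in kinds)}


def build_sample(folder):
    """Write a constructed package (not real ovftool output) for a dry run."""
    folder = Path(folder)
    (folder / "pkg.ovf").write_text("<Envelope/>\n")
    (folder / "pkg-disk1.vmdk").write_bytes(b"\x00" * 4096)
    lines = [f"SHA256({n})= {hashlib.sha256((folder / n).read_bytes()).hexdigest()}"
             for n in ("pkg.ovf", "pkg-disk1.vmdk")]
    (folder / "pkg.mf").write_text("\n".join(lines) + "\n")
    pem = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    (folder / "pkg.cert").write_text(f"SHA256(pkg.mf)= {'ab' * 256}\n" + pem * 3)
    return folder
```

Call `build_sample()` on an empty directory for a dry run, then point `check_manifest()` and `inspect_pem()` at a real package's .mf and .cert files.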