Oct 272017

I went to re-deploy some vDP appliances today and noticed a newer version was made available a few months ago (vSphere Data Protection 6.1.5). After downloading the vSphereDataProtection-6.1.5.ova file, I went to deploy it to my vSphere cluster and it failed due to an invalid certificate and a message reading “The OVF package is signed with an invalid certificate”.

I went ahead and downloaded the certificate to see what was wrong with it. While the publisher was valid, the certificate was only valid from September 5th, 2016 to September 7th, 2017, and today was October 27th, 2017. It looks like the guys at VMware should have generated a new cert before releasing it.



To resolve this, you need to repackage the OVA file and skip the certificate using the VMware Open Virtualization Format Tool (ovftool) available at https://code.vmware.com/tool/ovf/4.1.0

Once you download and install this, the executable can be found in your Program Files\VMware\VMware OVF Tool folder.

Open a command prompt and change to the above directory and run the following:

ovftool.exe –skipManifestCheck c:\folder\vSphereDataProtection-6.1.5.ova c:\folder\vdpgood.ova

This command will repackage and remove the certificate from the OVA and save it as the new file named vdpgood.ova above. Afterwards deploy it to your vSphere environment and all should be working!


  8 Responses to “Invalid certificate when deploying vSphere Data Protection 6.1.5 ova file”

  1. Worked great, thanks for the tip!

  2. I wrote too soon. The ovftool.exe example creates a nice VDP ova without the manifest. But, when I try to Deploy OVF Template with vCenter 6.5, I get an error message “Unable to retrieve manifest or certificate.” Do you know of a work-around so vCenter will deploy without a manifest in the vdpgood.ova file?

  3. Hi Kevin,

    Did you use the command exactly as I wrote it in the blog post? It’s not skipping the manifest, but it’s skipping the manifest check.

    ovftool.exe –skipManifestCheck in.ova out.ova


  4. Stephen, thanks for taking the time to respond. Yes, I typed the command exactly. I think the error message from vCenter 6.5 comes because the certificate is no longer in the OVA. Looking inside the new OVA file, I see the manifest is still contained with the SHA1 hashes.

  5. Hi Kevin,

    Are you running the latest version of vSphere (and ESXi)? I remember there being a bug inside of the flash UI on vCenter. I’m wondering if this is causing your issue?

    Seriously, that command should fix the deployment. I’ve used this in 2 instances without issues. But with that being said, I did have OVA deployment issues (unrelated to the vDP ova file), due to the vSphere version I was running. I can’t remember, but I think I had to only update to the latest version (I was only one set of updates behind).


  6. Hi Kevin,

    One other thing too: I’m not sure if you doing this from an SMB network share, but download the file OVF directly to your computer, run the ovftool command (with the skip manifest check) on your system with the output file set on your computer as well (local storage).

    I recall a few times with earlier vDP versions, where that error may have popped up if I was trying to deploy an OVA or OVF from a network share (even though I was uploading it via the web interface from my computer), instead of the local system.


  7. Very thanks! I resolved this issue with your method!

  8. great write-up, it saved me time. Thanks!

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>