Bug ID 1057709: Invalid Certificate for all BIG-IP VE OVA images on vCenter 7.0U2.

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3

Opened: Oct 27, 2021
Severity: 3-Major

Symptoms

When you deploy any BIG-IP VE OVA/OVF image, vCenter 7.0U2 displays an invalid certificate (not trusted) warning message. This is due to enhanced verification of the signing certificate: vCenter checks expiry and other validity properties for the entire chain of the signing certificate against the VECS store (known vCenter issue https://kb.vmware.com/s/article/84240).

Impact

You can ignore the message and continue with the deployment, or add the missing signing certificate(s) to the VECS store.

Conditions

Log in to vCenter 7.0U2, deploy a BIG-IP VE using an OVF template, select the Local File option, upload the OVA template from your local directory, and then follow the prompts to complete the deployment. In the review details section, the "The certificate is not trusted" warning message appears.

Workaround

To avoid this warning, do the following to add the signing certificate to the VECS store:

1. Get the OVF/OVA signing certificate's chain (root CA and intermediate certificates, if any). You can use any certificate chain resolver to find the missing certificates from the chain.
2. Add the intermediate and root certificates to the VECS store:
   a. Log in to vCenter as administrator.
   b. From the drop-down menu, select Administration -> Certificates -> Certificate Management.
   c. Click ADD next to Trusted Roots Certificates.
   d. Browse and select the certificate(s) found in step 1.
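For step 1, the following added example (not F5 or VMware code) pulls the signing certificate(s) out of an OVA so they can be passed to a chain resolver, and prints a SHA-256 fingerprint for each. It assumes the standard OVF package layout, where the OVA is a tar archive whose .cert member holds the manifest signature line followed by PEM certificates; the function name and output file names are hypothetical.

```python
import base64
import hashlib
import re
import tarfile

# Constructed names: read_ova_signing_certs is hypothetical, not a vendor API.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# First line of the .cert member, e.g. "SHA256(image.mf)= <hex signature>"
SIG_RE = re.compile(rb"^(SHA\d+)\((.+?)\)\s*=\s*[0-9a-fA-F]+", re.M)


def read_ova_signing_certs(ova):
    """Return (signature_info, certs) taken from an OVA's .cert member.

    `ova` is a filesystem path or a seekable binary file object.
    """
    kwargs = {"fileobj": ova} if hasattr(ova, "read") else {"name": ova}
    with tarfile.open(mode="r:*", **kwargs) as tar:
        member = next(
            (m for m in tar if m.isfile() and m.name.lower().endswith(".cert")),
            None)
        if member is None:
            raise ValueError("no .cert member: the OVA is not signed")
        blob = tar.extractfile(member).read()

    match = SIG_RE.search(blob)
    signature = None
    if match:
        signature = {"digest": match.group(1).decode(),
                     "signed_file": match.group(2).decode()}

    certs = []
    for body in PEM_RE.findall(blob):
        # Fingerprint the DER bytes, the form certificate tools report.
        der = base64.b64decode(b"".join(body.split()))
        pem = (b"-----BEGIN CERTIFICATE-----" + body +
               b"-----END CERTIFICATE-----\n").decode("ascii")
        certs.append({"sha256": hashlib.sha256(der).hexdigest(), "pem": pem})
    return signature, certs


if __name__ == "__main__":
    import sys
    sig, certs = read_ova_signing_certs(sys.argv[1])
    print("signed manifest:", sig)
    for i, cert in enumerate(certs):
        print(f"cert[{i}] sha256={cert['sha256']}")
        with open(f"ova-signer-{i}.pem", "w") as fh:
            fh.write(cert["pem"])
```

If the output lists only one certificate, the intermediates and root are not bundled in the OVA and have to be resolved separately before step 2.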

Fix Information

None

Behavior Change