NSX OVF Certificate Expiry Issue – January 3, 2026

(Example OVF deployment warning due to expired signing certificate)

On January 3, 2026, an issue was identified in NSX appliance OVF templates related to the signing certificate used during deployment of NSX Manager and Edge appliances. The certificate that signs these OVF packages expired on that date, meaning the OVF signature can no longer be validated during deployment workflows.

What Happens?

When deploying or redeploying NSX Manager or Edge appliances (including resizing, restore-from-backup, scale-out, or greenfield deployments), deployment operations may fail with certificate validation errors. This includes errors such as:

  • “The OVF package contains advanced configuration options… The Certificate is Expired”

  • OVF validation errors in UI, vSphere Client, or via scripting tools
    These errors occur because the OVF manifest signature validation fails due to the expired signing certificate.

What Is Not Affected?

  • Existing, running NSX Manager or Edge components continue to operate normally.

  • Day-to-day management plane functions and data-plane traffic flows are not impacted.

  • Regular NSX upgrades (via NSX UI / SDDC Manager) are not affected by this certificate expiry.

Recommended Workarounds

Broadcom has provided workarounds to bypass the OVF signature validation during deployments:

  1. vSphere Client:
    When prompted about the expired certificate during OVF deployment, choose “Ignore” or accept the signature warning to proceed.

  2. ovftool deployments:
    Use the --disableVerification flag with ovftool to skip certificate validation.

  3. NSX UI deployments:
    For CI/CD or NSX UI initiated deployments, Broadcom KB article ID 424035 provides steps (including scripts) to disable the OVF validation check on NSX Managers; this allows deployments to proceed when the expired certificate would otherwise block them.

Permanent Fix

A permanent resolution will come via updated appliance templates signed with a new long-term certificate as part of future NSX maintenance releases. In the meantime, applying the above workarounds proactively can prevent deployment failures during scale-out or recovery activities.

Reference Links from Broadcom Knowledge Base


Comments

Post a Comment

Popular posts from this blog

My Journey to Becoming a VMware vExpert: Persistence, Passion & People

Image
  I’m thrilled to share that I’ve been recognized as a VMware vExpert in 2025 —a milestone that means a lot to me both personally and professionally. But this wasn’t an overnight success. In fact, it took a few tries, a lot of reflection, and a solid support system to get here. If you're someone working toward this goal, I hope my journey helps you stay motivated. 🚧 The Early Attempts Like many, I applied to the vExpert program a few times in the past—each time with hope, and each time facing the sting of not making the cut. It was disheartening, but also humbling. I realized that passion alone isn’t enough —you need strategy, mentorship, and impact-driven contributions. 🔁 What I Did Differently This Time This year, I changed my approach: Mentorship was key. I reached out to two incredibly generous vExpert Pros & old friends, Arun Nukula and Ravneet Arora , who not only agreed to mentor me but also set up standing meetings to check in on my progress. Their feedba...
Read more

Understanding and Customizing ESXi Password Requirements

VMware ESXi enforces strict password policies for access via the Direct Console User Interface (DCUI) , ESXi Shell , SSH , and the VMware Host Client . These rules are designed to improve security by requiring strong, complex passwords. Default ESXi Password Requirements: Character Classes : Passwords must include at least three of the following four character classes: Lowercase letters Uppercase letters Numbers Special characters (e.g., underscore or dash) Password Length : Must be at least seven characters long and no more than 40 characters . Restrictions : Passwords cannot contain dictionary words or parts of them. Passwords cannot include the username or parts of the username. Customizing ESXi Password Restrictions: You can modify the password rules if the default password policy doesn't meet your organisation's needs. VMware allows you to configure custom password policies to match specific s...
Read more

Understanding the New Broadcom VCF Download Token Process

Broadcom has recently updated the VMware Cloud Foundation (VCF) product download process, introducing a token-based authentication system. This change enhances security and ensures only authorized users can access VCF software downloads. Support Portal 🔄 What's Changing? Previously, VCF product downloads were accessible through public URLs. Now, each customer must use a unique, authenticated download token to access their entitled software. This shift means that download URLs are no longer shared but are specific to each customer's entitlements. Support Portal Support Portal Support Portal+3Support Portal+3Support Portal+3 🛠️ How It Works Generate a Download Token: Log in to the Broadcom Support Portal . Navigate to the "My Dashboard" section. Under "Quick Links," select "Generate Download Token." Choose the appropriate Site ID and click "Generate." Support Porta...
Read more