While browsing the VMTN forums the other day, I just learned that you can sign your own OVF files using VMware's ovftool. To sign your OVF files, you will need the .ovf, .vmdk files and an X.509 certificate. Though not mandatory, you should also have a manifest file that includes a hash of the files to be signed. ovftool will still allow you to sign the OVF files, but a warning will be thrown if the manifest file is not included.
If you export a virtual machine/vApp using the vSphere Client or the ovftool, the manifest file is automatically generated for you and it ends with .mf extension.
If you have some OVF files that you want to sign but do not have the manifest file or somehow lost it, it is actually quite easy to re-create using the openssl utility.
To create the manifest file, run the following command for all files to be signed:
openssl sha1 *.vmdk *.ovf > MyVM.mf
You can use cat utility to view the contents of the manifest file:
To sign your OVF files, run the following command which will include the path to your X.509 certificate and the new signed OVF name:
ovftool --privateKey=ghetto.pem MyVM.ovf MyVM-Signed.ovf
Note: There is no space between --privateKey= and the path to X.509 certifcate, else you may get an odd error message.
If the signing was successful, you should not see any errors:
To view the newly signed OVF files, you can run the following command:
ovftool MyVM-Signed.ovf
You will find that the OVF has been signed under the "Manifest Info" section:
Now when you import the OVF back into your environment using either the vSphere Client or ovftool, you should now see the certificate information:
For more details and examples of using the ovftool, take a look at the user guide here.
alexis says
Could you give detail how you created cert "ghetto.pem" Did you just used cmd: "openssl req -x509 -nodes -sha1 -days 365 -newkey rsa:1024 -keyout ghetto.pem -out ghetto.pem"
Mohammed Salman says
Ovftool does not add an manifest info to the signed ovf file in my case. Also, I do not get an error during the signing process.
What do you think could be wrong?