WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple
You are here: Home / Automation / How to Create Manifest File for OVF Signing

How to Create Manifest File for OVF Signing

01.25.2012 by William Lam // 4 Comments

While browsing the VMTN forums the other day, I just learned that you can sign your own OVF files using VMware's ovftool. To sign your OVF files, you will need the .ovf, .vmdk files and an X.509 certificate. Though not mandatory, you should also have a manifest file that includes a hash of the files to be signed. ovftool will still allow you to sign the OVF files, but a warning will be thrown if the manifest file is not included.

If you export a virtual machine/vApp using the vSphere Client or the ovftool, the manifest file is automatically generated for you and it ends with .mf extension.

If you have some OVF files that you want to sign but do not have the manifest file or somehow lost it, it is actually quite easy to re-create using the openssl utility.

To create the manifest file, run the following command for all files to be signed:

openssl sha1 *.vmdk *.ovf > MyVM.mf

You can use cat utility to view the contents of the manifest file:

To sign your OVF files, run the following command which will include the path to your X.509 certificate and the new signed OVF name:

ovftool --privateKey=ghetto.pem MyVM.ovf MyVM-Signed.ovf

Note: There is no space between --privateKey= and the path to X.509 certifcate, else you may get an odd error message.

If the signing was successful, you should not see any errors:

To view the newly signed OVF files, you can run the following command:

ovftool MyVM-Signed.ovf

You will find that the OVF has been signed under the "Manifest Info" section:

Now when you import the OVF back into your environment using either the vSphere Client or ovftool, you should now see the certificate information:

For more details and examples of using the ovftool, take a look at the user guide here.

More from my site

  • Quick Tip - How to deploy vCenter Server Appliance (VCSA) to legacy CPU without VMX Unrestricted Guest feature?
  • Quick Tip - Easily move or copy VMs between two Free ESXi hosts?
  • Quick Tip - Encoding special characters for OVFTool on the command-line
  • Quick Tip - How to deploy OVF/OVA to multiple networks using OVFTool?
  • OVFTool 4.4.1 - Upload OVF/OVA from URL using upcoming "pull" mechanism

Categories // Automation, OVFTool Tags // manifest file, ovftool

Comments

  1. *protectedalexis says

    11/28/2016 at 3:34 am

    Could you give detail how you created cert "ghetto.pem" Did you just used cmd: "openssl req -x509 -nodes -sha1 -days 365 -newkey rsa:1024 -keyout ghetto.pem -out ghetto.pem"

    Reply
  2. *protectedMohammed Salman says

    07/20/2017 at 3:57 pm

    Ovftool does not add an manifest info to the signed ovf file in my case. Also, I do not get an error during the signing process.
    What do you think could be wrong?

    Reply

Trackbacks

  1. Creating an OVA | pmsApp says:
    10/17/2015 at 11:40 am

    […] vmware's ovftool, but it wants a .mf file to ensure that the files are not corrupted. I found this article, explaining how to create the .mf […]

    Reply
  2. VMWARE VCENTER6.5将虚拟机导出到OVF无法导出清单文件(.mf)报错1009的解决办法 | 秩序博客 says:
    04/25/2020 at 6:05 am

    […] 要临时解决这个问题,可以参考这个链接:https://www.williamlam.com/2012/01/how-to-create-manifest-file-for-ovf.html […]

    Reply

Thanks for the comment!Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025
  • vCenter Identity Federation with Authelia 04/16/2025
  • vCenter Server Identity Federation with Kanidm 04/10/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025