I was working on VirtualBox VMs to publish as virtual appliances (.OVA files). When I was testing the import into VirtualBox, I found that there was a warning message that the appliance is not signed:
I was able to muddle through a work-around. The workaround involves getting a tool from VMWare (ovftool.exe), which seems a bit strange. It allows the import of the OVA, showing the certificate and marking it as 'safe'. It still has a couple of issues. One is an annoying warning message issued while creating the signed file, for which I was unable to find a cure. The other is that it does not seem to contact a time server to timestamp the file. Presumably that means that when the signing certificate expires, you get warnings again when loading.
I would still like to know how you are supposed to do it properly according to Oracle. Surely Oracle is not using VMWare's software to sign their Virtual Appliances.
This is my journey under Windows 10. At the end, I have publishable appliance.
- You need a virtual appliance (*.ova)
- You need a signing certificate.
- You need to have OpenSSL installed.
- You need the program ovftool.exe from VMWare
To get the .ova file, you need to export one of your VMs as a virtual appliance:
Open the export virtual appliance dialog:
File->Export Appliance [Alternatively <CTRL>E]
Choose the virtual machine to export. Fill in whatever Virtual system settings apply (in my case, just the name)
For appliance settings, set the Format to Open Virtualization Format 1.0
The 'Write Manifest file' checkbox should be checked.
Click on the <Export> button to write file.
The signing certificate should have been installed in the certificate store. How this is done depends on your certificate provider.
To get the signing certificate in a usable form, you have to jump through a few hoops to get a .pem file.
Open the Certificate Manager:
Open Personal->Certificates and right-click on your signing certificate
Open the All tasks menu and choose Export
This should open the Certificate Export Wizard
Choose Yes, export the private key
Choose Personal Information Exchange - PKCS (.PFX)
Check include all certificates in the certification path
Check Export all extended properties
Check Enable certificate privacy
Check the Password checkbox and enter and confirm a password [using "IMPPass" in this example]
Change the Encryption dropdown to AES256-SHA256
Assign the filename and path for the exported certificate. In this example I called it 'MyCert'. Note that you don't put the file extension on the name here. It is added by the Certificate Export Wizard. You should save it on the path where your OVA file was saved.
Review settings and Click <Finish>
It should pop up a message box saying the export was successful. Dismiss that.
The next steps are done on the console, so open a console window. Change to the directory where you have saved your OVA and PFX files.
You now need to convert the certificate to a form that can be used (.pem). To do this, you need to use OpenSSL. Here is the form of the command:
openssl pkcs12 -in MyCert.pfx -out MyCert.pem
Respond to the prompts for Import Password and PEM pass phrase
Enter Import Password: IMPPass
Enter PEM pass phrase: PEMPass
Verifying - Enter PEM pass phrase: PEMPass
Finally, you can sign the exported OVA with ovftool with a command like this:
ovftool --privateKey=MyCert.pem --shaAlgorithm=SHA1 DamnSmall.ova DSL.ova
Opening OVA source: DamnSmall.ova
Opening OVA target: DSL.ova
Writing OVA package: DSL.ova
The manifest validates
Enter passphrase for MyCert.pem: PEMPass
- No supported manifest(sha1, sha256, sha512) entry found for: 'DamnSmall-disk001.vmdk'.Completed successfully