Just a quick one today. I was replacing a certificate for a customer’s VCSA today with one from their internal CA when I hit the error “Sequence Wrong Size for a Certificate”. To clarify, I had generated a CSR from the VCSA, requested the certificate from the CA, downloaded this and the certificate chain as base64, then tried to complete the import.
When Active Directory Certificate Services generates the certificate chain, it creates a .p7b file, and whilst vCenter will attempt to process this file, it can contain extra information, even when the certificate chain is a single certificate (the certificate authority). This is because the certificate chain will include the newly requested certificate in addition to the actual intermediate/root CAs.
This isn’t clear when you review the file within a text editor, as you only see a single -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, instead of each certificate being separated by these markers.
To get around this, either download the .p7b (certificate chain) and then save the certificates out manually and import them as such within vCenter, or just choose “Download certificate” (as Base64 encoded) and then save a copy of the CA from your existing “Trusted Root Certificate Authorities” repository, also as Base64 encoded.
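Because the markers look the same either way, the reliable check is the ASN.1 structure underneath them. The following is an added example, not part of the original post: it decodes each PEM block and reports whether it is really a single X.509 certificate or a PKCS#7 bundle. The function names are hypothetical and the two sample inputs are constructed skeletons, not real certificates.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_header(der, pos=0):
    """Return (tag, content_start) for the ASN.1 element at pos."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                       # short-form length: one length byte
        return tag, pos + 2
    return tag, pos + 2 + (first & 0x7F)   # long form: skip the length bytes

def classify_der(der):
    """Classify by outer ASN.1 shape, ignoring what the PEM label claims."""
    if len(der) < 4:
        return "unknown"
    tag, start = read_header(der)
    if tag != 0x30:                        # both formats start with a SEQUENCE
        return "unknown"
    if der[start:start + len(SIGNED_DATA_OID)] == SIGNED_DATA_OID:
        return "pkcs7-bundle"              # ContentInfo: first member is the OID
    if der[start:start + 1] == b"\x30":
        return "x509-certificate"          # Certificate: first member is tbsCertificate
    return "unknown"

def classify_pem(text):
    """Return [(pem_label, actual_type)] for every PEM block in text."""
    return [(label, classify_der(base64.b64decode("".join(body.split()))))
            for label, body in PEM_BLOCK.findall(text)]

def make_pem(der):
    """Wrap DER bytes in CERTIFICATE markers, as the Base64 download does."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed skeletons: outer structure only, not real certificates.
FAKE_CERT = bytes.fromhex("30053003020100")
FAKE_P7B = bytes.fromhex("300f") + SIGNED_DATA_OID + bytes.fromhex("a0023000")

if __name__ == "__main__":
    for name, der in (("single certificate", FAKE_CERT), ("chain download", FAKE_P7B)):
        print(name, classify_pem(make_pem(der)))
```

A file reported as `pkcs7-bundle` is the .p7b case described above, so its certificates need saving out individually before the import.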
Hope this helps!