VMware vCenter Server Appliance: Sequence Wrong Size for a Certificate when replacing SSL Certificates


Just a quick one today. I was replacing a certificate for a customer’s VCSA today with one from their internal CA when I hit the error “Sequence Wrong Size for a Certificate”. To clarify, I had generated a CSR from the VCSA, requested the certificate from the CA, downloaded this and the certificate chain as base64, then tried to complete the import.

When Active Directory Certificate Services generates the certificate chain, it creates a .p7b file, and whilst vCenter will attempt to process this file, it can contain extra information, even when the certificate chain is a single certificate (the certificate authority). This is because the certificate chain will include the newly requested certificate in addition to the actual intermediate/root CAs.

This isn’t clear when you review the file within a text editor as you only see a single —–BEGIN CERTIFICATE —– and —–END CERTIFICATE—–, instead of each certificate being separated by these markers.

To get around this, either download the .p7b (certificate chain) and then save the certificates out manually and import them as such within vCenter, or just choose “Download certificate” (as Base64 encoded) and then save a copy of the CA from your existing “Trusted Root Certificate Authorities” repository, also as Base64 encoded.

Hope this helps!

4 responses to “VMware vCenter Server Appliance: Sequence Wrong Size for a Certificate when replacing SSL Certificates”

  1. Hi,
    I have saved the certificates manually from the chain, but how can we import them to vCenter as it is not allowing to select multiple files at “chain of trusted root certificates”.


    1. Hi! You need to create one file that is the entire chain. So you’d have a sequence of —-BEGIN—- and Ends for each cert in the chain.

      Make a new file, copy each public key in including the header/footer with a single carriage return between them


  2. Hi Micoolpaul,
    Ive been having this issue on my lab. I have a Windows CA but I do not have an Intermediate root CA. When you mean to add the entire chain I kind of do not understand. I just have my CA and from there I create certs for my webapps. I am sort of a noob to certificates (thats the reason why I set up this Windows CA in my lab so I can learn it), If you could help me I would greatly appreciate it.


    1. Hi Guichy,

      Your chain would be your certificate you’ve generated, and the root CA certificate in this case 🙂


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: