VMware vCenter Server Appliance: Sequence Wrong Size for a Certificate when replacing SSL Certificates


Just a quick one today. I was replacing a certificate for a customer’s VCSA today with one from their internal CA when I hit the error “Sequence Wrong Size for a Certificate”. To clarify, I had generated a CSR from the VCSA, requested the certificate from the CA, downloaded this and the certificate chain as base64, then tried to complete the import.

When Active Directory Certificate Services generates the certificate chain, it creates a .p7b file, and whilst vCenter will attempt to process this file, it can contain extra information, even when the certificate chain is a single certificate (the certificate authority). This is because the certificate chain will include the newly requested certificate in addition to the actual intermediate/root CAs.

This isn’t clear when you review the file within a text editor as you only see a single —–BEGIN CERTIFICATE —– and —–END CERTIFICATE—–, instead of each certificate being separated by these markers.

To get around this, either download the .p7b (certificate chain) and then save the certificates out manually and import them as such within vCenter, or just choose “Download certificate” (as Base64 encoded) and then save a copy of the CA from your existing “Trusted Root Certificate Authorities” repository, also as Base64 encoded.

Hope this helps!

By micoolpaul

Technical Consultant at Nexus Open Systems. Focusing on Veeam, VMware & Microsoft Productivity and Infrastructure stacks.

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s