Adding an LDAPS identity source fails with the error: invalid DER-encoded certificate data


Article ID: 305678




VMware vCenter Server


  • Cannot add an ldaps:// identity source
  • Adding an ldaps:// identity source fails after you select a certificate file using the Choose Certificate option
  • The Add certificate operation fails for the entity
  • You see the error:

    invalid DER-encoded certificate data

  • In the vcregtool.log file, you see entries similar to:

    main ERROR com.vmware.vim.dataservices.vcregtool.RegisterVC] Cannot load VC certificate invalid DER-encoded certificate data
    at com.vmware.vim.dataservices.vcregtool.RegisterVC.loadVcCertificate(
    at com.vmware.vim.dataservices.vcregtool.RegisterVC.loadVcProviderInfo(
    at com.vmware.vim.dataservices.vcregtool.RegisterVC.register(
    at com.vmware.vim.dataservices.vcregtool.RegisterVC.doRegistration(
    at com.vmware.vim.dataservices.vcregtool.RegisterVC.main(


VMware vCenter Server 5.1.x


vCenter Single Sign On expects the certificate file to contain only the Base64-encoded DER certificate. This issue may occur if the file contains any other data, such as the printed DER certificate information, before the -----BEGIN CERTIFICATE----- line, which marks the beginning of the Base64-encoded section. Whether such data is present depends on how the certificate was generated.


To resolve this issue:

  1. Open the certificate file and remove any content before the -----BEGIN CERTIFICATE----- line.
  2. Save and close the certificate file.
  3. Retry adding an ldaps:// identity source.
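
The cleanup in steps 1 and 2 can also be scripted. The following is an added example, not VMware code: it drops everything before the -----BEGIN CERTIFICATE----- line and checks that the Base64 body decodes to a single outer DER SEQUENCE (a structural check only, not a full X.509 parse). The function names are hypothetical and the sample input is a constructed stand-in, not a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

def der_length_ok(der):
    """True if der is one outer DER SEQUENCE whose length field covers every byte."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                            # short-form length
        header, length = 2, first
    else:                                       # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def clean_certificate(text):
    """Return (PEM block starting at the BEGIN line, True if a preamble was dropped)."""
    m = PEM_BLOCK.search(text)
    if m is None:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    # validate=True rejects characters outside the Base64 alphabet
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der_length_ok(der):
        raise ValueError("Base64 body is not a single DER SEQUENCE")
    had_preamble = bool(text[:m.start()].strip())
    return text[m.start():m.end()] + "\n", had_preamble

# Constructed sample: printed certificate text followed by a PEM block whose body
# is a tiny DER SEQUENCE { INTEGER 1 } standing in for a certificate.
_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")
SAMPLE = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    cleaned, had_preamble = clean_certificate(SAMPLE)
    print("preamble removed:", had_preamble)
    print(cleaned, end="")
```

Write the returned text to a new file and select that file with the Choose Certificate option, keeping the original file unchanged.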

Additional Information

For more information, see:
Generating Domain Root CA signed certificates for vCenter Server
Generating custom or default SSL certificates
Configuring a vCenter Single Sign-On 5.1 Identity Source using LDAP with SSL (LDAPS)