When attempting to apply a new custom machine SSL certificate to a vCenter Server using the vSphere Client, the process fails with an error message stating:
Error occurred while fetching tls: create trusted root chain failed : Certificate bearing subject <certificate details> is not a valid CA certificate. Please retry with a valid certificate chain.
When applying the new custom machine SSL certificate together with the intermediate and root certificate chain using the vSphere Client, the certificate hashes can be cut and pasted into the certificate window instead of using the "Browse File" button. If the pasted hashes are missing any characters, include any additional characters, or even include extra "space" characters, the certificate chain will be seen as invalid.
Verify that the certificate hashes being cut and pasted into the "Machine SSL Certificate" and "Chain of trusted root certificates" windows are not missing any characters and do not include any additional characters at the certificate header and footer.
In addition, ensure there are no extra "space" characters in the certificate header and footer.
Examples:
" -----BEGIN CERTIFICATE-----"
"-----BEGIN CERTIFICATE----- "
" -----BEGIN CERTIFICATE----- "
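The checks described above can be run on the text before it is pasted. The following is an added example, not VMware code: the function name `lint_pem` and the sample body are constructed for illustration, and it checks formatting only, not whether the certificate or chain is valid.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Loose pattern so damaged header/footer lines are still recognised as markers.
MARKER = re.compile(r"-+\s*(BEGIN|END)\s+CERTIFICATE\s*-+")
# Constructed placeholder body (valid base64, not a real certificate).
SAMPLE_BODY = base64.b64encode(b"constructed sample, not a real certificate").decode()


def lint_pem(text):
    """Return [(line_number, problem), ...] for pasted PEM certificate text."""
    problems, inside, body = [], False, []
    lines = text.splitlines()
    for num, raw in enumerate(lines, start=1):
        line = raw.strip()
        marker = MARKER.fullmatch(line)
        if marker:
            kind = marker.group(1)
            if raw != line:  # leading or trailing space on header/footer
                problems.append((num, f"whitespace around {kind} line"))
            if line not in (BEGIN, END):  # missing or extra characters
                problems.append((num, f"malformed {kind} line"))
            if kind == "BEGIN":
                if inside:
                    problems.append((num, "BEGIN without preceding END"))
                inside, body = True, []
            elif not inside:
                problems.append((num, "END without preceding BEGIN"))
            else:
                inside = False
                try:  # strict decode rejects spaces and truncated bodies
                    base64.b64decode("".join(body), validate=True)
                except ValueError:
                    problems.append((num, "body is not valid base64"))
        elif inside:
            body.append(raw)
        elif line:
            problems.append((num, "text outside certificate block"))
    if inside:
        problems.append((len(lines), "missing END line"))
    return problems


if __name__ == "__main__":
    pasted = f" {BEGIN}\n{SAMPLE_BODY}\n{END} \n"  # constructed bad paste
    for num, problem in lint_pem(pasted):
        print(f"line {num}: {problem}")
```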
Additional details on replacing vSphere Certificates can be found here: