Error "Invalid certificate format" during LDAPS certificate bundle upload

Article ID: 431484

Products

VMware vCenter Server

Issue/Introduction

When attempting to configure an Active Directory over LDAP (LDAPS) identity source in VMware vCenter Server, the configuration fails during the certificate upload process.

Symptoms:

  • Error messages such as "Invalid certificate format" or "Failed to parse certificate" appear when clicking Add.
  • The vCenter Server is unable to establish a secure connection to the Domain Controller.
  • Log entries in /var/log/vmware/sso/ssoAdminServer.log may show IllegalStateException or CertificateException related to file parsing.

Environment

VMware vCenter Server 7.x, 8.x

Cause

The vCenter Single Sign-On (SSO) configuration wizard requires individual Base64-encoded (PEM) X.509 certificates, usually with .cer, .crt, or .pem extensions; the file content is text that starts with -----BEGIN CERTIFICATE-----. The wizard does not support uploading compressed archive formats such as .zip or .7z. When a ZIP file is uploaded, the SSO service cannot extract the underlying PEM-encoded text required to build the trust chain. Note that a .cer file exported from Windows can be either "Base-64 encoded X.509" or "DER encoded binary X.509"; only the Base64 form is accepted, so convert a binary export before uploading it.

Resolution

To resolve this issue, you must extract the certificates from the archive and upload them individually.

  1. Extract the Certificate Bundle:
    1. On your local workstation, unzip the file containing the Domain Controller/CA certificates.
    2. Ensure you have the Root CA certificate and any Intermediate CA certificates as separate Base64 (PEM) files.
  2. Access SSO Configuration in vCenter:
    1. Log in to the vSphere Client as administrator@vsphere.local (or a user with SSO administrative privileges).
    2. Navigate to Administration > Single Sign-On > Configuration.
  3. Configure Identity Source:
    1. Select the Identity Sources tab.
    2. Click ADD.
    3. Set the Identity Source Type to Active Directory over LDAP.
    4. Fill in the Name, Base DN, and Username/Password.
    5. Set the Primary Server URL to ldaps://<DC_FQDN>:636.
  4. Upload Individual Certificates:
    1. In the Certificates section, click Browse.
    2. Select the Root CA certificate file and click Open.
    3. If you have Intermediate CAs, click the + or Add button to upload each additional certificate file separately.
  5. Save: Click ADD to complete the configuration.

Additional Information

Ensure the host name in the Primary Server URL matches the Subject or a Subject Alternative Name (SAN) entry of the certificate the Domain Controller presents, not only the CA certificates you upload. Using an IP address in the URL will cause a TLS handshake failure if the certificate only contains the FQDN, so use the FQDN the certificate was issued for.

Verify firewall connectivity: vCenter must be able to reach the Domain Controller on port 636 (LDAPS) or 3269 (Global Catalog LDAPS).
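The following POSIX shell helpers are an added example, not part of this article or of any VMware tooling. They automate the preparation in step 1 of the Resolution and the checks in Additional Information: convert binary DER or PKCS#7 (.p7b) files to PEM, split a multi-certificate PEM bundle into one file per certificate (the only form the wizard accepts), label each file as CA or leaf so Root, Intermediate and DC certificates can be told apart, and test whether the host in a Primary Server URL matches the SAN of a certificate. The host name dc01.example.com, the file names and the certificates in the usage comment are made up for illustration; the script needs openssl 1.1.1 or later, and unzip only when the input is a .zip archive.

```shell
#!/bin/sh
# Added example, not from the original KB article. Requires openssl >= 1.1.1;
# unzip is needed only for .zip input. Hostnames and file names are made up.

# Write each "-----BEGIN CERTIFICATE-----" block of $1 to $2-<n>.pem; print the count.
split_pem_bundle() {
    awk -v base="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = base "-" n ".pem"; inblock = 1 }
        inblock                       { print > file }
        /-----END CERTIFICATE-----/   { inblock = 0; close(file) }
        END                           { print n + 0 }
    ' "$1"
}

# Turn a .zip archive or a directory of certificate files ($1) into a directory ($2)
# holding one PEM file per certificate, the form the SSO wizard accepts.
prepare_ldaps_certs() {
    src=$1; out=$2
    mkdir -p "$out"
    tmp=$(mktemp -d)
    if [ -f "$src" ]; then                     # an archive rather than a directory
        unzip -q "$src" -d "$tmp/extracted"
        src=$tmp/extracted
    fi
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        stem=$(basename "$f"); stem=${stem%.*}
        pem=$tmp/$stem.pem
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            cp "$f" "$pem"                                 # PEM already (maybe several certs)
        elif openssl x509 -in "$f" -inform DER -noout 2>/dev/null; then
            openssl x509 -in "$f" -inform DER -out "$pem"   # binary DER -> PEM
        elif openssl pkcs7 -in "$f" -inform DER -print_certs -out "$pem" 2>/dev/null \
          || openssl pkcs7 -in "$f" -inform PEM -print_certs -out "$pem" 2>/dev/null; then
            :                                              # PKCS#7 (.p7b) bundle -> PEM
        else
            echo "skip: $f is not a certificate (private key? nested archive?)" >&2
            continue
        fi
        n=$(split_pem_bundle "$pem" "$out/$stem")
        if [ "$n" -eq 1 ]; then mv "$out/$stem-1.pem" "$out/$stem.pem"; fi
        echo "$f -> $n certificate file(s)"
    done
    rm -rf "$tmp"
}

# List subject/issuer of every PEM in $1 and whether it is a CA certificate,
# so Root, Intermediate and the DC's own (leaf) certificate can be told apart.
describe_certs() {
    for c in "$1"/*.pem; do
        kind=leaf
        if openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then kind=CA; fi
        printf '%s [%s]\n  %s\n  %s\n' "$c" "$kind" \
            "$(openssl x509 -in "$c" -noout -subject)" \
            "$(openssl x509 -in "$c" -noout -issuer)"
    done
}

# Does the host in a Primary Server URL ($1, e.g. ldaps://dc01.example.com:636)
# match the SAN (or CN) of the certificate in $2? Returns 0 on a match.
url_host_matches_cert() {
    host=${1#ldaps://}; host=${host%%/*}; host=${host%%:*}
    case $host in
        *[!0-9.]*) flag=-checkhost ;;                  # DNS name
        *) flag=-checkip                               # bare IPv4: needs an IP SAN
           echo "note: $host is an IP address; the URL should use the FQDN" >&2 ;;
    esac
    openssl x509 -in "$2" -noout "$flag" "$host" | grep -q ' does match '
}

# Fetch the leaf certificate the DC actually serves on 636 (needs network reachability,
# so this doubles as the firewall check), for use with url_host_matches_cert.
fetch_dc_cert() {
    openssl s_client -connect "$1:636" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

# Usage: prepare_ldaps_certs dc-certs.zip ./certs
#        describe_certs ./certs
#        fetch_dc_cert dc01.example.com ./dc01-leaf.pem
#        url_host_matches_cert ldaps://dc01.example.com:636 ./dc01-leaf.pem
```

Upload only the files that describe_certs marks as CA; the leaf certificate the DC serves is what url_host_matches_cert should be run against, and `openssl verify -CAfile root.pem -untrusted intermediate.pem dc01-leaf.pem` confirms that the files you are about to upload actually form the chain for it.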