Change ONC certificate importer to strictly adhere to the format

Issue description

https://chromium.googlesource.com/chromium/src/+/master/components/onc/docs/onc_spec.md#Certificate-type states that the format for a Certificate is "For certificate without private keys, this is the X509 certificate in PEM format." The current importer, however, is lax in its enforcement - see https://chromium.googlesource.com/chromium/src/+/a1df5f316669bac548623cafd8b59c85f03ac63c/chromeos/network/onc/onc_utils.cc#389

As captured in https://tools.ietf.org/html/draft-thomson-postel-was-wrong , being liberal in acceptance here causes problems. This is de facto redefining the spec as to what's acceptable, and prevents interoperability or making changes that can be reasoned safe.

Using X509Certificate::CreateCertificateListFromBytes() seems desirable here - presumably, using FORMAT_PEM_CERT_SEQUENCE and making sure that .size() == 1. That format only accepts the "CERTIFICATE" PEM block, as per https://tools.ietf.org/html/rfc7468#section-5
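
The acceptance rule proposed above (exactly one PEM block, labelled "CERTIFICATE"), sketched as a standalone check. This is an added example, not Chromium code and not part of the original report: `IsSingleCertificatePem` and the sample input are hypothetical, the body is only checked for base64 shape (no DER parsing), and rejecting any text outside the block is this example's own assumption.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical helper, not Chromium code. Returns true only when `input` is
// exactly one RFC 7468 textual block labelled CERTIFICATE, with a non-empty
// base64-shaped body and nothing but whitespace around it.
bool IsSingleCertificatePem(const std::string& input) {
  const std::string kBegin = "-----BEGIN CERTIFICATE-----";
  const std::string kEnd = "-----END CERTIFICATE-----";
  std::istringstream lines(input);
  std::string line;
  int blocks = 0;
  bool in_block = false, seen_pad = false;
  std::size_t body_chars = 0;
  while (std::getline(lines, line)) {
    // Trim trailing CR and spaces so CRLF input is handled.
    while (!line.empty() && std::isspace(static_cast<unsigned char>(line.back())))
      line.pop_back();
    if (line.empty()) continue;
    if (!in_block) {
      if (line != kBegin) return false;  // other label, raw base64, stray text
      in_block = true; seen_pad = false; body_chars = 0;
      ++blocks;
      continue;
    }
    if (line == kEnd) {
      if (body_chars == 0 || body_chars % 4 != 0) return false;
      in_block = false;
      continue;
    }
    for (unsigned char c : line) {
      bool is_pad = (c == '=');
      if (!std::isalnum(c) && c != '+' && c != '/' && !is_pad) return false;
      if (seen_pad && !is_pad) return false;  // data after padding
      seen_pad = seen_pad || is_pad;
    }
    body_chars += line.size();
  }
  return !in_block && blocks == 1;  // the ".size() == 1" condition
}

// Constructed sample: placeholder base64 body, not a real certificate.
const std::string kSample =
    "-----BEGIN CERTIFICATE-----\nTUlJQg==\n-----END CERTIFICATE-----\n";

int main() {  // prints 100: one block accepted, two blocks and bare base64 rejected
  std::cout << IsSingleCertificatePem(kSample) << IsSingleCertificatePem(kSample + kSample)
            << IsSingleCertificatePem("TUlJQg==") << "\n";
}
```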