diff --git a/libfreerdp/core/certificate.c b/libfreerdp/core/certificate.c
index 5f258037a..d4b486fee 100644
--- a/libfreerdp/core/certificate.c
+++ b/libfreerdp/core/certificate.c
@@ -807,35 +807,38 @@ BOOL certificate_read_server_certificate(rdpCertificate* certificate, const BYTE
 	return ret;
 }
 
-BOOL certificate_write_server_certificate(rdpCertificate* certificate, UINT32 dwVersion, wStream* s)
+SSIZE_T certificate_write_server_certificate(const rdpCertificate* certificate, UINT32 dwVersion,
+                                             wStream* s)
 {
-	BOOL ret;
+	const size_t start = Stream_GetPosition(s);
 
 	WINPR_ASSERT(certificate);
 	WINPR_ASSERT(s);
 
 	if (!Stream_EnsureRemainingCapacity(s, 4))
-		return FALSE;
+		return -1;
 	Stream_Write_UINT32(s, dwVersion); /* dwVersion (4 bytes) */
 
 	switch (dwVersion & CERT_CHAIN_VERSION_MASK)
 	{
 		case CERT_CHAIN_VERSION_1:
-			ret = certificate_write_server_proprietary_certificate(certificate, s);
+			if (!certificate_write_server_proprietary_certificate(certificate, s))
+				return -1;
 			break;
 
 		case CERT_CHAIN_VERSION_2:
-			ret = certificate_write_server_x509_certificate_chain(certificate, s);
+			if (!certificate_write_server_x509_certificate_chain(certificate, s))
+				return -1;
 			break;
 
 		default:
 			WLog_ERR(TAG, "invalid certificate chain version:%" PRIu32 "",
 			         dwVersion & CERT_CHAIN_VERSION_MASK);
-			ret = FALSE;
-			break;
+			return -1;
 	}
 
-	return ret;
+	const size_t end = Stream_GetPosition(s);
+	return end - start;
 }
 
 rdpRsaKey* key_new_from_content(const char* keycontent, const char* keyfile)
diff --git a/libfreerdp/core/certificate.h b/libfreerdp/core/certificate.h
index fea087d0b..769eb5537 100644
--- a/libfreerdp/core/certificate.h
+++ b/libfreerdp/core/certificate.h
@@ -47,8 +47,8 @@
 
 FREERDP_LOCAL BOOL certificate_read_server_certificate(rdpCertificate* certificate,
                                                        const BYTE* server_cert, size_t length);
-FREERDP_LOCAL BOOL certificate_write_server_certificate(rdpCertificate* certificate,
-                                                        UINT32 dwVersion, wStream* s);
+FREERDP_LOCAL SSIZE_T certificate_write_server_certificate(const rdpCertificate* certificate,
+                                                           UINT32 dwVersion, wStream* s);
 
 FREERDP_LOCAL rdpCertificate* certificate_clone(const rdpCertificate* certificate);
 
diff --git a/libfreerdp/core/license.c b/libfreerdp/core/license.c
index 5b5dfbcd7..3a449d742 100644
--- a/libfreerdp/core/license.c
+++ b/libfreerdp/core/license.c
@@ -2751,9 +2751,10 @@ BOOL license_server_configure(rdpLicense* license)
 		return FALSE;
 	else
 	{
-		BOOL r =
+		BOOL r = FALSE;
+		SSIZE_T res =
 		    certificate_write_server_certificate(license->certificate, CERT_CHAIN_VERSION_2, s);
-		if (r)
+		if (res >= 0)
 			r = license_read_binary_blob_data(license->ServerCertificate, BB_CERTIFICATE_BLOB,
 			                                  Stream_Buffer(s), Stream_GetPosition(s));