In our organization, we've encountered this issue on the following hardware platforms, when loaded with software versions CE9.3.x/9.4.x/9.5.x.

Our workarounds:
- Roll software back to CE9.2.x for certificate upload, and then roll software forward to 9.3.x/9.4.x/9.5.x

- Download signed pkcs7 public key file, then convert to .pem file before upload to device (no software rollback).