diff --git a/src/fundamental/efi-fundamental.h b/src/fundamental/efi-fundamental.h
index de7ae6cd8a..f72290e1b3 100644
--- a/src/fundamental/efi-fundamental.h
+++ b/src/fundamental/efi-fundamental.h
@@ -36,11 +36,10 @@ typedef struct {
         uint32_t dwLength;
         uint16_t wRevision;
         uint16_t wCertificateType;
-        uint8_t bCertificate[];
-} WIN_CERTIFICATE;
+} WIN_CERTIFICATE_HEADER;
 
 typedef struct {
-        WIN_CERTIFICATE Hdr;
+        WIN_CERTIFICATE_HEADER Hdr;
         EFI_GUID CertType;
         uint8_t CertData[];
 } WIN_CERTIFICATE_UEFI_GUID;
diff --git a/src/sbsign/sbsign.c b/src/sbsign/sbsign.c
index b2f0d861ce..74e05d4b40 100644
--- a/src/sbsign/sbsign.c
+++ b/src/sbsign/sbsign.c
@@ -669,18 +669,18 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
                 end += n;
         }
 
-        uint32_t certsz = offsetof(WIN_CERTIFICATE, bCertificate) + sigsz;
+        uint32_t certsz = sizeof(WIN_CERTIFICATE_HEADER) + sigsz;
         n = pwrite(dstfd,
-                   &(WIN_CERTIFICATE) {
+                   &(WIN_CERTIFICATE_HEADER) {
                            .wRevision = htole16(0x200),
                            .wCertificateType = htole16(0x0002), /* PKCS7 signedData */
                            .dwLength = htole32(ROUND_UP(certsz, 8)),
                    },
-                   sizeof(WIN_CERTIFICATE),
+                   sizeof(WIN_CERTIFICATE_HEADER),
                    end);
         if (n < 0)
                 return log_error_errno(errno, "Failed to write certificate header: %m");
-        if (n != sizeof(WIN_CERTIFICATE))
+        if (n != sizeof(WIN_CERTIFICATE_HEADER))
                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short write while writing certificate header.");
 
         end += n;