wolfSSL has refined its X.509 serial number validation to better handle real-world trust stores. Previously, wolfSSL rejected any certificate with a serial number of 0. While RFC 5280 requires CAs to issue certificates with positive serial numbers, some long-standing self-signed root CA certificates in circulation were created with serial 0, and rejecting them caused otherwise valid certificate chains to fail to load.
With this change, wolfSSL now accepts serial number 0 for self-signed root CA certificates while continuing to reject it for all other certificates, including end-entity and self-signed non-CA certificates. This keeps the strict RFC 5280 check where it matters most – certificates actually issued by a CA – while accommodating legacy roots that trust stores already accept in practice.
The change was merged in PR #9567, resolves issue #8615, and will be included in the next wolfSSL release.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now

