1 change: 1 addition & 0 deletions certs/include.am
Original file line number Diff line number Diff line change
@@ -146,6 +146,7 @@ include certs/ocsp/include.am
include certs/statickeys/include.am
include certs/test/include.am
include certs/test-pathlen/include.am
include certs/test-serial0/include.am
include certs/intermediate/include.am
include certs/falcon/include.am
include certs/rsapss/include.am
66 changes: 66 additions & 0 deletions certs/test-serial0/README.md
@@ -0,0 +1,66 @@
# Serial Number 0 Test Certificates

This directory contains test certificates for testing wolfSSL's handling of serial number 0 in certificates, specifically for issue #8615.

## Background

RFC 5280 section 4.1.2.2 requires certificate serial numbers to be positive non-zero integers. However, some legacy root CA certificates in real-world trust stores have serial number 0. Since root CAs are explicitly trusted by configuration (not by chain validation), wolfSSL allows serial 0 specifically for self-signed CA certificates (root CAs) while still enforcing RFC 5280 compliance for other certificate types.

## Test Certificates

This directory contains the following test certificates:

### 1. root_serial0.pem
- **Type**: Root CA (self-signed, CA:TRUE)
- **Serial Number**: 0
- **Expected Behavior**: Should be accepted by wolfSSL
- **Purpose**: Tests that legacy root CAs with serial 0 can be loaded

### 2. root.pem
- **Type**: Root CA (self-signed, CA:TRUE)
- **Serial Number**: 1
- **Expected Behavior**: Should be accepted by wolfSSL
- **Purpose**: Normal root CA for signing test certificates

### 3. ee_serial0.pem
- **Type**: End-entity certificate (CA:FALSE)
- **Serial Number**: 0
- **Signed By**: root.pem (serial 1)
- **Expected Behavior**: Should be rejected by wolfSSL
- **Purpose**: Tests that end-entity certs with serial 0 are still rejected

### 4. ee_normal.pem
- **Type**: End-entity certificate (CA:FALSE)
- **Serial Number**: 100
- **Signed By**: root_serial0.pem (serial 0)
- **Expected Behavior**: Should be accepted by wolfSSL
- **Purpose**: Tests that normal certificates signed by a serial 0 root CA work correctly

### 5. selfsigned_nonca_serial0.pem
- **Type**: Self-signed certificate (CA:FALSE)
- **Serial Number**: 0
- **Expected Behavior**: Should be rejected by wolfSSL
- **Purpose**: Tests that self-signed non-CA certs with serial 0 are rejected (only root CAs get the exception)

## Regenerating Certificates

To regenerate all test certificates:

```bash
cd certs/test-serial0
./generate_certs.sh
```

Requirements:
- OpenSSL command-line tool

## Unit Tests

These certificates are used by the `test_SerialNumber0_RootCA()` function in `tests/api/test_asn.c`.

## Related Issues

- GitHub Issue: https://github.com/wolfSSL/wolfssl/issues/8615
- RFC 5280 Section 4.1.2.2: Certificate Serial Number Requirements
- RFC Errata 3200: Clarification that serial numbers must be non-zero
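Review bot: The "Expected Behavior" entries in sections 1 to 5 say only that a certificate should be accepted or rejected "by wolfSSL", without naming the operation (loading it as a trusted CA, parsing it, or verifying it against a loaded root) or the error that is expected. For ee_serial0.pem and selfsigned_nonca_serial0.pem in particular, state which step fails and with what result, so the README can be checked against what `test_SerialNumber0_RootCA()` asserts. The Requirements list should also say that generate_certs.sh needs bash (it uses `<(...)` process substitution) and an OpenSSL build that supports `-addext`.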

16 changes: 16 additions & 0 deletions certs/test-serial0/ee_normal.csr
@@ -0,0 +1,16 @@
21 changes: 21 additions & 0 deletions certs/test-serial0/ee_normal.pem
@@ -0,0 +1,21 @@
28 changes: 28 additions & 0 deletions certs/test-serial0/ee_normal_key.pem
@@ -0,0 +1,28 @@
16 changes: 16 additions & 0 deletions certs/test-serial0/ee_serial0.csr
@@ -0,0 +1,16 @@
21 changes: 21 additions & 0 deletions certs/test-serial0/ee_serial0.pem
@@ -0,0 +1,21 @@
28 changes: 28 additions & 0 deletions certs/test-serial0/ee_serial0_key.pem
@@ -0,0 +1,28 @@
94 changes: 94 additions & 0 deletions certs/test-serial0/generate_certs.sh
@@ -0,0 +1,94 @@
#!/bin/bash
#
# Generate test certificates for serial number 0 testing (issue #8615)
# This script creates certificates in the certs/test-serial0/ directory

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$SCRIPT_DIR"

echo "==================================================="
echo "Generating serial 0 test certificates in: $SCRIPT_DIR"
echo "==================================================="

# 1. Create Root CA with serial number 0
echo ""
echo "[1/5] Creating Root CA with serial number 0..."
openssl req -x509 -newkey rsa:2048 -keyout root_serial0_key.pem -out root_serial0.pem \
-days 3650 -nodes -subj "/CN=Test Root CA Serial 0/O=wolfSSL Test/C=US" \
-set_serial 0 \
-addext "basicConstraints=critical,CA:TRUE" \
-addext "keyUsage=critical,keyCertSign,cRLSign"

echo " Root CA serial number:"
openssl x509 -in root_serial0.pem -noout -serial

# 2. Create normal Root CA (serial != 0)
echo ""
echo "[2/5] Creating normal Root CA with serial number 1..."
openssl req -x509 -newkey rsa:2048 -keyout root_key.pem -out root.pem \
-days 3650 -nodes -subj "/CN=Test Root CA Normal/O=wolfSSL Test/C=US" \
-set_serial 1 \
-addext "basicConstraints=critical,CA:TRUE" \
-addext "keyUsage=critical,keyCertSign,cRLSign"

echo " Root CA serial number:"
openssl x509 -in root.pem -noout -serial

# 3. Create end-entity cert with serial 0 signed by normal root
echo ""
echo "[3/5] Creating end-entity certificate with serial number 0..."
openssl req -newkey rsa:2048 -keyout ee_serial0_key.pem -out ee_serial0.csr -nodes \
-subj "/CN=End Entity Serial 0/O=wolfSSL Test/C=US"

openssl x509 -req -in ee_serial0.csr -CA root.pem -CAkey root_key.pem \
-out ee_serial0.pem -days 365 -set_serial 0 \
-extfile <(echo "basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth")

echo " End-entity cert serial number:"
openssl x509 -in ee_serial0.pem -noout -serial

# 4. Create normal end-entity cert signed by root CA with serial 0
echo ""
echo "[4/5] Creating normal end-entity certificate (signed by serial 0 root)..."
openssl req -newkey rsa:2048 -keyout ee_normal_key.pem -out ee_normal.csr -nodes \
-subj "/CN=End Entity Normal/O=wolfSSL Test/C=US"

openssl x509 -req -in ee_normal.csr -CA root_serial0.pem -CAkey root_serial0_key.pem \
-out ee_normal.pem -days 365 -set_serial 100 \
-extfile <(echo "basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth")

echo " Normal end-entity cert serial number:"
openssl x509 -in ee_normal.pem -noout -serial

# 5. Create self-signed non-CA certificate with serial 0
echo ""
echo "[5/5] Creating self-signed non-CA certificate with serial number 0..."
openssl req -x509 -newkey rsa:2048 -keyout selfsigned_nonca_serial0_key.pem \
-out selfsigned_nonca_serial0.pem -days 365 -nodes \
-subj "/CN=Self-Signed Non-CA Serial 0/O=wolfSSL Test/C=US" \
-set_serial 0 \
-addext "basicConstraints=CA:FALSE" \
-addext "keyUsage=digitalSignature,keyEncipherment"

echo " Self-signed non-CA cert serial number:"
openssl x509 -in selfsigned_nonca_serial0.pem -noout -serial

echo ""
echo "==================================================="
echo "Certificate generation complete!"
echo "==================================================="
echo ""
echo "Generated certificates in: $SCRIPT_DIR"
echo " - root_serial0.pem (Root CA with serial 0)"
echo " - root.pem (Normal root CA)"
echo " - ee_serial0.pem (End-entity with serial 0)"
echo " - ee_normal.pem (Normal end-entity)"
echo " - selfsigned_nonca_serial0.pem (Self-signed non-CA with serial 0)"
echo ""
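Review bot: The `-days 365` on the three non-root certificates (steps 3, 4 and 5) gives the committed fixtures a one-year lifetime, while both roots get `-days 3650`. Once the leaves expire, the positive case for ee_normal.pem can fail on date validity instead of exercising serial handling, and the two serial 0 negative cases can be rejected for the wrong reason and still appear to pass. Give the leaf certificates a validity comparable to the roots, and have the negative tests check for the serial-number error specifically rather than any failure. The script also leaves ee_serial0.csr and ee_normal.csr behind after signing; remove them at the end if nothing consumes them.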

20 changes: 20 additions & 0 deletions certs/test-serial0/include.am
@@ -0,0 +1,20 @@
# vim:ft=automake
# included from Top Level Makefile.am
# All paths should be given relative to the root

dist_doc_DATA+= certs/test-serial0/README.md

EXTRA_DIST+= certs/test-serial0/generate_certs.sh \
certs/test-serial0/root_serial0.pem \
certs/test-serial0/root_serial0_key.pem \
certs/test-serial0/root.pem \
certs/test-serial0/root_key.pem \
certs/test-serial0/ee_serial0.pem \
certs/test-serial0/ee_serial0.csr \
certs/test-serial0/ee_serial0_key.pem \
certs/test-serial0/ee_normal.pem \
certs/test-serial0/ee_normal.csr \
certs/test-serial0/ee_normal_key.pem \
certs/test-serial0/selfsigned_nonca_serial0.pem \
certs/test-serial0/selfsigned_nonca_serial0_key.pem
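Review bot: The `dist_doc_DATA+= certs/test-serial0/README.md` line installs this README into the documentation directory under its basename, where it can collide with any other README.md installed the same way; since it only documents test fixtures, listing it in EXTRA_DIST with the other files is the safer choice. EXTRA_DIST also ships ee_serial0.csr and ee_normal.csr, which are intermediate outputs of generate_certs.sh and are not among the five test certificates the README describes; drop them from this list unless a test reads them.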

21 changes: 21 additions & 0 deletions certs/test-serial0/root.pem
@@ -0,0 +1,21 @@
28 changes: 28 additions & 0 deletions certs/test-serial0/root_key.pem
@@ -0,0 +1,28 @@
21 changes: 21 additions & 0 deletions certs/test-serial0/root_serial0.pem
@@ -0,0 +1,21 @@