Allow serial number 0 for root CA certificates

certs/include.am

@@ -146,6 +146,7 @@ include certs/ocsp/include.am
 include certs/statickeys/include.am
 include certs/test/include.am
 include certs/test-pathlen/include.am
+include certs/test-serial0/include.am
 include certs/intermediate/include.am
 include certs/falcon/include.am
 include certs/rsapss/include.am

certs/test-serial0/README.md

@@ -0,0 +1,66 @@
+# Serial Number 0 Test Certificates
+
+This directory contains test certificates for testing wolfSSL's handling of serial number 0 in certificates, specifically for issue #8615.
+
+## Background
+
+RFC 5280 section 4.1.2.2 requires certificate serial numbers to be positive non-zero integers. However, some legacy root CA certificates in real-world trust stores have serial number 0. Since root CAs are explicitly trusted by configuration (not by chain validation), wolfSSL allows serial 0 specifically for self-signed CA certificates (root CAs) while still enforcing RFC 5280 compliance for other certificate types.
+
+## Test Certificates
+
+This directory contains the following test certificates:
+
+### 1. root_serial0.pem
+- **Type**: Root CA (self-signed, CA:TRUE)
+- **Serial Number**: 0
+- **Expected Behavior**: Should be accepted by wolfSSL
+- **Purpose**: Tests that legacy root CAs with serial 0 can be loaded
+
+### 2. root.pem
+- **Type**: Root CA (self-signed, CA:TRUE)
+- **Serial Number**: 1
+- **Expected Behavior**: Should be accepted by wolfSSL
+- **Purpose**: Normal root CA for signing test certificates
+
+### 3. ee_serial0.pem
+- **Type**: End-entity certificate (CA:FALSE)
+- **Serial Number**: 0
+- **Signed By**: root.pem (serial 1)
+- **Expected Behavior**: Should be rejected by wolfSSL
+- **Purpose**: Tests that end-entity certs with serial 0 are still rejected
+
+### 4. ee_normal.pem
+- **Type**: End-entity certificate (CA:FALSE)
+- **Serial Number**: 100
+- **Signed By**: root_serial0.pem (serial 0)
+- **Expected Behavior**: Should be accepted by wolfSSL
+- **Purpose**: Tests that normal certificates signed by a serial 0 root CA work correctly
+
+### 5. selfsigned_nonca_serial0.pem
+- **Type**: Self-signed certificate (CA:FALSE)
+- **Serial Number**: 0
+- **Expected Behavior**: Should be rejected by wolfSSL
+- **Purpose**: Tests that self-signed non-CA certs with serial 0 are rejected (only root CAs get the exception)
+
+## Regenerating Certificates
+
+To regenerate all test certificates:
+
+```bash
+cd certs/test-serial0
+./generate_certs.sh
+```
+
+Requirements:
+- OpenSSL command-line tool
+
+## Unit Tests
+
+These certificates are used by the `test_SerialNumber0_RootCA()` function in `tests/api/test_asn.c`.
+
+## Related Issues
+
+- GitHub Issue: https://github.com/wolfSSL/wolfssl/issues/8615
+- RFC 5280 Section 4.1.2.2: Certificate Serial Number Requirements
+- RFC Errata 3200: Clarification that serial numbers must be non-zero
+

certs/test-serial0/ee_normal.csr

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIChTCCAW0CAQAwQDEaMBgGA1UEAwwRRW5kIEVudGl0eSBOb3JtYWwxFTATBgNV
+BAoMDHdvbGZTU0wgVGVzdDELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDQSvsliJPsY3ISeW7hj9iry1sP1uLy6RXBdsxfitjzgXjW
+NT4wq04sC+WCB0ce2eQqtY5WEKWrY2Xcm565IgHGTa/lGMQVoyBALx7JFUfdgopI
+p+3cmNdsh3brxyBid6vkWZ2Kqg66xrepP81DBjYJjZVZkPAcVPVaRy9OUcrYba3C
+39Ag8dkazgEArTjWLzpn0E+R8TmNnBaHfNtC1sCQlBvXgcflmcgJX5YiezySyrxe
+yZ2NLnI//T8gLfDET0wxaDl3ghaxsYmsm/S3k2O+/1LBIRVBo5m/StqKE0dd74Jy
+l6IjLhA2AAIPKDead3agECwT92z8IBuEP+c+ReFbAgMBAAGgADANBgkqhkiG9w0B
+AQsFAAOCAQEAq+cFptvWqf7wJyNHKx/ba8Vs5L7eQ0FxptaL+vL/GJpK/EB/eUXf
+EbpznObJhe1koHzfdTg6AxORR/EdOnMwNd4OwsFf0EneC8As+fQp0VGJsI5pJROq
+FHdwh4bvAnA/hb9xrmev1BemjNGiRfuyDxkFB737x0HqWE4hLT7r+/+K56nXjaOh
+RW/J8Q6yestFmhOaYkikO/JRuDZycsjnig+tCpsqCMbPH8NDZnQ9iqsM7GsJnbJ0
+xN5564H6pybxWRAbzUwuqD9GjZEUMnQEl09Bj3RrvdO6k0Is/3DLz/j18Lq9SMVE
+Pn65JyYOtOx4nYq/l0qwGmyxVH6B2iFK5A==
+-----END CERTIFICATE REQUEST-----

certs/test-serial0/ee_normal.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAmCgAwIBAgIBZDANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0
+IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE
+BhMCVVMwHhcNMjYwMTIwMjIyMDU0WhcNMjcwMTIwMjIyMDU0WjBAMRowGAYDVQQD
+DBFFbmQgRW50aXR5IE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD
+VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBK+yWIk+xj
+chJ5buGP2KvLWw/W4vLpFcF2zF+K2POBeNY1PjCrTiwL5YIHRx7Z5Cq1jlYQpatj
+ZdybnrkiAcZNr+UYxBWjIEAvHskVR92Cikin7dyY12yHduvHIGJ3q+RZnYqqDrrG
+t6k/zUMGNgmNlVmQ8BxU9VpHL05RythtrcLf0CDx2RrOAQCtONYvOmfQT5HxOY2c
+Fod820LWwJCUG9eBx+WZyAlfliJ7PJLKvF7JnY0ucj/9PyAt8MRPTDFoOXeCFrGx
+iayb9LeTY77/UsEhFUGjmb9K2ooTR13vgnKXoiMuEDYAAg8oN5p3dqAQLBP3bPwg
+G4Q/5z5F4VsCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRnG/d+aW8BFCmq6uwx
+C6dWjzttgjAfBgNVHSMEGDAWgBRt0+yEMO1FSR8j934e0GuPtvjJETANBgkqhkiG
+9w0BAQsFAAOCAQEAcL96MOQD8SbVbhqBc7pJWrzUCfdHUX5TVfvwmSgU2+36cSkl
+3X5ScMQT9FJbdMe/O3a3jpVVjNM1Tr4n1vL/32o5/3YVlzUZBKtOs+wQU4p+juin
+ye9ot4IZTbv12Fqwp4UC1Z7QU9SwtwEVE6drWYEmc7dRN1DchEaI6fmGMCqIaD4+
+6rw4yUEeRn6tVVnzhRHK+F0iCSKUK4cpvDgJqbtzJDMHx777L1dZV/7Q3SLhdJoV
+Iz+KB/HTUaaV47cUbJyxpGw4RmtsFW0Lt/B6Tgfp6X6laUCTLKIXxQVKEzxI2GMc
+vBT21qGYbcWCAPdF0BBTo5zsI/zWtgyuTEWmMQ==
+-----END CERTIFICATE-----

certs/test-serial0/ee_normal_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQSvsliJPsY3IS
+eW7hj9iry1sP1uLy6RXBdsxfitjzgXjWNT4wq04sC+WCB0ce2eQqtY5WEKWrY2Xc
+m565IgHGTa/lGMQVoyBALx7JFUfdgopIp+3cmNdsh3brxyBid6vkWZ2Kqg66xrep
+P81DBjYJjZVZkPAcVPVaRy9OUcrYba3C39Ag8dkazgEArTjWLzpn0E+R8TmNnBaH
+fNtC1sCQlBvXgcflmcgJX5YiezySyrxeyZ2NLnI//T8gLfDET0wxaDl3ghaxsYms
+m/S3k2O+/1LBIRVBo5m/StqKE0dd74Jyl6IjLhA2AAIPKDead3agECwT92z8IBuE
+P+c+ReFbAgMBAAECggEAMTQ9PsEUPIfDZzTTaipaYz7PHJ9FDl/cWU7QeZNpq6A+
+pM+ACOw2s7X9uekxNkr/mM05ugAFusZoxiPm61HqvGcWsZZXn8rgr/jRm2vRBbU0
+KHSu/mkGnqcjgxAPiOM/MlqvGhYRE7MkqLEfMoGRm1EcYkOYTQEO0ow1UxmEQvq8
+NLiuPiX783SLGfcvaSXZ0Sjt7040J6YZmwPRQexf7FvR5wUqI/5xx6OqyXs4D/Ua
+/UsJZNbaXmnUL4KR7D7mQXQnj3GZF1SC4xYwZxe+3XQI+YADjvyN2huv7JgWFszE
+oBkaAGhlXFnilxPJ7MUOCAZgJuj0Q23MN2vCaB8CAQKBgQD+AHcCqbRUEP48cwVd
+SA7nHf9u8b0Zf0KArh94SlFJPI9FvfqEIWguJqY0TgoOg8RSdnJTPxaKgix1MX8k
+zrRYhmlX5vK0ZQrKoSIRoD0jeDXWbqywICamqurPeJW9DznhmAWlh4+99YcP0OAs
+nzALph1fGzvHZG7UkSdBwGPnWwKBgQDR7nZ6dWSPKMZskNvhqv5aXZJ8bly6zRZB
+X6uc/9pSjG9sFSlrx9JspoBcA9mvlMoGjbL+vPqTUC31X+7GbEUD0VGoz91zAHgL
+nuzYNtO3uFUMrfsafwV2yxiIia5gO9xn+xvtYu9ooyeIbDH76Hx+NurvWE78n2wH
+4u7QRaEOAQKBgQDEKC/AiraMxaLRpDJcW63GptABKgdTjYgaQF5lU197I52xyomR
+SQtfuNFaS3pQw0n2NSsNRwdtaCJVTyhVkJyOUR9Bl0WQMwgmfFIHMqyEm+1X8JjE
+W8/9nrlACGv7WarlobWapBpKJTds6250h2tfU6YTMMD1t4Yv+vlKOf3tSQKBgAax
+DDPBFDCAAzsorumVkr/8pZOzzN7jdKcmzoiVmzbwZQjT79sQpoNyFztXoBO5sWre
+D2uRSIdzkdN1eF34y4ZgoLK51Xw58pmkOjZ2IO+FP6jEzvE8RUdRF/oaMWW94rup
+xG0frzPtp2/wyvMVqQo44+o3LWVeC4qA0E3xOj4BAoGAXg5lRpHvQ7pnBc3091bt
+fDmZwFcqFnIH/9GATHzj2E0nBaTEkCFHNhPoW8gdpZBGUbe7Tgy1HGZUY9Few6Wt
+n0CvP8dcaN2WTrUh7oWe5cL27ySOoGO46pUqgUSAwTKTReK7LsUq0s5wpsYcCrLp
+bqDVpmojm7S1Ie/5Eep12r8=
+-----END PRIVATE KEY-----

certs/test-serial0/ee_serial0.csr

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIChzCCAW8CAQAwQjEcMBoGA1UEAwwTRW5kIEVudGl0eSBTZXJpYWwgMDEVMBMG
+A1UECgwMd29sZlNTTCBUZXN0MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALEtqgqXbOUdAsBBRE3FvtL9gUQOBn+JMBvrXTgHMhV5
+Bx6AEQF7x4av90MUllAnPKthbJrJlFEHenlKfmQ/mGygdlwenf4WZtKx0tbRwkGX
+o6ZQwsFlDuHAIykn99B+tnm+8C3LcTirTDEBNcyauqhgJigIH5W5X+4LqqK5GAlB
+Pj/YgUpNxCdLIZUm7m+Zms3U2kKCmZEDCQDGItA8Zfc8a4Fut4W6ZqtzGhJ8+8KK
+I/+QpGhdYzAptMJ4oKYShTE3WgQxMAdwnSYTqu5V4h1fCq2fdAMZL3Sa8yE7vimZ
+t4eGNWM/WdrEuX/3GBd/A6B9L0m0fSOC6YzLpPKiBfkCAwEAAaAAMA0GCSqGSIb3
+DQEBCwUAA4IBAQBG+FbMGBe6uz/kTHNvxlQUxH5HoLUnrbeP/fRM8zrh6EsCPrcX
+o6hBt03rAvw0EbNOB4QYNt5qEZpz7N3164yfnN6rQjAdwcvg3Anoy3tImIMaNl0k
+BE4ju5TlUSIc+qqHaqTKxZzM2XoomgztyZX1c4DeSspRBLK7/neaK02ZQKcHRQ7P
+dyrVp2/LpZXrD3oa0kPExJKcb88MerBDQLUE7hM4dgHq73C69zoHT+PxGF9DvbC6
+OfP41FBFEEG2/q9BC9/PQWaBLzBVmQCyBNiGskPppHYql0Kb6urc9bNS2hsFVaOW
+v2Mw+6Yfh/Csm78QurQAe5J4llMu/Jc0lPYQ
+-----END CERTIFICATE REQUEST-----

certs/test-serial0/ee_serial0.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAmCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0
+IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT
+AlVTMB4XDTI2MDEyMDIyMjA1NFoXDTI3MDEyMDIyMjA1NFowQjEcMBoGA1UEAwwT
+RW5kIEVudGl0eSBTZXJpYWwgMDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD
+VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALEtqgqXbOUd
+AsBBRE3FvtL9gUQOBn+JMBvrXTgHMhV5Bx6AEQF7x4av90MUllAnPKthbJrJlFEH
+enlKfmQ/mGygdlwenf4WZtKx0tbRwkGXo6ZQwsFlDuHAIykn99B+tnm+8C3LcTir
+TDEBNcyauqhgJigIH5W5X+4LqqK5GAlBPj/YgUpNxCdLIZUm7m+Zms3U2kKCmZED
+CQDGItA8Zfc8a4Fut4W6ZqtzGhJ8+8KKI/+QpGhdYzAptMJ4oKYShTE3WgQxMAdw
+nSYTqu5V4h1fCq2fdAMZL3Sa8yE7vimZt4eGNWM/WdrEuX/3GBd/A6B9L0m0fSOC
+6YzLpPKiBfkCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTyadZTmltoi4cKgwkj
+nBnlwHOAEjAfBgNVHSMEGDAWgBSJPs7EkDRfdCKEKo9bs+7f7fbDVjANBgkqhkiG
+9w0BAQsFAAOCAQEApkyEGnc9kvcZ6j9WcCqd83dwfKglWItlQxoEOwG0ion0nML2
+YZ1YOaKY96jZCAmWnlHPyZX9jURvPqizq/0M158pAAkoNo0IGLyLn2Pgl0JZsMwc
+oVVKrYhIttLHC1nwlmBeNA7XcfWeS7Dhdicwbao6Vfib1wid4KARbj8XC4bfsfil
+zEGTMyDYW14cA7bywv3QQk48ZJtVosKrzddyiAEwSlt/sduwO1BfIEjy6lmZv71M
+RDVAve4fO3rAu3S5o42bHIEZAzMyABq1oMHIEYvTXIDVT5c2MKCx5vqMNxuYLJUF
+w0cYT3ASVYvLUQA6gMW6Fo1F46yReSN5SgdMtg==
+-----END CERTIFICATE-----

certs/test-serial0/ee_serial0_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxLaoKl2zlHQLA
+QURNxb7S/YFEDgZ/iTAb6104BzIVeQcegBEBe8eGr/dDFJZQJzyrYWyayZRRB3p5
+Sn5kP5hsoHZcHp3+FmbSsdLW0cJBl6OmUMLBZQ7hwCMpJ/fQfrZ5vvAty3E4q0wx
+ATXMmrqoYCYoCB+VuV/uC6qiuRgJQT4/2IFKTcQnSyGVJu5vmZrN1NpCgpmRAwkA
+xiLQPGX3PGuBbreFumarcxoSfPvCiiP/kKRoXWMwKbTCeKCmEoUxN1oEMTAHcJ0m
+E6ruVeIdXwqtn3QDGS90mvMhO74pmbeHhjVjP1naxLl/9xgXfwOgfS9JtH0jgumM
+y6TyogX5AgMBAAECggEAAnzpE4zRwfCAQkyJdvvBEUYBtCjr5sJ0/gnxkK1Tnk3S
+ZC5EzJPxy2aKMlWtDAax4UZFCPsuDGYFUvrMpjswBjF3kJV6sV1TM1arAhhUsfZ9
+IaxmQJBa/MRKMhsgjZcaxglXnYQmcTuKHnFB49YadG3JEIWXZPMjD0PTkRd/Gr9t
+V2NCnFcDVB/LhPrK03ZFm0iZdkKyjvNRF6HqL65m+S52vpOYLeGEGWckR0g/hfCF
+MkpoSOtrj2CBzdKHHC35F5Rpplz0lxH0nNedsExOk6TEnrxNZJVtU22W6nxe4s7o
+H9kTmVl/qwjkWMPNgKDy/SFhW9AM3FJ1WL0AgC3KIQKBgQDmsSTooLWK44PDh16e
+kYvT0kYOaVke1eJIkDdx6+CYFP6QsOdB4/Fs7mWpWzGTWzOoHj6hZQZ3ZNLwoSrK
+zUfnFu/epu8x9LRJ/3mGJDwvUbFYqUShjaCqGz7cikRTe3DdCXDNyIefLfDouVLS
+Nu7GDq63ZivIAIgJ7pWl2RXImQKBgQDEnZ7Y9/ywbTpcGszNUL2ycQbJlRKo0CKs
+E74gWdH+HV9Pw1hzUaokkOOVWP05Tys1f6Pxzdjd1Rsx+qdu2kiP/X8HdyOTGJHX
+cmHdANLVB8xwvPVqJfYf2AE4sMR0v9T9tfTumMcsVklsmPVv4vOMP1uNozDGPY/N
+RJwNRDekYQKBgQCXvcWtTqibZvPw1UYjv1DeT93M9PauFbn2SQZvZNwirQyVWAeF
+i83t/RHZyCZf6wmbd+lyd+U8+5DUvu5K36SAGNJG/j8v+OnuEqF43rTH21BwJUcD
+jQk1Wx6KKlivIO8oNWGBunma9rkUG3Ki24dLt7Ss5gO+Vrsk7U55/MUbYQKBgQC+
+RUL5+VLicXHuvEjB0IcjbloBLnB2SaWkHR77M7ESV95q1EJ+puMeq9ByMUIs+b54
+8WL4mBps4tSEk2sAzeE25zzNPrCAo2BPvPOT6j4dxoRD/bkJ1l7PBjx4XihgS1yV
+gkbbt6HX+FDp9URf2KOUb6Pr96c10VGede0GsaOfQQKBgFY34rstr7y6TV+7z3GI
+OZOiZPwK0CV79Nz5YnzbyfLF4/OUVq4nmtQyJWyxGSKv8WRVwXsfxJS1aHg2X/ji
+DxbgXYcspSAqzVB8B0VuOhQniU/vcV7jz8eV0i/UArIEil5IJhgbCV54rrmP1S0a
+MXoHymWsugQICuHqmyCDyzhn
+-----END PRIVATE KEY-----

certs/test-serial0/generate_certs.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+#
+# Generate test certificates for serial number 0 testing (issue #8615)
+# This script creates certificates in the certs/test-serial0/ directory
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+echo "==================================================="
+echo "Generating serial 0 test certificates in: $SCRIPT_DIR"
+echo "==================================================="
+
+# 1. Create Root CA with serial number 0
+echo ""
+echo "[1/5] Creating Root CA with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout root_serial0_key.pem -out root_serial0.pem \
+    -days 3650 -nodes -subj "/CN=Test Root CA Serial 0/O=wolfSSL Test/C=US" \
+    -set_serial 0 \
+    -addext "basicConstraints=critical,CA:TRUE" \
+    -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo "   Root CA serial number:"
+openssl x509 -in root_serial0.pem -noout -serial
+
+# 2. Create normal Root CA (serial != 0)
+echo ""
+echo "[2/5] Creating normal Root CA with serial number 1..."
+openssl req -x509 -newkey rsa:2048 -keyout root_key.pem -out root.pem \
+    -days 3650 -nodes -subj "/CN=Test Root CA Normal/O=wolfSSL Test/C=US" \
+    -set_serial 1 \
+    -addext "basicConstraints=critical,CA:TRUE" \
+    -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo "   Root CA serial number:"
+openssl x509 -in root.pem -noout -serial
+
+# 3. Create end-entity cert with serial 0 signed by normal root
+echo ""
+echo "[3/5] Creating end-entity certificate with serial number 0..."
+openssl req -newkey rsa:2048 -keyout ee_serial0_key.pem -out ee_serial0.csr -nodes \
+    -subj "/CN=End Entity Serial 0/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_serial0.csr -CA root.pem -CAkey root_key.pem \
+    -out ee_serial0.pem -days 365 -set_serial 0 \
+    -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo "   End-entity cert serial number:"
+openssl x509 -in ee_serial0.pem -noout -serial
+
+# 4. Create normal end-entity cert signed by root CA with serial 0
+echo ""
+echo "[4/5] Creating normal end-entity certificate (signed by serial 0 root)..."
+openssl req -newkey rsa:2048 -keyout ee_normal_key.pem -out ee_normal.csr -nodes \
+    -subj "/CN=End Entity Normal/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_normal.csr -CA root_serial0.pem -CAkey root_serial0_key.pem \
+    -out ee_normal.pem -days 365 -set_serial 100 \
+    -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo "   Normal end-entity cert serial number:"
+openssl x509 -in ee_normal.pem -noout -serial
+
+# 5. Create self-signed non-CA certificate with serial 0
+echo ""
+echo "[5/5] Creating self-signed non-CA certificate with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout selfsigned_nonca_serial0_key.pem \
+    -out selfsigned_nonca_serial0.pem -days 365 -nodes \
+    -subj "/CN=Self-Signed Non-CA Serial 0/O=wolfSSL Test/C=US" \
+    -set_serial 0 \
+    -addext "basicConstraints=CA:FALSE" \
+    -addext "keyUsage=digitalSignature,keyEncipherment"
+
+echo "   Self-signed non-CA cert serial number:"
+openssl x509 -in selfsigned_nonca_serial0.pem -noout -serial
+
+echo ""
+echo "==================================================="
+echo "Certificate generation complete!"
+echo "==================================================="
+echo ""
+echo "Generated certificates in: $SCRIPT_DIR"
+echo "  - root_serial0.pem         (Root CA with serial 0)"
+echo "  - root.pem                 (Normal root CA)"
+echo "  - ee_serial0.pem           (End-entity with serial 0)"
+echo "  - ee_normal.pem            (Normal end-entity)"
+echo "  - selfsigned_nonca_serial0.pem (Self-signed non-CA with serial 0)"
+echo ""
+

certs/test-serial0/include.am

@@ -0,0 +1,20 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+dist_doc_DATA+= certs/test-serial0/README.md
+
+EXTRA_DIST+= certs/test-serial0/generate_certs.sh \
+             certs/test-serial0/root_serial0.pem \
+             certs/test-serial0/root_serial0_key.pem \
+             certs/test-serial0/root.pem \
+             certs/test-serial0/root_key.pem \
+             certs/test-serial0/ee_serial0.pem \
+             certs/test-serial0/ee_serial0.csr \
+             certs/test-serial0/ee_serial0_key.pem \
+             certs/test-serial0/ee_normal.pem \
+             certs/test-serial0/ee_normal.csr \
+             certs/test-serial0/ee_normal_key.pem \
+             certs/test-serial0/selfsigned_nonca_serial0.pem \
+             certs/test-serial0/selfsigned_nonca_serial0_key.pem
+

certs/test-serial0/root.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0
+IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT
+AlVTMB4XDTI2MDEyMDIyMjA1NFoXDTM2MDExODIyMjA1NFowQjEcMBoGA1UEAwwT
+VGVzdCBSb290IENBIE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD
+VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsKPjfQf+g/
+/3mo5V0NFhHpIuSN3FKHzA/U22iZ/2w2YE5i/B5Yu161M9hrhObGuhqfo1KiP6+O
++vyR/aVZ5Opigjs1/oajQF98HvoTUBFZaG+jCiicGpIV5+RSok4UB25F4y+wygRP
+RCKB9tqojUnKWbzwAS91iOT4or6iogScUEI2m/AiYl+OwXq0xAp9remgZgk43Wb0
+2X6N1aOFSpuqGSp0aG8XjUqj2mGZGfxQXuEUGk6Vtcohng9Ocof7KQwr3oyLWcOl
+XDXFsAVcHfinQ9ik01zXtqZy5jikdynWF+tPXu98SIb169x0HV42wt0dJkATxTf9
+81m/Aw1nbH8CAwEAAaNjMGEwHQYDVR0OBBYEFIk+zsSQNF90IoQqj1uz7t/t9sNW
+MB8GA1UdIwQYMBaAFIk+zsSQNF90IoQqj1uz7t/t9sNWMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAqCSPxGXj7Bgs/
+qxjRk1ouwOd3m6F+bop8bgsc2smlGw9ZBNff13ElkWX8TtkvynSa1bVYcWIiinYj
+QWpQFeyd271MQYTNq8OzvKw4o2i/0vaom1csDCJeY72/Vk7RGAUPfVfuZhXgA4xq
+6VLRgCGdI8LW7x2/lCx1WzDTo87PvnUbxJ2DaMfAINzxSz2rvew0qGYM4zXndMLt
+8YQUhqJ5CgZznX3Oq0YCI5fWrHWky+IZSoxa4WBf/0wQ2HLXv1go60TQBkiyQFC5
+FEoXl6Ffh7RrfHbzMLs+hjqEzVqR3btc6yN7gsCALfvaCe+aqmCdv0511W0yJuXX
+aLSFNxev
+-----END CERTIFICATE-----

certs/test-serial0/root_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCrCj430H/oP/95
+qOVdDRYR6SLkjdxSh8wP1Ntomf9sNmBOYvweWLtetTPYa4Tmxroan6NSoj+vjvr8
+kf2lWeTqYoI7Nf6Go0BffB76E1ARWWhvowoonBqSFefkUqJOFAduReMvsMoET0Qi
+gfbaqI1Jylm88AEvdYjk+KK+oqIEnFBCNpvwImJfjsF6tMQKfa3poGYJON1m9Nl+
+jdWjhUqbqhkqdGhvF41Ko9phmRn8UF7hFBpOlbXKIZ4PTnKH+ykMK96Mi1nDpVw1
+xbAFXB34p0PYpNNc17amcuY4pHcp1hfrT17vfEiG9evcdB1eNsLdHSZAE8U3/fNZ
+vwMNZ2x/AgMBAAECggEAN/1m56N/s3n7ugoxZxgJEPzl+LZ9mKCuisItvtymkfhs
+50wc5xw53eNoYOC1hUwpkNyQPNUzDte5zqNFynKWbqmnoxVmSBG52WgKxec7jypa
+9yyCf0+2nPrByerJCdEhq5YCLFLtlqKSFc/AjMyfT7gHT0Orx6rskLPZppkbe3Fc
+QHOaCS8ptRWidbLapoVf37gAcdhzG7IyDY8lPlkew0A0oKo2Gw8cfBWeFxI3sILN
+TBNkfF2B+VA6O74Kxo+br+/Z/mUesNSPyvNBho9GDXV+eKrnCHwroTN8eMQnR0zz
+gG7kgmtiBuM4jGio5O4YAea5frpS/RpFsPoKtXZI1QKBgQDpN1QV9KYm73p9Fsx+
+o3lR2QR55e50GZhBNKxhNEFAfK/Heu9W2HCENENvk5YPbKhaEo88oggTaQ2S9Etx
+h4ldGZVcZh1i0Itxudri1smeHDk200Dls6xYXOa58QVA3jvHLWX7TUuXVJEpb3hP
+n9kJJaKbfz0JHfZyQXFRQmOxLQKBgQC7v+gt/hif4pH16pItiEkLxiZk+6UvQOBa
+jSGpWcO4ERajFKh1RxgRetNaCXONaEpId5GJrRQQo+lSzdPDBYkFWAETMK82S58g
+SfEuCuPBIW/GpshjWWiCshz4Iu7ebcaKaI1AOaqP9fgO/COEsi1KgNLhs7uY11b/
+OjtJNUUn2wKBgQCt3s4VwFvPU2NitwimsYHVf5JSvxXUAPD+TCLoJWkwhsUWV5Tw
+jlT0e3J7UPDjdwLchFG9xp92uS+hi/hjH8VNX7F3PbpS3V/Y3dNOowuVkT0mnsEX
+f6jSCBEMN6DPB+BRUothm/LrU+UVm0F7O5U3uJNOksISdgAylo/BIVnp0QKBgGHa
+Qnt+HH1wS9yctjUu+8s8KhSlp1E6gfQP7IRkOYK8vUyf3rDJLf0mQ/OAS45e1aBx
+WRQldfi6RUgX6I+TWffEB0NmM1ucDEJ650209UFaWPRzRqupFLRRepHFOzQIiNro
+ZP4dUA0aCIBe33AwoTRccgyabWLakQgS5IViUznTAoGBAKp+mVnVe3Bjcake7BxY
+PZ84h+mPH/yluBrw8cZ9btwvLPOh4dY1OmzYp5AOyD5Ny5OgwbhEFd94ICc1l4aM
+jISMlENBFUQNGdCTIw6at7dDoDfNLBdj5ILk84sp7SsNzsJj2wjMUf1IWNGdk31U
+/vS6RGDW8wnle1OiFKlJgFEf
+-----END PRIVATE KEY-----

certs/test-serial0/root_serial0.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0
+IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE
+BhMCVVMwHhcNMjYwMTIwMjIyMDU0WhcNMzYwMTE4MjIyMDU0WjBEMR4wHAYDVQQD
+DBVUZXN0IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDEL
+MAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Nc+B
+5JeYF9oGKWArnr6uxFavqB5ByRZn4Bs6RXAldeekhlNMMLwUjLMoXV8bMshqMYwg
+Wv2YufEhBs0jbUVYtl6pVd9QpFSSBuRDa9hHDgNkHLteuqVGeAfTPOUSvjrhqOqa
+st605Bi+IhM3uGxxI4SxqpS8AiywMWXsWD2a4yp68gpKNq7h7eByCcDgImPeyC6i
+fmdoiTNSFOChGNaFI7eWuY+n7xjOQUsUbwqP/Ogv2a0lmHK4jzjEHi4yvh2neat1
+9Q9+FnL36Qq0SRiFIBflrWX5liYOdlmhuByuSc5kxSEAVIT3lSbjgolU+kFbH8n+
+k5BsYE8qGX2Gmq3FAgMBAAGjYzBhMB0GA1UdDgQWBBRt0+yEMO1FSR8j934e0GuP
+tvjJETAfBgNVHSMEGDAWgBRt0+yEMO1FSR8j934e0GuPtvjJETAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEALgjZlkoY
+ZkzpusX9iKJCqiBPTAeDtUFyw2ZqSV8jwWH2Miz7OHg52SFHii5Hkgb9iv3nJ3UD
+J7qAb7sHCKhs5fiebz+9e/xQsS1U+wvmuxD3CBlSoGFwP8VmrY3G2BHU/laTZeuq
+p4Nv0tNrG8mE/MYjkSFyw/8ZHXaWQV6fO0RMWMUDM1fDJhOewxmt+KaDfx9EHKR0
+hLkT9HjoJv+3DupORmleUU05TRhprWiL5azFxN/iUQ2Me+FQdJZTxv7Uy1MO8C4c
++X6fhA+SB8k0kNbIeaezw9+V5xKrV128yBymG1GUVhN2E95TqBfWGdtvjEtZHner
+Uc3vhbTbplj7tg==
+-----END CERTIFICATE-----