Allow serial number 0 for root CA certificates

certs/include.am

@@ -146,6 +146,7 @@ include certs/ocsp/include.am
 include certs/statickeys/include.am
 include certs/test/include.am
 include certs/test-pathlen/include.am
+include certs/test-serial0/include.am
 include certs/intermediate/include.am
 include certs/falcon/include.am
 include certs/rsapss/include.am

certs/test-serial0/README.md

@@ -0,0 +1,66 @@
+# Serial Number 0 Test Certificates
+
+This directory contains test certificates for testing wolfSSL's handling of serial number 0 in certificates, specifically for issue #8615.
+
+## Background
+
+RFC 5280 section 4.1.2.2 requires certificate serial numbers to be positive non-zero integers. However, some legacy root CA certificates in real-world trust stores have serial number 0. Since root CAs are explicitly trusted by configuration (not by chain validation), wolfSSL allows serial 0 specifically for self-signed CA certificates (root CAs) while still enforcing RFC 5280 compliance for other certificate types.
+
+## Test Certificates
+
+This directory contains the following test certificates:
+
+### 1. root_serial0.pem
+- **Type**: Root CA (self-signed, CA:TRUE)
+- **Serial Number**: 0
+- **Expected Behavior**: Should be accepted by wolfSSL
+- **Purpose**: Tests that legacy root CAs with serial 0 can be loaded
+
+### 2. root.pem
+- **Type**: Root CA (self-signed, CA:TRUE)
+- **Serial Number**: 1
+- **Expected Behavior**: Should be accepted by wolfSSL
+- **Purpose**: Normal root CA for signing test certificates
+
+### 3. ee_serial0.pem
+- **Type**: End-entity certificate (CA:FALSE)
+- **Serial Number**: 0
+- **Signed By**: root.pem (serial 1)
+- **Expected Behavior**: Should be rejected by wolfSSL
+- **Purpose**: Tests that end-entity certs with serial 0 are still rejected
+
+### 4. ee_normal.pem
+- **Type**: End-entity certificate (CA:FALSE)
+- **Serial Number**: 100
+- **Signed By**: root_serial0.pem (serial 0)
+- **Expected Behavior**: Should be accepted by wolfSSL
+- **Purpose**: Tests that normal certificates signed by a serial 0 root CA work correctly
+
+### 5. selfsigned_nonca_serial0.pem
+- **Type**: Self-signed certificate (CA:FALSE)
+- **Serial Number**: 0
+- **Expected Behavior**: Should be rejected by wolfSSL
+- **Purpose**: Tests that self-signed non-CA certs with serial 0 are rejected (only root CAs get the exception)
+
+## Regenerating Certificates
+
+To regenerate all test certificates:
+
+```bash
+cd certs/test-serial0
+./generate_certs.sh
+```
+
+Requirements:
+- OpenSSL command-line tool
+
+## Unit Tests
+
+These certificates are used by the `test_SerialNumber0_RootCA()` function in `tests/api/test_asn.c`.
+
+## Related Issues
+
+- GitHub Issue: https://github.com/wolfSSL/wolfssl/issues/8615
+- RFC 5280 Section 4.1.2.2: Certificate Serial Number Requirements
+- RFC Errata 3200: Clarification that serial numbers must be non-zero
+

certs/test-serial0/ee_normal.csr

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIChTCCAW0CAQAwQDEaMBgGA1UEAwwRRW5kIEVudGl0eSBOb3JtYWwxFTATBgNV
+BAoMDHdvbGZTU0wgVGVzdDELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDGmfUlMQyqetJsIs9jEX5KljUwq1T9Tg743KhWAFDTpR5T
+rx0wsUBTnalsY+FdEzQXf0WJ4jLxBZjhiFlUJsVRF24hqME7WjaeJr3+x+8+B550
+81GiBL1B50dVszgyHPTQlhEy/RF3ZUkc+e7ntbmHj7z9es84wBgRhWufV78RcF0L
+PwqY5rMOZCxIc9+J7pXZj3eebhXnEar/NwgMfBziKwZ23OFnr0WpYsg/zZxmr1Qr
+AExT718RrZ6M5I2T6okgv9vY85oPrut8Gc6C8bFpAg/Z7FpnUaFNfnXzsuG0Lrg8
+k/STG6jR1rK/dFy1H9egpnFyhpdZZN3IkIIbA7XZAgMBAAGgADANBgkqhkiG9w0B
+AQsFAAOCAQEAmx7S7a3tM4oJMgf9pI6VE+n1pTMhJ1izGs9+7aDU7Vw0/cSIn62X
+NpMN59cYU8PEKmEDMhG11AzaajnoHYNV+a3V84is5gmUW3Gnj5a39nD4l7VRcWXk
+1SsGxa4XCrss7SA+wydnbx/bH/t3FTkA7eX2v9Ad+z7gdcyxnSK+c1x0hDj5omHA
+g0YpoHgNoS+kUG3oxc0ajzghyiiQCJKPTF2rNyzqFaWL48O49ZRpZHxacZhDAscN
+ks/UU8T9s8f39/PthXDUvSqwYaqgOU+isgc4BVnLaDfeycpDG9P6LCM/LB8htecJ
+9T4+O5ZhbfYWZA+MRawStYwtapWT37vL2Q==
+-----END CERTIFICATE REQUEST-----

certs/test-serial0/ee_normal.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAmCgAwIBAgIBZDANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0
+IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE
+BhMCVVMwHhcNMjUxMjE5MjM0MDE4WhcNMjYxMjE5MjM0MDE4WjBAMRowGAYDVQQD
+DBFFbmQgRW50aXR5IE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD
+VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMaZ9SUxDKp6
+0mwiz2MRfkqWNTCrVP1ODvjcqFYAUNOlHlOvHTCxQFOdqWxj4V0TNBd/RYniMvEF
+mOGIWVQmxVEXbiGowTtaNp4mvf7H7z4HnnTzUaIEvUHnR1WzODIc9NCWETL9EXdl
+SRz57ue1uYePvP16zzjAGBGFa59XvxFwXQs/Cpjmsw5kLEhz34nuldmPd55uFecR
+qv83CAx8HOIrBnbc4WevRaliyD/NnGavVCsATFPvXxGtnozkjZPqiSC/29jzmg+u
+63wZzoLxsWkCD9nsWmdRoU1+dfOy4bQuuDyT9JMbqNHWsr90XLUf16CmcXKGl1lk
+3ciQghsDtdkCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQOtYl8IbuhwNvuxtw/
+E0EiPBLdITAfBgNVHSMEGDAWgBTKbzmfzfMDi8bSxDKvXPrVlJO7QTANBgkqhkiG
+9w0BAQsFAAOCAQEAp2KWiroy9OFUFghTBWquc5oQUVS5f1IYfVt4Gas0Vz9Sokwm
+xl+TiXJAA9mV8RSxxkIokGcOsyycwzwyq9IeGhq1ovEgNNJM5OVjkdX5CjjnWs+i
+Kum+TEWAawWnTDSRyhxjcbdAu+5TtF+Wk9UwO6hEOEaTUzpgEaGLgiqyJSV3XEpp
+y9BQTQ4wwmLv3qzZR8P6O+pRxMIHKu/kkD/2gxlKyonH+PikbR+d1DNP/Hwn92q7
+qs8o7udsluxfHsO8JCiqtRDuHyHPpTTSQIBX1MqIn57dEY67HSIfyXXOsq+ygW/I
+coAv4SxQ5arEXmaZXOkcR8Z36FhIw1XO+qBGfg==
+-----END CERTIFICATE-----

certs/test-serial0/ee_normal_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDGmfUlMQyqetJs
+Is9jEX5KljUwq1T9Tg743KhWAFDTpR5Trx0wsUBTnalsY+FdEzQXf0WJ4jLxBZjh
+iFlUJsVRF24hqME7WjaeJr3+x+8+B55081GiBL1B50dVszgyHPTQlhEy/RF3ZUkc
++e7ntbmHj7z9es84wBgRhWufV78RcF0LPwqY5rMOZCxIc9+J7pXZj3eebhXnEar/
+NwgMfBziKwZ23OFnr0WpYsg/zZxmr1QrAExT718RrZ6M5I2T6okgv9vY85oPrut8
+Gc6C8bFpAg/Z7FpnUaFNfnXzsuG0Lrg8k/STG6jR1rK/dFy1H9egpnFyhpdZZN3I
+kIIbA7XZAgMBAAECggEAEVCl92lN2zqHHbIb67LAPzIruVkOuWD0sYzSHmFmVUrY
+QzU0HHqFCw/mur0AjolYlCiJVbVYz1EMxwkIuhYBQ7SBFRfYn7CaAh2K7hYyDRyZ
+RkVahiosnVIpPYG5HLa6lMmoqTiNgnUxs9WJ7JNtoAc6U81BGN0NRtB06s5kfwQU
+f4cJ0eW9FoAgLorxCQTdfWDecV26wEy7AylEPZwavs7oDjxeIMSmE0X7kaAzXXab
+LYrjLY8d2ySQLPOO+0fwCnKqxPAIS11iZOXkyEb1sEurSH/k4F6SPI44qpr3sUP+
+W9FSXdFe0d9FXNLAEsUcx1ZlQhTcXatwmTfrsuvgiwKBgQD8VCLCpjmRAYLAWNWd
+k8lXXc4XZHKVdW3mSFBoiVTaTTdMncm55VrCaPTizZcjQSP1lsvTaIskjzh/aJ5A
+ZoKN7b0d9uI4voSdT72qdjV//CSTwHcxqngxidYhVncTVHGW2SxWCQpCdnkB9Ljt
+ONRSSo1eSC7iejKDB1gCyB6hhwKBgQDJfbNX0ZnnzW3dd9Z9dl7HZk0BtdlbLlSn
+XZKPpHjDpHKA8tNLAJqfUS7m70rOlk8K6Ls9Lw/BWWQmNH95Syyd99xXw32q2gwJ
+U9OQZkOg1TBriXdOy0GMPR1Hva4pTL+p6cUdtTuoiSqDsWQFXCXJX2yZbX9vSHqS
+wnOxquxFnwKBgQCQroWH6twTQzR/qfBCfFz0VXs4eoYhIMY1Rr2kUypuSdwteEQU
+7WfPFXNlINFKi61cwmx4+fberaiNlaU39A9j5i+MIOWx97v+n5x3Q3SFwEQQ3Ej8
+F2z3qrs3PmbklITVJA2B/4j8dwYHkxT+IJnN3aWVq/oGLl8MNofGgIzfvQKBgQCJ
+qxMgi5umn9vTGBA7ROdZQnKXGpLaE/vPJsX+0xeYRQHfTQpFErKS7DspmpH4OQbk
+o0NbeI5BQzyERhZa35wqirHIXU+9rqHOtbG11cmbWE5vC0uzUHkGwrMA037txPyn
+sYv20l9iteWQeWGnr+A5iLOA2Sna9SCaqbW2zNwGbQKBgQCJ9FzkJZTNn5xmFmhH
+JaCwl+BUKFIITN9xgoB7G2Fd5s8dMRhATnSxWHxoYh+VMIDZmJVItatSMN84ATN+
+xis5DbQdKvCDcBhuDc9U46UhmQvvg5PpHBAdDVg2VGY6n7ZTydOSTEJJIjINxzDD
+ditcotkx/ZONY00aSgx/FtmmkA==
+-----END PRIVATE KEY-----

certs/test-serial0/ee_serial0.csr

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIChzCCAW8CAQAwQjEcMBoGA1UEAwwTRW5kIEVudGl0eSBTZXJpYWwgMDEVMBMG
+A1UECgwMd29sZlNTTCBUZXN0MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBANUOzExpAy8FaTQVU4yj2FxAY93lRLhNe9R9CW9LBKZD
+6R3tg+EltRK5i4798RnZfXwanU2LeCFi21a7q7FL29gaeTxxP1CrB59lubdvlqIK
+82TAubWHBhoPt0dPR5bTsBPtwoqn8ZPAJPTBqFkzpkX8ASNIakvPH546RX+6WHbJ
+a175fxyKMRo6V9UKWjA/sqQkhIOA3Drl6x4d7haa35NquZm/OeIQnEqu2XWTdWcx
+iMqKquTNyJ2izZ4WRa65QzVMPLQrlh47xtPUC5Hu17sgW2FYY1GiOmTO3iKAXZsn
+yt+9UWJru8NuvWkxIZdwOABLJm8K25XW8GvZUvoan7cCAwEAAaAAMA0GCSqGSIb3
+DQEBCwUAA4IBAQC/GAHuVZz2p/Tkk7QXrIbovWvw2g1gusPDJrL27471ZwFUnTyA
+y5NZDGRSMazZCylclRBIATEEEiTobR32+3NaT/r01wMBW/9R5uh7MpDAJjA9jS/8
+zE92TwwT9H8RHnkbJXzxKPbnRZF/Nl5FE0DzH7YlHY9PKAbkeN3l3M5zy8yxoon+
+1g2QiEVHiGWPshtpbqpKuxbgwSJ8bP6BdZ51fwmgSCqzaei+OCXrGKKHJqdHpwRd
+iX7tp4PtcCWiifwvb1d/az5X/CGBfK6qar8jYNa5dGLXQn2pilAxoddRSDIrrNnN
+pT3R8Djb1CQGFtS7RUdtmA5FRqlY3cAFI4o6
+-----END CERTIFICATE REQUEST-----

certs/test-serial0/ee_serial0.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAmCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0
+IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT
+AlVTMB4XDTI1MTIxOTIzNDAxOFoXDTI2MTIxOTIzNDAxOFowQjEcMBoGA1UEAwwT
+RW5kIEVudGl0eSBTZXJpYWwgMDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD
+VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANUOzExpAy8F
+aTQVU4yj2FxAY93lRLhNe9R9CW9LBKZD6R3tg+EltRK5i4798RnZfXwanU2LeCFi
+21a7q7FL29gaeTxxP1CrB59lubdvlqIK82TAubWHBhoPt0dPR5bTsBPtwoqn8ZPA
+JPTBqFkzpkX8ASNIakvPH546RX+6WHbJa175fxyKMRo6V9UKWjA/sqQkhIOA3Drl
+6x4d7haa35NquZm/OeIQnEqu2XWTdWcxiMqKquTNyJ2izZ4WRa65QzVMPLQrlh47
+xtPUC5Hu17sgW2FYY1GiOmTO3iKAXZsnyt+9UWJru8NuvWkxIZdwOABLJm8K25XW
+8GvZUvoan7cCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQx+Na6kBfWYPpaWckA
+enIUHRBTpjAfBgNVHSMEGDAWgBSHt8mJk7i7mgilD+S1x772GmpVEzANBgkqhkiG
+9w0BAQsFAAOCAQEAToFw7Pq59wHF05exYFlSC8R5TRQy9C4fZH55J5urGZ76pOFw
+7jyxke2QacP0/3bE3/cJOFPjGm4pu060+lI9sVu0S4ztiRjaNhbHm2vbpZ7ZLXrL
+2ytMG4S17rbkCw/nPbNEi4aleB/QPI8g2oVDmxO9ZR8dGhh9CBsNsfy5iHo+clV3
+NAim9bhd3otyJRJcEfTUBe2n+DIu87B4s+/8d7NWZm/0s3p+tDZ8b9cvJcakN4Ty
+uN42s7goJ+fBQhPyPvxn/DT6wQY0rfEtsPGF4DFliKdnOlrHkctA9mC3ysGWbNa4
+m/t6/U2WeTZPSgJad/OHsXHP+/Ke7dEiXHZsCw==
+-----END CERTIFICATE-----

certs/test-serial0/ee_serial0_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDVDsxMaQMvBWk0
+FVOMo9hcQGPd5US4TXvUfQlvSwSmQ+kd7YPhJbUSuYuO/fEZ2X18Gp1Ni3ghYttW
+u6uxS9vYGnk8cT9QqwefZbm3b5aiCvNkwLm1hwYaD7dHT0eW07AT7cKKp/GTwCT0
+wahZM6ZF/AEjSGpLzx+eOkV/ulh2yWte+X8cijEaOlfVClowP7KkJISDgNw65ese
+He4Wmt+TarmZvzniEJxKrtl1k3VnMYjKiqrkzcidos2eFkWuuUM1TDy0K5YeO8bT
+1AuR7te7IFthWGNRojpkzt4igF2bJ8rfvVFia7vDbr1pMSGXcDgASyZvCtuV1vBr
+2VL6Gp+3AgMBAAECggEAFfkjutGtwWC2e+ejKUMQolsFsbHeh39+QOjwWykKfrdM
+SIjhbAv+g8LdEM9B2V+j4HPCO2gh6JeQdX5/c5aWQtBgJoqrc/9fluHf6Ho6t9WX
+SpHR1VXqnC94wIL9qCGG7Fc+FBzD/m/3n8KFQUXhZSBbYa8rP0xKP4BVAJpQW1e0
+WkMxy57kMdZYAgFsGK3vdnaZyBFtIePj1WDplRwR4wCFWq920MWWv5WyG2OyIXiP
+BG7o8qhEyU+bPKbIWfaLtIrZHwNk38HoDoluoKx3/W9rEY0jS/Qgwk+Z5Dd4/ufS
+C+sf82bh5mlOvCsBt5LTfuIhjXH0QVSWYqiQW5Zk8QKBgQD3G/iQo+yK+7hGiELm
+YasBftSJ3kW2J19BWzWsH31P6QzpwldHXDgJo3pITpoBnNvWgfa5y+/D7aN9WrMs
+JY3DZO9eyUHw4j2tC0c9HCORObgWYdwQ274UCV6y2o815ty+B/4Vla1ENt2TPWHa
+8TCgaBjGH8Px187zJRoKmFdOeQKBgQDcuTEuwLRhky6O4bBh41XZ7CfvfBco1EXx
+yk12WJ63bpVmRlmciWQWEwUVOHr3cGRzCCeQ1Y3uz7jYMDit3ZkfkbIjHwwxLaVn
+TC+9hptp4oEidO30Qsf7PQKzkE7jg6FVCw/MsPMj6LXI45dM6i0k6zIrmmcUpPaw
+6QHnriETrwKBgAJ7I2nAW5WhpV3/7DwH6wGe1l9z/dswVgJ/+e/6ePWeb2TBcMLk
+qCNgos+rClzNyF9E+scuxv9+mU+e44Gj9uJpVwXqm2DhxKDCJjr0116T58dBwEXj
+DuuAlJTTIPD3mmvGBMUOtaijrGHYEe1y0nwpz2Xd18fL1OYYD0Tf9rBxAoGAT3dR
+UL7KcpLV4VU59pQtdY8DdcJcaDO8lue56dDQG8Rxf2f2nVgNs7DXVKOICgvp7kxS
+Sl/IgOFCcHsz/MzaczY2R1THQ/FmKoGQcpDC5WVKDsjAXv+oFjkJ/vIGpPzgGcko
+wA45C4Wd5RyjfWqWJEOVRYOKdzFJK7pIGExl1jsCgYAzQksueSZmOaekeuSDcOxz
+VVAalQcH7Z6mtoPu8NGRtdnQt4fdKWzEEZ1B4jPk2TqgYqsu7DPo/N46Go/96fAY
+w4w/OaamuD+Pv3bPkpgArBlcz954/JCzkNwVO1dgbg4KYSxuYWfYGV41c1R5lvYT
+wK6SetMgDcNc9rp6OG81xg==
+-----END PRIVATE KEY-----

certs/test-serial0/generate_certs.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+#
+# Generate test certificates for serial number 0 testing (issue #8615)
+# This script creates certificates in the certs/test-serial0/ directory
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+echo "==================================================="
+echo "Generating serial 0 test certificates in: $SCRIPT_DIR"
+echo "==================================================="
+
+# 1. Create Root CA with serial number 0
+echo ""
+echo "[1/5] Creating Root CA with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout root_serial0_key.pem -out root_serial0.pem \
+    -days 3650 -nodes -subj "/CN=Test Root CA Serial 0/O=wolfSSL Test/C=US" \
+    -set_serial 0 \
+    -addext "basicConstraints=critical,CA:TRUE" \
+    -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo "   Root CA serial number:"
+openssl x509 -in root_serial0.pem -noout -serial
+
+# 2. Create normal Root CA (serial != 0)
+echo ""
+echo "[2/5] Creating normal Root CA with serial number 1..."
+openssl req -x509 -newkey rsa:2048 -keyout root_key.pem -out root.pem \
+    -days 3650 -nodes -subj "/CN=Test Root CA Normal/O=wolfSSL Test/C=US" \
+    -set_serial 1 \
+    -addext "basicConstraints=critical,CA:TRUE" \
+    -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo "   Root CA serial number:"
+openssl x509 -in root.pem -noout -serial
+
+# 3. Create end-entity cert with serial 0 signed by normal root
+echo ""
+echo "[3/5] Creating end-entity certificate with serial number 0..."
+openssl req -newkey rsa:2048 -keyout ee_serial0_key.pem -out ee_serial0.csr -nodes \
+    -subj "/CN=End Entity Serial 0/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_serial0.csr -CA root.pem -CAkey root_key.pem \
+    -out ee_serial0.pem -days 365 -set_serial 0 \
+    -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo "   End-entity cert serial number:"
+openssl x509 -in ee_serial0.pem -noout -serial
+
+# 4. Create normal end-entity cert signed by root CA with serial 0
+echo ""
+echo "[4/5] Creating normal end-entity certificate (signed by serial 0 root)..."
+openssl req -newkey rsa:2048 -keyout ee_normal_key.pem -out ee_normal.csr -nodes \
+    -subj "/CN=End Entity Normal/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_normal.csr -CA root_serial0.pem -CAkey root_serial0_key.pem \
+    -out ee_normal.pem -days 365 -set_serial 100 \
+    -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo "   Normal end-entity cert serial number:"
+openssl x509 -in ee_normal.pem -noout -serial
+
+# 5. Create self-signed non-CA certificate with serial 0
+echo ""
+echo "[5/5] Creating self-signed non-CA certificate with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout selfsigned_nonca_serial0_key.pem \
+    -out selfsigned_nonca_serial0.pem -days 365 -nodes \
+    -subj "/CN=Self-Signed Non-CA Serial 0/O=wolfSSL Test/C=US" \
+    -set_serial 0 \
+    -addext "basicConstraints=CA:FALSE" \
+    -addext "keyUsage=digitalSignature,keyEncipherment"
+
+echo "   Self-signed non-CA cert serial number:"
+openssl x509 -in selfsigned_nonca_serial0.pem -noout -serial
+
+echo ""
+echo "==================================================="
+echo "Certificate generation complete!"
+echo "==================================================="
+echo ""
+echo "Generated certificates in: $SCRIPT_DIR"
+echo "  - root_serial0.pem         (Root CA with serial 0)"
+echo "  - root.pem                 (Normal root CA)"
+echo "  - ee_serial0.pem           (End-entity with serial 0)"
+echo "  - ee_normal.pem            (Normal end-entity)"
+echo "  - selfsigned_nonca_serial0.pem (Self-signed non-CA with serial 0)"
+echo ""
+

certs/test-serial0/include.am

@@ -0,0 +1,13 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+dist_doc_DATA+= certs/test-serial0/README.md
+
+EXTRA_DIST+= certs/test-serial0/generate_certs.sh \
+             certs/test-serial0/root_serial0.pem \
+             certs/test-serial0/root.pem \
+             certs/test-serial0/ee_serial0.pem \
+             certs/test-serial0/ee_normal.pem \
+             certs/test-serial0/selfsigned_nonca_serial0.pem
+

certs/test-serial0/root.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0
+IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT
+AlVTMB4XDTI1MTIxOTIzNDAxN1oXDTM1MTIxNzIzNDAxN1owQjEcMBoGA1UEAwwT
+VGVzdCBSb290IENBIE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD
+VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMKVS5W8y81i
+YOYfBB60Zf/RxDy3Y7Sck1TyD6YbR4LOhvR+Wirbg09C0Yg+yrERzF2GlkugwT+j
+SSlSljgzoieWIVxTdAfHCje7JwZA17/6YAthUFpqpzSzGLcAFpWvtFSCwTd+1CTw
+suME5AL7qXF3jrhDJ9+VgfQJIlvbMnY1kLBG62ceG659q5WfHxWOOXXU/6dUOC6+
+DAW6njh9AKvQJM/J3yV2U8XJD31DnQyk3GnA1vSp3fiFF1F20kcHALwP6i7mm7Nl
+sjs3mBmNH+gPRdfsKuuDH99bKi1utophWtkhgmHHTsR9woTZOSUlJwAVE4Eh0hLG
+vVjvdEkR9rsCAwEAAaNjMGEwHQYDVR0OBBYEFIe3yYmTuLuaCKUP5LXHvvYaalUT
+MB8GA1UdIwQYMBaAFIe3yYmTuLuaCKUP5LXHvvYaalUTMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBEIi3qHMBYUhwf
+qsADCG8cseg+ay81gypC5UGsvoSCY6vFXKFHJrN40IDOw0j4aOHrLnVIps8JqJ1g
+w6IbM+sOU90fN45O32a/hvBIvC2YjkOen1ubzSRmJShGJPCTMN/ukHUr52G2Uvdl
+N9STaYzE2kQE/tcK6FiD/uHosN+WqfPE7YfqbV4PtVR8UCzGTHYUtAe8T0xGdvz1
+NR1cZy9lhaRAcOx1G28rGo6pIGqMg/OKdY49RwshC7WnBAwJT4kvp7fAO57DRx+z
+UTk+Mzgw/51jQo6/6glSs7Ry8yjwaEI51JkF/afz63ugMBh+HDa9YT7/k1mHdgNf
+BM6gjMgs
+-----END CERTIFICATE-----

certs/test-serial0/root_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDClUuVvMvNYmDm
+HwQetGX/0cQ8t2O0nJNU8g+mG0eCzob0floq24NPQtGIPsqxEcxdhpZLoME/o0kp
+UpY4M6InliFcU3QHxwo3uycGQNe/+mALYVBaaqc0sxi3ABaVr7RUgsE3ftQk8LLj
+BOQC+6lxd464QyfflYH0CSJb2zJ2NZCwRutnHhuufauVnx8Vjjl11P+nVDguvgwF
+up44fQCr0CTPyd8ldlPFyQ99Q50MpNxpwNb0qd34hRdRdtJHBwC8D+ou5puzZbI7
+N5gZjR/oD0XX7Crrgx/fWyotbraKYVrZIYJhx07EfcKE2TklJScAFROBIdISxr1Y
+73RJEfa7AgMBAAECggEAOUA5AYEPi8n2za5xhWE5o5fB/8VLikAJX1RrQ0nCdBu0
+/GnSuMpma6MyyD4FYCzm7tujC/Rr93/hDk300etrOe+DuEj7mjA3cudXV5EriZou
+uRp0TG4V7T0GuA1IF9mfGsBv/haMb6P8VixBtBj8pVxyeweTS0cPedBYMiOfyMR9
+geRGv/In9pyud/JnesUGKLh9HwxRaR2iSUuLMuvPSnDzQIrELZMDn5UkMJOtYWFB
+ER/8sMK9Ns47dmRM2tK1F6Di0OP0rNcg7J/ThCoJ1HWAKC46txsk8VsxQYLGM1IY
+Um3G4aK+tpiistd2gzPOe4QYN+Tc+eaoi6JR2UrMOQKBgQDkwSNtzjSZulAF0hQv
+NlQqkRIdnM/VM+Kcykb6uNjlWuSyFKKFL59Nei3Qj0K31IhU1icBCGvPhgx0fUMG
+QrbtXFpnO7ZFJtNhMyA5Yvdzw/KxW4+izy/ZxCBTLJKzCo+riCz4lN2Yfz3MVn8g
+MtIczyThPGkNyO1Pa+TPQTJmcwKBgQDZwkEfFJoXEBiu5W6gVNkW0PiTCkCeTk3/
+M4PGrLGqZd+GA9WiCGJlfCrl9K01eTyKGBIsojOU73LB+uYzTgI2HQrdkfnq7yny
+uFty63u5WCgs4cK2yR426xTjWq+266AQFIN8kK0/RUdF4QCNAyeLU0hyhpxiPwi0
++78yHBdUmQKBgQCoqaL2tkBgTFfuQrvxJ4ydKgOCY/l1SGFAm4AEIsCBMyhGCSLf
+MoKxfHFFQiu+IO04KAHwKAZdp4eNaEI/3nbDwgFB9mvoxry6ARk0Vrz+1S4fCNR6
+BWtRk+MFkGrFqfbOUYRe8FwGsWKeQ/RNiEsVRMH7dDA9IrWehn3ZNkfz8wKBgQDC
+3LgVrgPt23ObHqiORR828a1fN293ui7Fzj1/zg32o88QR+Ima0ZR9nkU6o0NKv5n
+vP6WfleWUWfp+jGBe68y6W5NtFFmULrC/wKmpd9DjoX1E9mAZBzrnBZHFWHkWJoV
+iaXYFEdUNRSAjcZGaao7XT2ZbqgGqs2J1zXTC5w9EQKBgHA0sgxTh+M+jV8kBDZo
+c1J3pF/bWMUp8DePNbwsaz6Qu9vGe7e25xJZO8PtSzHVzgahz980Y4HJzOu7pRCM
+BvERqMndDggUVLCw5irtdEqlPNUt+Bdf//xX9JiEEXuojDm0bJlxYeXWV4CVc1nI
+6BUG5sJfCeICcyKJAS6kn3KC
+-----END PRIVATE KEY-----

certs/test-serial0/root_serial0.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0
+IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE
+BhMCVVMwHhcNMjUxMjE5MjM0MDE3WhcNMzUxMjE3MjM0MDE3WjBEMR4wHAYDVQQD
+DBVUZXN0IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDEL
+MAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrIH40
+erYfetOLROpuIy/CWwiPVyiG+FC6QiMmKOjEy0SXH5ZlxTSX/TWnhqv2KszUv1wg
+v0RtWSE+zL69VhcbIGJBXDs3CoLYIaLwUl0UnP0QKcnpiAPkTeyPh9oQq1sRCACK
+J/COuAMY04Xs8wNatTYugUZfCqi5VKigVxLngNVEruHg306sWTRVjv5BjjwvfbL4
+5XnUPs3sAQ+rD2uGLQ1TDZ07Td8nKwrUEyrdLoIxXUmMGYZnFMFN2GI1PmuJmYt+
+M+Lsi23YrobIV4OfFVoZ1Ln6kYgu/ocH/trQ32hD4P0L8tL9fZgMb5/G9LgYWTY4
+DjYdsOtBx0PAe+0DAgMBAAGjYzBhMB0GA1UdDgQWBBTKbzmfzfMDi8bSxDKvXPrV
+lJO7QTAfBgNVHSMEGDAWgBTKbzmfzfMDi8bSxDKvXPrVlJO7QTAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAdNqm7c3j
+08UY1493GDDEvGmn+Qncl1thCTeFkzeI9TCmQNmjdaDR4UYxEWq81X/clpm2VzXy
+Gq0ya1NqnfcNSKS4q9VSZFx6MC2YpnK2e87flTz2386ghEHrxkp5E7ZYL6uuvk2D
+omBYoML5tESpBt3C6/564lHzebywUIUR5W2t9zQUK7Y7swGrzMnMsb+/j954S0x2
+7nB6xTsBdw2UL/h4VyIp5igC8+Zp8BoxdmGSFPQvJoTSvMS5rjmWgIhbhVIH+zvm
+ICiUA76VAZaCjq2BGKSvoGtzvADebTwEGgsF+bzB+96L/8BH2NCAsLQ8h9X507iq
+dqms0IqlEiXKfA==
+-----END CERTIFICATE-----