Anonymous - 2012-03-23

A negative serial number might be legal. I can't seem to find where it's expressly prohibited.

From X.509 (

CertificateContent ::= SEQUENCE {
serialNumber CertificateSerialNumber,

CertificateSerialNumber ::= INTEGER

However, RFC 5280 ( does require the S/N to be positive:

Serial Number

The serial number MUST be a positive integer assigned by the CA to
each certificate. It MUST be unique for each certificate issued by a
given CA (i.e., the issuer name and serial number identify a unique
certificate). CAs MUST force the serialNumber to be a non-negative