Anonymous - 2012-03-23

A negative serial number might be legal. I can't seem to find where its expressly prohibited.

From X.509 (http://www.itu.int/rec/T-REC-X.509):

CertificateContent ::= SEQUENCE {
...
serialNumber CertificateSerialNumber,
...
}

CertificateSerialNumber ::= INTEGER

However, RFC 5280 (http://www.rfc-editor.org/rfc/rfc5280.txt) does require the S/N to be positive:

4.1.2.2. Serial Number

The serial number MUST be a positive integer assigned by the CA to
each certificate. It MUST be unique for each certificate issued by a
given CA (i.e., the issuer name and serial number identify a unique
certificate). CAs MUST force the serialNumber to be a non-negative
integer.