Hi Svetlana

According to http://tools.ietf.org/html/rfc5280#section-4.1.2.2:

   Note: Non-conforming CAs may issue certificates with serial numbers
   that are negative or zero.  Certificate users SHOULD be prepared to
   gracefully handle such certificates.

This means although a modern library/tool MUST NOT create negative serial numbers, it is required to support an existing certificate with a negative serial number.

At least in jdk/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java:

 257             CertId cid = new CertId(chain[1],
 258                     new SerialNumber(chain[0].getSerialNumber()));

It is reading an existing serial number.

JDK is mainly about parsing certificates and if I remember correctly the only place it creates one is in keytool, and the tool has already made sure serial numbers are non-negative.

I would close this bug as not-an-issue. Other suggestions are welcome.

Thanks
Max

> On Jul 8, 2016, at 2:29 AM, Svetlana Nikandrova
> <svetlana.nikandr...@oracle.com> wrote:
>
> Hello,
>
> could you please review this simple fix.
> Issue:
> https://bugs.openjdk.java.net/browse/JDK-8054537
> Webrev:
> http://cr.openjdk.java.net/~snikandrova/8054537/webrev.00/
> <http://cr.openjdk.java.net/%7Esnikandrova/8054537/webrev.00/>
>
> Description:
> Added check if SerialNumber constructor's parameter is negative.
>
> Thank you,
> Svetlana
>
>
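
The read/create split discussed in this thread, as an added example that is not part of the original messages or of the JDK sources: a lenient DER INTEGER reader that accepts negative and zero serial numbers, beside a strict check for the issuing path. The class name, method names and sample bytes are assumptions made up for illustration; the 20-octet limit comes from the same RFC 5280 section.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class SerialNumberPolicy {

    // Reading side: decode a DER INTEGER (tag 0x02, short-form length) as the
    // signed two's-complement value it encodes. Negative and zero are accepted.
    static BigInteger parseDerInteger(byte[] der) {
        if (der.length < 3 || der[0] != 0x02) {
            throw new IllegalArgumentException("not a DER INTEGER");
        }
        int len = der[1] & 0xff;
        if (len >= 0x80 || len == 0 || len != der.length - 2) {
            throw new IllegalArgumentException("unsupported or inconsistent length");
        }
        return new BigInteger(Arrays.copyOfRange(der, 2, der.length));
    }

    // Issuing side: RFC 5280 section 4.1.2.2 requires a positive serial number
    // of at most 20 octets, so reject anything else before signing.
    static BigInteger requireIssuable(BigInteger serial) {
        if (serial.signum() <= 0) {
            throw new IllegalArgumentException("serial must be positive: " + serial);
        }
        if (serial.toByteArray().length > 20) {
            throw new IllegalArgumentException("serial longer than 20 octets");
        }
        return serial;
    }

    public static void main(String[] args) {
        // Constructed sample encodings, not taken from real certificates.
        byte[][] samples = {
            {0x02, 0x02, 0x00, (byte) 0x80}, // 128, correctly padded
            {0x02, 0x01, (byte) 0x80},       // -128, leading 0x00 omitted by the encoder
            {0x02, 0x01, 0x00},              // zero
        };
        for (byte[] der : samples) {
            BigInteger serial = parseDerInteger(der); // sign never causes a parse failure
            String verdict;
            try {
                requireIssuable(serial);
                verdict = "may be issued";
            } catch (IllegalArgumentException e) {
                verdict = "parse only (" + e.getMessage() + ")";
            }
            System.out.println(serial + " -> " + verdict);
        }
    }
}
```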