diff --git a/certidude/api/ocsp.py b/certidude/api/ocsp.py
index 0d34d89..179fc06 100644
--- a/certidude/api/ocsp.py
+++ b/certidude/api/ocsp.py
@@ -50,6 +50,7 @@ class OCSPResource(AuthorityHandler):
 responses = []
 for item in ocsp_req["tbs_request"]["request_list"]:
 serial = item["req_cert"]["serial_number"].native
+ assert serial > 0, "Serial number correctness check failed"
 try:
 link_target = os.readlink(os.path.join(config.SIGNED_BY_SERIAL_DIR, "%x.pem" % serial))
diff --git a/certidude/authority.py b/certidude/authority.py
index 2740a77..d50dd63 100644
--- a/certidude/authority.py
+++ b/certidude/authority.py
@@ -380,7 +380,7 @@ def _sign(csr, buf, skip_notify=False, skip_push=False, overwrite=False, profile
 builder = CertificateBuilder(dn, csr_pubkey)
 builder.serial_number = random.randint(
 0x1000000000000000000000000000000000000000,
- 0xffffffffffffffffffffffffffffffffffffffff)
+ 0x7fffffffffffffffffffffffffffffffffffffff)
 now = datetime.utcnow()
 builder.begin_date = now - timedelta(minutes=5)
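Review bot: In certidude/api/ocsp.py the new `assert serial > 0` is the only validation of a serial number taken from the client's OCSP request, and `assert` statements are removed when Python runs with `-O`, so the check can silently disappear. When it does fire, the AssertionError will presumably surface as a server error rather than a client-error or OCSP `malformed_request` answer. An explicit branch such as `if serial <= 0:` that rejects the request through the handler's normal error path would be more robust. It could also bound the value to the range `_sign` issues (at most 0x7fff…ff), since the serial is formatted into the filename handed to `os.readlink`. The loop body continues outside the hunk.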
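Review bot: In certidude/authority.py the serial is still drawn with `random.randint`, which uses the module's Mersenne Twister generator and is not meant for values that must be unpredictable; certificate serials are randomized precisely so that they cannot be guessed in advance. `random.SystemRandom().randint(` takes the same two bounds, draws from the operating system's CSPRNG, and needs no new import. A short comment on the new upper bound would also help the next reader, e.g. `# top bit clear: serial stays positive and fits in 20 octets when DER-encoded`. `_sign` starts and ends outside the hunk.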