Bob would be able to explain the issue with the leading zeros better; I'll try to repeat what he said.

It depends on whether a signed or an unsigned variable is used when decoding the serial number. The serial number is DER encoded. The raw encoding sometimes takes up 17 bytes, when a 16-byte serial number has the highest bit set.

(Don't ask me why that is, it appears to be an implementation detail/behaviour of the encoders/decoders used.)

We see a leading zero for all serial numbers that start with hex 8 or higher. No leading zero for 7 or lower.

While discussing/reviewing the patch, Bob suggested that stripping the initial zeros will always make it work.

Since Bob is the expert on the properties of certificates and serial numbers, I also conclude he is sure that stripping leading zeros is fine. The answer to comment 32 is yes. Serial numbers are really numbers, not byte arrays.
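Worked example of the behaviour described in this comment (added here for illustration; it is not code from the patch under discussion or from any of the participants). DER INTEGER is two's complement, so an encoder must prepend a 0x00 byte whenever the first content byte would have its high bit set, otherwise the value would read as negative. That is why a 16-byte serial starting at hex 8 or above occupies 17 content bytes, while one starting at hex 7 or below occupies 16. The encoder, decoder and `normalize_serial` helper below are stdlib-only stand-ins written for this example, and the serial values are constructed, not taken from any real certificate.

```python
# Minimal DER INTEGER encode/decode for X.509 serial numbers, plus the
# leading-zero normalisation the comment above talks about. Stdlib only.


def der_encode_integer(value: int) -> bytes:
    """Encode a non-negative int as a DER INTEGER (tag 0x02, short-form length).

    DER INTEGER is two's complement: if the first content byte would have its
    high bit set, a 0x00 byte is prepended so the number stays positive. This
    is the "extra" byte that turns a 16-byte serial into a 17-byte encoding.
    """
    if value < 0:
        raise ValueError("X.509 serial numbers must be positive")
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    if len(body) >= 0x80:
        raise ValueError("long-form length not needed for serial numbers here")
    return bytes([0x02, len(body)]) + body


def der_decode_integer(data: bytes) -> tuple:
    """Parse a DER INTEGER and return (value, raw_content_bytes).

    The value is read as *signed* two's complement, which is what a correct
    decoder does. The raw content bytes are what a naive byte-array compare
    sees, leading zero included.
    """
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = data[1]
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        start = 2 + n
    else:
        start = 2
    content = data[start:start + length]
    if len(content) != length:
        raise ValueError("truncated DER INTEGER")
    return int.from_bytes(content, "big", signed=True), content


def normalize_serial(raw: bytes) -> bytes:
    """Strip leading zero bytes so two encodings of the same serial compare equal.

    Safe precisely because serials are numbers, not byte arrays: a leading
    0x00 never changes the value. A serial of literally zero stays b"\\x00".
    """
    return raw.lstrip(b"\x00") or b"\x00"


def serials_equal(a: bytes, b: bytes) -> bool:
    """Compare two serials by value rather than by raw bytes."""
    return normalize_serial(a) == normalize_serial(b)


# Constructed sample serials (not from any real certificate): both 16 bytes,
# one with the highest bit set (first nibble 8) and one without (first nibble 7).
SERIAL_HIGH_BIT = bytes.fromhex("80112233445566778899aabbccddeeff")
SERIAL_LOW_BIT = bytes.fromhex("7f112233445566778899aabbccddeeff")


def encoded_content_length(serial: bytes) -> int:
    """Number of DER content bytes used for a serial given as big-endian bytes."""
    encoded = der_encode_integer(int.from_bytes(serial, "big"))
    _, content = der_decode_integer(encoded)
    return len(content)


if __name__ == "__main__":
    for name, serial in (("high bit set", SERIAL_HIGH_BIT), ("high bit clear", SERIAL_LOW_BIT)):
        encoded = der_encode_integer(int.from_bytes(serial, "big"))
        value, content = der_decode_integer(encoded)
        print(f"{name}: stored {len(serial)} bytes, DER content {len(content)} bytes, "
              f"raw match={content == serial}, normalized match={serials_equal(content, serial)}")
        assert value == int.from_bytes(serial, "big")
```

Reading the 17 content bytes of the high-bit case with an unsigned decode gives the same value as the signed decode, because the leading 0x00 is there; dropping that byte and reading the remaining 16 as signed would yield a negative number, which is the signed-vs-unsigned mismatch the comment alludes to. Comparing by `normalize_serial` sidesteps the question entirely.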