diff --git a/smx509/x509.go b/smx509/x509.go
index 457c734..b002c79 100644
--- a/smx509/x509.go
+++ b/smx509/x509.go
@@ -1286,9 +1286,13 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
 	// RFC 5280 Section 4.1.2.2: serial number must positive
+	// We _should_ also restrict serials to <= 20 octets, but it turns out a lot of people
+	// get this wrong, in part because the encoding can itself alter the length of the
+	// serial. For now we accept these non-conformant serials.
 	if template.SerialNumber.Sign() == -1 {
 		return nil, errors.New("x509: serial number must be positive")
 	}
+
 	if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
 		return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
 	}
diff --git a/smx509/x509_test.go b/smx509/x509_test.go
index 9ca97e7..497680c 100644
--- a/smx509/x509_test.go
+++ b/smx509/x509_test.go
@@ -2450,9 +2450,6 @@ func TestOmitEmptyExtensions(t *testing.T) {
 		}
 	}
-	}
-}
-
 var negativeSerialCert = `-----BEGIN CERTIFICATE-----
 MIIBBTCBraADAgECAgH/MAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAjopMB4XDTIy
 MDQxNDIzNTYwNFoXDTIyMDQxNTAxNTYwNFowDTELMAkGA1UEAxMCOikwWTATBgcq
@@ -2532,4 +2529,6 @@ func TestDuplicateExtensionsCSR(t *testing.T) {
 	}
 	_, err := ParseCertificateRequest(b.Bytes)
 	if err == nil {
-		t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions")
\ No newline at end of file
+		t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions")
+	}
+}
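Review bot: The check at `if template.SerialNumber.Sign() == -1` still accepts a zero serial, which RFC 5280 §4.1.2.2 also forbids (it requires a positive integer), so the new comment above it documents the 20-octet leniency but not this one. If zero serials are tolerated deliberately, for the same reason as over-long ones, add that to the comment, e.g. `// A zero serial is likewise non-conformant but is accepted for now.`; otherwise the condition could be tightened to `if template.SerialNumber.Sign() <= 0 {` with the error message unchanged, at the cost of rejecting templates that today succeed. CreateCertificate starts outside the hunk, so whether SerialNumber is nil-checked before `.Sign()` is called cannot be confirmed here; if it is not, a nil SerialNumber would panic on this line rather than return an error.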
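Review bot: The restored failure message at `t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions")` names ParseCertificate, but the call two lines above is ParseCertificateRequest on a CSR, so a failing run would point at the wrong parser. Suggest `t.Fatal("ParseCertificateRequest should fail when parsing CSR with duplicate extensions")`. The rest of TestDuplicateExtensionsCSR lies outside the hunk.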