diff --git a/src/x509.c b/src/x509.c
index b4ad4df2b6..e550a1ea6f 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -5851,16 +5851,16 @@ static struct acert_dir_print_t acert_dir_print[ACERT_NUM_DIR_TAGS] =
 * Returns total_len of str on success.
 * Returns < 0 on failure.
 * */
-static int X509PrintDirType(char * dst, word32 max_len, const DNS_entry * entry)
+static int X509PrintDirType(char * dst, int max_len, const DNS_entry * entry)
 {
- word32 k = 0;
- word32 i = 0;
+ int k = 0;
+ int i = 0;
 const char * src = entry->name;
- word32 src_len = XSTRLEN(src);
- word32 total_len = 0;
- word32 bytes_left = max_len;
- word32 fld_len = 0;
- word32 match_found = 0;
+ int src_len = XSTRLEN(src);
+ int total_len = 0;
+ int bytes_left = max_len;
+ int fld_len = 0;
+ int match_found = 0;
 XMEMSET(dst, 0, max_len);
@@ -5888,6 +5888,11 @@ static int X509PrintDirType(char * dst, word32 max_len, const DNS_entry * entry)
 fld_len = src[i + 4];
 i += 5;
+ if ((int) XSTRLEN(pfx) > bytes_left) {
+ /* Not enough space left. */
+ break;
+ }
+
 XSTRNCPY(dst, pfx, bytes_left);
 dst += XSTRLEN(pfx);
 total_len += XSTRLEN(pfx);
@@ -5909,7 +5914,7 @@ static int X509PrintDirType(char * dst, word32 max_len, const DNS_entry * entry)
 }
 }
- return 0;
+ return total_len;
 }
 static int X509_ACERT_print_name_entry(WOLFSSL_BIO* bio,
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index c9af5d3caa..722065b6ea 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -41018,8 +41018,8 @@ int ParseX509Acert(DecodedAcert* acert, int verify)
 * @param [in] sig the parsed signature
 * @param [in] sigSz the parsed signature length
 * @param [in] sigOID the parsed signature OID
- * @param [in] sigParams the parsed signature params
- * @param [in] sigParamsSz the parsed signature params length
+ * @param [in] sigParams the parsed signature RSA-PSS params
+ * @param [in] sigParamsSz the parsed signature RSA-PSS params length
 * @param [in] heap heap hint
 *
 * @return 0 on verify success
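Review bot: In the first x509.c hunk, `max_len` is now a signed `int` and goes straight into `XMEMSET(dst, 0, max_len)`, so a zero or negative value from a caller would be converted to a very large size there; nothing visible in the hunk rejects it. A guard placed before the XMEMSET, such as `if (max_len <= 0) return BAD_FUNC_ARG;`, would match the header comment's promise of `< 0` on failure. `int src_len = XSTRLEN(src);` also narrows a `size_t` implicitly, while the later `(int) XSTRLEN(pfx)` casts explicitly, so `int src_len = (int)XSTRLEN(src);` would be consistent. The function body continues outside this hunk.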
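Review bot: In the second x509.c hunk, `fld_len = src[i + 4];` reads a length byte through a `const char *`, and with `fld_len` now a signed `int` a byte of 0x80 or above becomes a negative length wherever plain `char` is signed. The added guard only covers the prefix; the code that consumes `fld_len` lies outside this hunk, so it should be checked for a `fld_len < 0` rejection, or the read changed to `fld_len = (unsigned char)src[i + 4];`. Separately, the new test uses `>`, so a prefix of exactly `bytes_left` bytes is copied with no byte left for a terminator; `>=` would keep `dst` NUL-terminated if any caller treats it as a string.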
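Review bot: In the third x509.c hunk, the header comment promises `< 0` on failure, but the out-of-space `break` added in the previous hunk appears to fall through to `return total_len;`, so truncated output would be reported as a successful length. If truncation is acceptable, the comment should say so, for example `* Returns the number of bytes written to dst; output may be truncated when dst is too small.`; otherwise the break path should return a negative code. The loop between the two hunks is not visible here, so confirm which exits reach this return.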
@@ -41054,7 +41054,7 @@ static int acert_sig_verify(const byte * acinfo, word32 acinfoSz,
 (word32)pubKeyOID, sig, sigSz, sigOID, sigParams, sigParamsSz, NULL);
- if (ret == ASN_SIG_CONFIRM_E) {
+ if (ret == WC_NO_ERR_TRACE(ASN_SIG_CONFIRM_E)) {
 WOLFSSL_MSG("info: VerifyX509Acert: confirm signature failed");
 }
@@ -41064,10 +41064,6 @@ static int acert_sig_verify(const byte * acinfo, word32 acinfoSz,
 sigCtx = NULL;
 #endif
- /* todo: RSA PSS support. */
- (void) sigParams;
- (void) sigParamsSz;
-
 return ret;
 }
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 0d89323874..cc7073101c 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -2323,8 +2323,8 @@ WOLFSSL_ASN_API int GetASNInt(const byte* input, word32* inOutIdx, int* len,
 WOLFSSL_LOCAL int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz);
 #endif
-WOLFSSL_ASN_API int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
- word32 maxIdx);
+WOLFSSL_LOCAL int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
+ word32 maxIdx);
 WOLFSSL_LOCAL int SetObjectId(int len, byte* output);
 WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, word32 oidType, word32 maxIdx);
@@ -2332,8 +2332,8 @@ WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, word32 oidType, word32 maxIdx);
 WOLFSSL_LOCAL int GetAlgoIdEx(const byte* input, word32* inOutIdx, word32* oid, word32 oidType, word32 maxIdx, byte *absentParams);
-WOLFSSL_LOCAL int GetASNTag(const byte* input, word32* idx, byte* tag,
- word32 inputSz);
+WOLFSSL_ASN_API int GetASNTag(const byte* input, word32* idx, byte* tag,
+ word32 inputSz);
 WOLFSSL_LOCAL int GetASN_BitString(const byte* input, word32 idx, int length);
 WOLFSSL_LOCAL word32 SetASNLength(word32 length, byte* output);
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 8dab3eea87..4856ffab93 100644
--- a/wolfssl/wolfcrypt/settings.h
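Review bot: The two asn.h hunks swap visibility with no comment explaining either change: `GetASNObjectId` goes from `WOLFSSL_ASN_API` to `WOLFSSL_LOCAL` in the first, and `GetASNTag` goes from `WOLFSSL_LOCAL` to `WOLFSSL_ASN_API` in the second. Narrowing `GetASNObjectId` can break code outside the library that linked against it, and widening `GetASNTag` makes a low-level parser primitive callable from outside, where its `idx`/`inputSz` bounds contract is not written down beside the declaration. A short comment above `GetASNTag`, for example `/* Exported for use outside wolfcrypt; inputSz bounds the read at *idx. */`, would record the reason and the contract. The wording should be confirmed against the definition in asn.c, which is not shown here.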
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2987,6 +2987,11 @@ extern void uITRON4_free(void *p) ;
 /* Extended Key Usage */
 #undef WOLFSSL_EKU_OID
 #define WOLFSSL_EKU_OID
+
+ /* Attribute Certificate support */
+ #if defined(WOLFSSL_ASN_TEMPLATE) && !defined(WOLFSSL_ACERT)
+ #define WOLFSSL_ACERT
+ #endif
 #endif
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
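Review bot: The added block defines `WOLFSSL_ACERT` whenever `WOLFSSL_ASN_TEMPLATE` is set, inside an enclosing `#if` that starts outside this hunk, so builds matching that outer condition gain the attribute-certificate parser without requesting it. That is additional code handling untrusted DER input, so an opt-out would be worth offering, and the comment should at least state the implication, e.g. `/* Attribute Certificate support: enabled implicitly with the ASN template; adds the ACERT parser to this build */`. Which configurations the outer condition selects cannot be seen from here.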