diff --git a/certs/test/cert-over-max-altnames.cfg b/certs/test/cert-over-max-altnames.cfg
new file mode 100644
index 0000000000..472fa20f32
--- /dev/null
+++ b/certs/test/cert-over-max-altnames.cfg
@@ -0,0 +1,150 @@
+[ req ]
+default_bits = 2048
+prompt = no
+distinguished_name = dn
+x509_extensions = extensions
+
+[ dn ]
+C = US
+ST = Montana
+L = Bozeman
+O = wolfSSL Inc
+OU = Engineering
+CN = www.wolfssl.com
+
+[ extensions ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = example1.com
+DNS.2 = example2.com
+DNS.3 = example3.com
+DNS.4 = example4.com
+DNS.5 = example5.com
+DNS.6 = example6.com
+DNS.7 = example7.com
+DNS.8 = example8.com
+DNS.9 = example9.com
+DNS.10 = example10.com
+DNS.11 = example11.com
+DNS.12 = example12.com
+DNS.13 = example13.com
+DNS.14 = example14.com
+DNS.15 = example15.com
+DNS.16 = example16.com
+DNS.17 = example17.com
+DNS.18 = example18.com
+DNS.19 = example19.com
+DNS.20 = example20.com
+DNS.21 = example21.com
+DNS.22 = example22.com
+DNS.23 = example23.com
+DNS.24 = example24.com
+DNS.25 = example25.com
+DNS.26 = example26.com
+DNS.27 = example27.com
+DNS.28 = example28.com
+DNS.29 = example29.com
+DNS.30 = example30.com
+DNS.31 = example31.com
+DNS.32 = example32.com
+DNS.33 = example33.com
+DNS.34 = example34.com
+DNS.35 = example35.com
+DNS.36 = example36.com
+DNS.37 = example37.com
+DNS.38 = example38.com
+DNS.39 = example39.com
+DNS.40 = example40.com
+DNS.41 = example41.com
+DNS.42 = example42.com
+DNS.43 = example43.com
+DNS.44 = example44.com
+DNS.45 = example45.com
+DNS.46 = example46.com
+DNS.47 = example47.com
+DNS.48 = example48.com
+DNS.49 = example49.com
+DNS.50 = example50.com
+DNS.51 = example51.com
+DNS.52 = example52.com
+DNS.53 = example53.com
+DNS.54 = example54.com
+DNS.55 = example55.com
+DNS.56 = example56.com
+DNS.57 = example57.com
+DNS.58 = example58.com
+DNS.59 = example59.com
+DNS.60 = example60.com
+DNS.61 = example61.com
+DNS.62 = example62.com
+DNS.63 = example63.com
+DNS.64 = example64.com
+DNS.65 = example65.com
+DNS.66 = example66.com
+DNS.67 = example67.com
+DNS.68 = example68.com
+DNS.69 = example69.com
+DNS.70 = example70.com
+DNS.71 = example71.com
+DNS.72 = example72.com
+DNS.73 = example73.com
+DNS.74 = example74.com
+DNS.75 = example75.com
+DNS.76 = example76.com
+DNS.77 = example77.com
+DNS.78 = example78.com
+DNS.79 = example79.com
+DNS.80 = example80.com
+DNS.81 = example81.com
+DNS.82 = example82.com
+DNS.83 = example83.com
+DNS.84 = example84.com
+DNS.85 = example85.com
+DNS.86 = example86.com
+DNS.87 = example87.com
+DNS.88 = example88.com
+DNS.89 = example89.com
+DNS.90 = example90.com
+DNS.91 = example91.com
+DNS.92 = example92.com
+DNS.93 = example93.com
+DNS.94 = example94.com
+DNS.95 = example95.com
+DNS.96 = example96.com
+DNS.97 = example97.com
+DNS.98 = example98.com
+DNS.99 = example99.com
+DNS.100 = example100.com
+DNS.101 = example101.com
+DNS.102 = example102.com
+DNS.103 = example103.com
+DNS.104 = example104.com
+DNS.105 = example105.com
+DNS.106 = example106.com
+DNS.107 = example107.com
+DNS.108 = example108.com
+DNS.109 = example109.com
+DNS.110 = example110.com
+DNS.111 = example111.com
+DNS.112 = example112.com
+DNS.113 = example113.com
+DNS.114 = example114.com
+DNS.115 = example115.com
+DNS.116 = example116.com
+DNS.117 = example117.com
+DNS.118 = example118.com
+DNS.119 = example119.com
+DNS.120 = example120.com
+DNS.121 = example121.com
+DNS.122 = example122.com
+DNS.123 = example123.com
+DNS.124 = example124.com
+DNS.125 = example125.com
+DNS.126 = example126.com
+DNS.127 = example127.com
+DNS.128 = example128.com
+DNS.129 = example129.com
+DNS.130 = example130.com
+
+
diff --git a/certs/test/cert-over-max-altnames.pem b/certs/test/cert-over-max-altnames.pem
new file mode 100644
index 0000000000..309b31ef81
--- /dev/null
+++ b/certs/test/cert-over-max-altnames.pem
@@ -0,0 +1,63 @@ +-----BEGIN CERTIFICATE----- +MIILZjCCCk6gAwIBAgIURc0vEAYKqmZm+uhVYVYcdTDD5jIwDQYJKoZIhvcNAQEL +BQAwdzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv +emVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMB4XDTI0MDUzMDAxMzQ1NloXDTI0 +MDYyOTAxMzQ1NlowdzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAO +BgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtF +bmdpbmVlcmluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4MxlWlPvDK577o82h5LrZDs/1eFX/xEI2ICZ +xvQ3rMm5cdUxsnYeExXMP8Fzlx4RsyYeNCJo8wdKFtTbrkyTGE1tlrQ6jZ20aYA0 +V38GkQhVNzG5EIOBm9x7Zl7L4kgJEAG0a36jOrCuP9JOxo6EtyezF+KyN9TEzxxZ +udlaV3JoxghmvaBzRO07vmomtxwtm/5K4gM3XCcYyDhxf7J357s6Ra8nhefOT/PV +rB/mSHUcH0nvt2mNZdJyDOUBNx0IAVL1CaJh3pT14Ql03igSbeRr7pVtiioixZTD +xB1npmn0kgTa4zNR11EWHX0nBwEJST3QofkJA+odSFQBG1tCTQIDAQABo4IH6DCC +B+QwggfBBgNVHREEgge4MIIHtIIMZXhhbXBsZTEuY29tggxleGFtcGxlMi5jb22C +DGV4YW1wbGUzLmNvbYIMZXhhbXBsZTQuY29tggxleGFtcGxlNS5jb22CDGV4YW1w +bGU2LmNvbYIMZXhhbXBsZTcuY29tggxleGFtcGxlOC5jb22CDGV4YW1wbGU5LmNv +bYINZXhhbXBsZTEwLmNvbYINZXhhbXBsZTExLmNvbYINZXhhbXBsZTEyLmNvbYIN +ZXhhbXBsZTEzLmNvbYINZXhhbXBsZTE0LmNvbYINZXhhbXBsZTE1LmNvbYINZXhh +bXBsZTE2LmNvbYINZXhhbXBsZTE3LmNvbYINZXhhbXBsZTE4LmNvbYINZXhhbXBs +ZTE5LmNvbYINZXhhbXBsZTIwLmNvbYINZXhhbXBsZTIxLmNvbYINZXhhbXBsZTIy +LmNvbYINZXhhbXBsZTIzLmNvbYINZXhhbXBsZTI0LmNvbYINZXhhbXBsZTI1LmNv +bYINZXhhbXBsZTI2LmNvbYINZXhhbXBsZTI3LmNvbYINZXhhbXBsZTI4LmNvbYIN +ZXhhbXBsZTI5LmNvbYINZXhhbXBsZTMwLmNvbYINZXhhbXBsZTMxLmNvbYINZXhh +bXBsZTMyLmNvbYINZXhhbXBsZTMzLmNvbYINZXhhbXBsZTM0LmNvbYINZXhhbXBs +ZTM1LmNvbYINZXhhbXBsZTM2LmNvbYINZXhhbXBsZTM3LmNvbYINZXhhbXBsZTM4 +LmNvbYINZXhhbXBsZTM5LmNvbYINZXhhbXBsZTQwLmNvbYINZXhhbXBsZTQxLmNv +bYINZXhhbXBsZTQyLmNvbYINZXhhbXBsZTQzLmNvbYINZXhhbXBsZTQ0LmNvbYIN +ZXhhbXBsZTQ1LmNvbYINZXhhbXBsZTQ2LmNvbYINZXhhbXBsZTQ3LmNvbYINZXhh +bXBsZTQ4LmNvbYINZXhhbXBsZTQ5LmNvbYINZXhhbXBsZTUwLmNvbYINZXhhbXBs 
+ZTUxLmNvbYINZXhhbXBsZTUyLmNvbYINZXhhbXBsZTUzLmNvbYINZXhhbXBsZTU0 +LmNvbYINZXhhbXBsZTU1LmNvbYINZXhhbXBsZTU2LmNvbYINZXhhbXBsZTU3LmNv +bYINZXhhbXBsZTU4LmNvbYINZXhhbXBsZTU5LmNvbYINZXhhbXBsZTYwLmNvbYIN +ZXhhbXBsZTYxLmNvbYINZXhhbXBsZTYyLmNvbYINZXhhbXBsZTYzLmNvbYINZXhh +bXBsZTY0LmNvbYINZXhhbXBsZTY1LmNvbYINZXhhbXBsZTY2LmNvbYINZXhhbXBs +ZTY3LmNvbYINZXhhbXBsZTY4LmNvbYINZXhhbXBsZTY5LmNvbYINZXhhbXBsZTcw +LmNvbYINZXhhbXBsZTcxLmNvbYINZXhhbXBsZTcyLmNvbYINZXhhbXBsZTczLmNv +bYINZXhhbXBsZTc0LmNvbYINZXhhbXBsZTc1LmNvbYINZXhhbXBsZTc2LmNvbYIN +ZXhhbXBsZTc3LmNvbYINZXhhbXBsZTc4LmNvbYINZXhhbXBsZTc5LmNvbYINZXhh +bXBsZTgwLmNvbYINZXhhbXBsZTgxLmNvbYINZXhhbXBsZTgyLmNvbYINZXhhbXBs +ZTgzLmNvbYINZXhhbXBsZTg0LmNvbYINZXhhbXBsZTg1LmNvbYINZXhhbXBsZTg2 +LmNvbYINZXhhbXBsZTg3LmNvbYINZXhhbXBsZTg4LmNvbYINZXhhbXBsZTg5LmNv +bYINZXhhbXBsZTkwLmNvbYINZXhhbXBsZTkxLmNvbYINZXhhbXBsZTkyLmNvbYIN +ZXhhbXBsZTkzLmNvbYINZXhhbXBsZTk0LmNvbYINZXhhbXBsZTk1LmNvbYINZXhh +bXBsZTk2LmNvbYINZXhhbXBsZTk3LmNvbYINZXhhbXBsZTk4LmNvbYINZXhhbXBs +ZTk5LmNvbYIOZXhhbXBsZTEwMC5jb22CDmV4YW1wbGUxMDEuY29tgg5leGFtcGxl +MTAyLmNvbYIOZXhhbXBsZTEwMy5jb22CDmV4YW1wbGUxMDQuY29tgg5leGFtcGxl +MTA1LmNvbYIOZXhhbXBsZTEwNi5jb22CDmV4YW1wbGUxMDcuY29tgg5leGFtcGxl +MTA4LmNvbYIOZXhhbXBsZTEwOS5jb22CDmV4YW1wbGUxMTAuY29tgg5leGFtcGxl +MTExLmNvbYIOZXhhbXBsZTExMi5jb22CDmV4YW1wbGUxMTMuY29tgg5leGFtcGxl +MTE0LmNvbYIOZXhhbXBsZTExNS5jb22CDmV4YW1wbGUxMTYuY29tgg5leGFtcGxl +MTE3LmNvbYIOZXhhbXBsZTExOC5jb22CDmV4YW1wbGUxMTkuY29tgg5leGFtcGxl +MTIwLmNvbYIOZXhhbXBsZTEyMS5jb22CDmV4YW1wbGUxMjIuY29tgg5leGFtcGxl +MTIzLmNvbYIOZXhhbXBsZTEyNC5jb22CDmV4YW1wbGUxMjUuY29tgg5leGFtcGxl +MTI2LmNvbYIOZXhhbXBsZTEyNy5jb22CDmV4YW1wbGUxMjguY29tgg5leGFtcGxl +MTI5LmNvbYIOZXhhbXBsZTEzMC5jb20wHQYDVR0OBBYEFLbtWbf+CESA0Xfsii18 +98iIet9AMA0GCSqGSIb3DQEBCwUAA4IBAQBCY+SvA+JFFZ1NwwEBcl5BDbTjTAgt +w+xlEK71C+KUdvFuMMftDjaESOTJXEsimz5TuYhCMmQwQJMTlaEuZnzyCetuyBwJ +eRAFopo4xRhJKQ6okJlOANPlmXehuPS+niiMMGxqBOjVyvPFZpdnj0oa6Mz/ewuP +gNlsLUUrA6YQZNGYq9rDb4r2CCtD+10xkUg1Pu+2eRHBkYP9VSJOvWTVLMj/mPwN 
+mh/pAxg50fl/t+m181AOu8KpIen3++54ljgo0v/O3SyO0d5zq8+vSTpjkfX3LPjH
+DFyofMjOQ7lFnr7uwY9jmj//GUUg3nULmItMhcEJ3XE9ySoEwfP35OWC
+-----END CERTIFICATE-----
diff --git a/certs/test/cert-over-max-nc.cfg b/certs/test/cert-over-max-nc.cfg
new file mode 100644
index 0000000000..21bdebeabf
--- /dev/null
+++ b/certs/test/cert-over-max-nc.cfg
@@ -0,0 +1,61 @@
+[ req ]
+default_bits = 2048
+prompt = no
+distinguished_name = dn
+x509_extensions = extensions
+
+[ dn ]
+C = US
+ST = Montana
+L = Bozeman
+O = wolfSSL Inc
+OU = Engineering
+CN = www.wolfssl.com
+
+[ extensions ]
+basicConstraints=critical,CA:true
+nameConstraints = permitted;DNS:.ex1.com,permitted;DNS:.ex2.com,permitted;\
+DNS:.ex3.com,permitted;DNS:.ex4.com,permitted;DNS:.ex5.com,permitted;\
+DNS:.ex6.com,permitted;DNS:.ex7.com,permitted;DNS:.ex8.com,permitted;\
+DNS:.ex9.com,permitted;DNS:.ex10.com,permitted;DNS:.ex11.com,permitted;\
+DNS:.ex12.com,permitted;DNS:.ex13.com,permitted;DNS:.ex14.com,permitted;\
+DNS:.ex15.com,permitted;DNS:.ex16.com,permitted;DNS:.ex17.com,permitted;\
+DNS:.ex18.com,permitted;DNS:.ex19.com,permitted;DNS:.ex20.com,permitted;\
+DNS:.ex21.com,permitted;DNS:.ex22.com,permitted;DNS:.ex23.com,permitted;\
+DNS:.ex24.com,permitted;DNS:.ex25.com,permitted;DNS:.ex26.com,permitted;\
+DNS:.ex27.com,permitted;DNS:.ex28.com,permitted;DNS:.ex29.com,permitted;\
+DNS:.ex30.com,permitted;DNS:.ex31.com,permitted;DNS:.ex32.com,permitted;\
+DNS:.ex33.com,permitted;DNS:.ex34.com,permitted;DNS:.ex35.com,permitted;\
+DNS:.ex36.com,permitted;DNS:.ex37.com,permitted;DNS:.ex38.com,permitted;\
+DNS:.ex39.com,permitted;DNS:.ex40.com,permitted;DNS:.ex41.com,permitted;\
+DNS:.ex42.com,permitted;DNS:.ex43.com,permitted;DNS:.ex44.com,permitted;\
+DNS:.ex45.com,permitted;DNS:.ex46.com,permitted;DNS:.ex47.com,permitted;\
+DNS:.ex48.com,permitted;DNS:.ex49.com,permitted;DNS:.ex50.com,permitted;\
+DNS:.ex51.com,permitted;DNS:.ex52.com,permitted;DNS:.ex53.com,permitted;\
+DNS:.ex54.com,permitted;DNS:.ex55.com,permitted;DNS:.ex56.com,permitted;\
+DNS:.ex57.com,permitted;DNS:.ex58.com,permitted;DNS:.ex59.com,permitted;\
+DNS:.ex60.com,permitted;DNS:.ex61.com,permitted;DNS:.ex62.com,permitted;\
+DNS:.ex63.com,permitted;DNS:.ex64.com,permitted;DNS:.ex65.com,permitted;\
+DNS:.ex66.com,permitted;DNS:.ex67.com,permitted;DNS:.ex68.com,permitted;\
+DNS:.ex69.com,permitted;DNS:.ex70.com,permitted;DNS:.ex71.com,permitted;\
+DNS:.ex72.com,permitted;DNS:.ex73.com,permitted;DNS:.ex74.com,permitted;\
+DNS:.ex75.com,permitted;DNS:.ex76.com,permitted;DNS:.ex77.com,permitted;\
+DNS:.ex78.com,permitted;DNS:.ex79.com,permitted;DNS:.ex80.com,permitted;\
+DNS:.ex81.com,permitted;DNS:.ex82.com,permitted;DNS:.ex83.com,permitted;\
+DNS:.ex84.com,permitted;DNS:.ex85.com,permitted;DNS:.ex86.com,permitted;\
+DNS:.ex87.com,permitted;DNS:.ex88.com,permitted;DNS:.ex89.com,permitted;\
+DNS:.ex90.com,permitted;DNS:.ex91.com,permitted;DNS:.ex92.com,permitted;\
+DNS:.ex93.com,permitted;DNS:.ex94.com,permitted;DNS:.ex95.com,permitted;\
+DNS:.ex96.com,permitted;DNS:.ex97.com,permitted;DNS:.ex98.com,permitted;\
+DNS:.ex99.com,permitted;DNS:.ex100.com,permitted;DNS:.ex101.com,permitted;\
+DNS:.ex102.com,permitted;DNS:.ex103.com,permitted;DNS:.ex104.com,permitted;\
+DNS:.ex105.com,permitted;DNS:.ex106.com,permitted;DNS:.ex107.com,permitted;\
+DNS:.ex108.com,permitted;DNS:.ex109.com,permitted;DNS:.ex110.com,permitted;\
+DNS:.ex111.com,permitted;DNS:.ex112.com,permitted;DNS:.ex113.com,permitted;\
+DNS:.ex114.com,permitted;DNS:.ex115.com,permitted;DNS:.ex116.com,permitted;\
+DNS:.ex117.com,permitted;DNS:.ex118.com,permitted;DNS:.ex119.com,permitted;\
+DNS:.ex120.com,permitted;DNS:.ex121.com,permitted;DNS:.ex122.com,permitted;\
+DNS:.ex123.com,permitted;DNS:.ex124.com,permitted;DNS:.ex125.com,permitted;\
+DNS:.ex126.com,permitted;DNS:.ex127.com,permitted;DNS:.ex128.com,permitted;\
+DNS:.ex129.com,permitted;DNS:.ex130.com
+
diff --git a/certs/test/cert-over-max-nc.pem b/certs/test/cert-over-max-nc.pem
new file mode 100644
index 0000000000..5fb42bf525
--- /dev/null
+++ b/certs/test/cert-over-max-nc.pem
@@ -0,0 +1,58 @@ +-----BEGIN CERTIFICATE----- +MIIKdzCCCV+gAwIBAgIUP2BNrIrxeGGYtoPzcrEMcF8RDbEwDQYJKoZIhvcNAQEL +BQAwdzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv +emVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMB4XDTI0MDUzMDAxNTE0M1oXDTI0 +MDYyOTAxNTE0M1owdzELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAO +BgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZTU0wgSW5jMRQwEgYDVQQLDAtF +bmdpbmVlcmluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr7XMOFVWne2YJvHK9odaZiLSFJ5l9FJqKLnc +VDPPjM++SdO/dU8/hO/e1B5r88NtXFJHztMbekIIQd7f0T3Lwru/FRkmqI3Q2Z5V +SYLJbrI3EiVg4eG07MI2DhHWg9cMnfENzYk4Q/Zhd2cGCsJUW4S37ye+M+VXDtlb +ZkQVN19uqrxmZESqVpa05AjsJcbVMwb4++ZkhXLrs0eUcLQpZxWehTvKO/FgcFbD +6kNkTBBNf3c/5AQCLugSLUGn1RgbNt9sBZ6zZPM3UOgeREfEcb5+B61RGQD/SMCR +o+VEMCkGmWw8b3B7tyRXweuHBZ5I+AOw9QHb7F5tkT8ih5FUrwIDAQABo4IG+TCC +BvUwDwYDVR0TAQH/BAUwAwEB/zCCBsEGA1UdHgSCBrgwgga0oIIGsDAKggguZXgx +LmNvbTAKggguZXgyLmNvbTAKggguZXgzLmNvbTAKggguZXg0LmNvbTAKggguZXg1 +LmNvbTAKggguZXg2LmNvbTAKggguZXg3LmNvbTAKggguZXg4LmNvbTAKggguZXg5 +LmNvbTALggkuZXgxMC5jb20wC4IJLmV4MTEuY29tMAuCCS5leDEyLmNvbTALggku +ZXgxMy5jb20wC4IJLmV4MTQuY29tMAuCCS5leDE1LmNvbTALggkuZXgxNi5jb20w +C4IJLmV4MTcuY29tMAuCCS5leDE4LmNvbTALggkuZXgxOS5jb20wC4IJLmV4MjAu +Y29tMAuCCS5leDIxLmNvbTALggkuZXgyMi5jb20wC4IJLmV4MjMuY29tMAuCCS5l +eDI0LmNvbTALggkuZXgyNS5jb20wC4IJLmV4MjYuY29tMAuCCS5leDI3LmNvbTAL +ggkuZXgyOC5jb20wC4IJLmV4MjkuY29tMAuCCS5leDMwLmNvbTALggkuZXgzMS5j +b20wC4IJLmV4MzIuY29tMAuCCS5leDMzLmNvbTALggkuZXgzNC5jb20wC4IJLmV4 +MzUuY29tMAuCCS5leDM2LmNvbTALggkuZXgzNy5jb20wC4IJLmV4MzguY29tMAuC +CS5leDM5LmNvbTALggkuZXg0MC5jb20wC4IJLmV4NDEuY29tMAuCCS5leDQyLmNv +bTALggkuZXg0My5jb20wC4IJLmV4NDQuY29tMAuCCS5leDQ1LmNvbTALggkuZXg0 +Ni5jb20wC4IJLmV4NDcuY29tMAuCCS5leDQ4LmNvbTALggkuZXg0OS5jb20wC4IJ +LmV4NTAuY29tMAuCCS5leDUxLmNvbTALggkuZXg1Mi5jb20wC4IJLmV4NTMuY29t +MAuCCS5leDU0LmNvbTALggkuZXg1NS5jb20wC4IJLmV4NTYuY29tMAuCCS5leDU3 
+LmNvbTALggkuZXg1OC5jb20wC4IJLmV4NTkuY29tMAuCCS5leDYwLmNvbTALggku +ZXg2MS5jb20wC4IJLmV4NjIuY29tMAuCCS5leDYzLmNvbTALggkuZXg2NC5jb20w +C4IJLmV4NjUuY29tMAuCCS5leDY2LmNvbTALggkuZXg2Ny5jb20wC4IJLmV4Njgu +Y29tMAuCCS5leDY5LmNvbTALggkuZXg3MC5jb20wC4IJLmV4NzEuY29tMAuCCS5l +eDcyLmNvbTALggkuZXg3My5jb20wC4IJLmV4NzQuY29tMAuCCS5leDc1LmNvbTAL +ggkuZXg3Ni5jb20wC4IJLmV4NzcuY29tMAuCCS5leDc4LmNvbTALggkuZXg3OS5j +b20wC4IJLmV4ODAuY29tMAuCCS5leDgxLmNvbTALggkuZXg4Mi5jb20wC4IJLmV4 +ODMuY29tMAuCCS5leDg0LmNvbTALggkuZXg4NS5jb20wC4IJLmV4ODYuY29tMAuC +CS5leDg3LmNvbTALggkuZXg4OC5jb20wC4IJLmV4ODkuY29tMAuCCS5leDkwLmNv +bTALggkuZXg5MS5jb20wC4IJLmV4OTIuY29tMAuCCS5leDkzLmNvbTALggkuZXg5 +NC5jb20wC4IJLmV4OTUuY29tMAuCCS5leDk2LmNvbTALggkuZXg5Ny5jb20wC4IJ +LmV4OTguY29tMAuCCS5leDk5LmNvbTAMggouZXgxMDAuY29tMAyCCi5leDEwMS5j +b20wDIIKLmV4MTAyLmNvbTAMggouZXgxMDMuY29tMAyCCi5leDEwNC5jb20wDIIK +LmV4MTA1LmNvbTAMggouZXgxMDYuY29tMAyCCi5leDEwNy5jb20wDIIKLmV4MTA4 +LmNvbTAMggouZXgxMDkuY29tMAyCCi5leDExMC5jb20wDIIKLmV4MTExLmNvbTAM +ggouZXgxMTIuY29tMAyCCi5leDExMy5jb20wDIIKLmV4MTE0LmNvbTAMggouZXgx +MTUuY29tMAyCCi5leDExNi5jb20wDIIKLmV4MTE3LmNvbTAMggouZXgxMTguY29t +MAyCCi5leDExOS5jb20wDIIKLmV4MTIwLmNvbTAMggouZXgxMjEuY29tMAyCCi5l +eDEyMi5jb20wDIIKLmV4MTIzLmNvbTAMggouZXgxMjQuY29tMAyCCi5leDEyNS5j +b20wDIIKLmV4MTI2LmNvbTAMggouZXgxMjcuY29tMAyCCi5leDEyOC5jb20wDIIK +LmV4MTI5LmNvbTAMggouZXgxMzAuY29tMB0GA1UdDgQWBBRZqhZL7IEF/o83ZyxK +Djw6be/2ozANBgkqhkiG9w0BAQsFAAOCAQEAPObXW1f+7VAT0SUE6fLpqmP1y1PY +z5oePRsiRPrM8tbgu2DESGwcHeapCtIPXLPbf1pW3yYqTGtgIrO2IqBZmVWIk3YT +OSp4RrZDH55soOr2g6KP5RpjE6kWU5XkVxbQNLHlwRgnpQcDgVoOgIDtxpVgpXs1 +OCdNe1sdQbPbI8ciIayJJl7bEv52BjrmjYhCWCPXDBspwLhafwFzorHDj8QiYbWo +6QH1TQakxjo3Nbceax7D2LT2Aev/cMw8GqR/wykLj1EEYzdB644OYwEfdRf5RwJg +CkaQE7FWVpdVcoJnXIa8/iATpTLYuYeolpDLXJe2Eqb3SegTp6wL4x1Bzg== +-----END CERTIFICATE----- diff --git a/certs/test/include.am b/certs/test/include.am index ed03557abe..59569c92c0 100644 --- a/certs/test/include.am +++ b/certs/test/include.am 
@@ -32,7 +32,11 @@ EXTRA_DIST += \
 certs/test/cert-ext-multiple.pem \
 certs/test/cert-bad-neg-int.der \
 certs/test/cert-bad-oid.der \
- certs/test/cert-bad-utf8.der
+ certs/test/cert-bad-utf8.der \
+ certs/test/cert-over-max-altnames.cfg \
+ certs/test/cert-over-max-altnames.pem \
+ certs/test/cert-over-max-nc.cfg \
+ certs/test/cert-over-max-nc.pem
 # The certs/server-cert with the last byte (signature byte) changed
 EXTRA_DIST += \
diff --git a/tests/api.c b/tests/api.c
index 785924a16a..e228f5fe08 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -41261,6 +41261,62 @@ static int test_wolfSSL_X509_bad_altname(void)
 return EXPECT_RESULT();
 }
+static int test_wolfSSL_X509_max_altnames(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA)
+
+ /* Only test if max alt names has not been modified */
+#if WOLFSSL_MAX_ALT_NAMES == 128
+
+ WOLFSSL_CTX* ctx = NULL;
+ /* File contains a certificate encoded with 130 subject alternative names */
+ const char* over_max_altnames_cert = \
+ "./certs/test/cert-over-max-altnames.pem";
+
+#ifndef NO_WOLFSSL_SERVER
+ ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#else
+ ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+#endif
+
+ ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx,
+ over_max_altnames_cert, NULL, WOLFSSL_LOAD_FLAG_NONE),
+ WOLFSSL_SUCCESS);
+ wolfSSL_CTX_free(ctx);
+#endif
+#endif
+ return EXPECT_RESULT();
+}
+
+static int test_wolfSSL_X509_max_name_constraints(void)
+{
+ EXPECT_DECLS;
+#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+ !defined(IGNORE_NAME_CONSTRAINTS)
+
+ /* Only test if max name constraints has not been modified */
+#if WOLFSSL_MAX_NAME_CONSTRAINTS == 128
+
+ WOLFSSL_CTX* ctx = NULL;
+ /* File contains a certificate with 130 name constraints */
+ const char* over_max_nc = "./certs/test/cert-over-max-nc.pem";
+
+#ifndef NO_WOLFSSL_SERVER
+ ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#else
+ ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+#endif
+
+ ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, over_max_nc,
+ NULL, WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS);
+ wolfSSL_CTX_free(ctx);
+#endif
+
+#endif
+ return EXPECT_RESULT();
+}
+
 static int test_wolfSSL_X509(void)
 {
 EXPECT_DECLS;
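Review bot: test_wolfSSL_X509_max_altnames may pass for the wrong reason: it installs cert-over-max-altnames.pem as a trust anchor via wolfSSL_CTX_load_verify_locations_ex, but the .cfg that produced that certificate (earlier in this diff) sets no basicConstraints, whereas cert-over-max-nc.cfg explicitly sets `basicConstraints=critical,CA:true`. If the CA loader rejects a non-CA certificate regardless of its extensions, `ExpectIntNE(..., WOLFSSL_SUCCESS)` holds even with the alt-name cap removed, so the assertion does not pin the new check. Regenerating the fixture with `basicConstraints=critical,CA:true` as the nc config does, or parsing the certificate directly rather than loading it as a CA, would make the failure attributable to WOLFSSL_MAX_ALT_NAMES. Both tests are also gated only on the `== 128` default and not on the parser build variant, so if the cap is enforced in only one of the WOLFSSL_ASN_TEMPLATE implementations of asn.c they will fail under the other. The backslash in `const char* over_max_altnames_cert = \` is a stray line continuation outside any macro and can simply be dropped.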
@@ -72838,6 +72894,8 @@ TEST_CASE testCases[] = {
 TEST_DECL(test_wolfSSL_X509_check_ca),
 TEST_DECL(test_wolfSSL_X509_check_ip_asc),
 TEST_DECL(test_wolfSSL_X509_bad_altname),
+ TEST_DECL(test_wolfSSL_X509_max_altnames),
+ TEST_DECL(test_wolfSSL_X509_max_name_constraints),
 TEST_DECL(test_wolfSSL_make_cert),
 #ifndef NO_BIO
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index f5ed8804ff..743b4d4bac 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -18944,6 +18944,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
 word32 idx = 0;
 int length = 0;
 int ret = 0;
+ word32 numNames = 0;
 WOLFSSL_ENTER("DecodeAltNames");
@@ -18976,6 +18977,13 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
 while ((ret == 0) && (idx < sz)) {
 ASNGetData dataASN[altNameASN_Length];
+ numNames++;
+ if (numNames > WOLFSSL_MAX_ALT_NAMES) {
+ WOLFSSL_MSG("\tToo many subject alternative names");
+ ret = ASN_ALT_NAME_E;
+ break;
+ }
+
+ /* Clear dynamic data items. */
 XMEMSET(dataASN, 0, sizeof(dataASN));
 /* Parse GeneralName with the choices supported. */
@@ -20086,13 +20094,16 @@ static int DecodeSubtreeGeneralName(const byte* input, word32 sz, byte tag,
 * @param [in] input Buffer holding data.
 * @param [in] sz Size of data in buffer.
 * @param [in, out] head Linked list of subtree names.
+ * @param [in] limit If > 0, limit on number of tree
+ * entries to process, exceeding
+ * is an error.
 * @param [in] heap Dynamic memory hint.
 * @return 0 on success.
 * @return MEMORY_E when dynamic memory allocation fails.
 * @return ASN_PARSE_E when SEQUENCE is not found as expected.
 */
 static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
- void* heap)
+ word32 limit, void* heap)
 {
 #ifndef WOLFSSL_ASN_TEMPLATE
 word32 idx = 0;
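Review bot: The new WOLFSSL_MAX_ALT_NAMES check is added only to the loop that declares `ASNGetData dataASN[altNameASN_Length]`, i.e. the WOLFSSL_ASN_TEMPLATE implementation; if DecodeAltNames has a separate `#ifndef WOLFSSL_ASN_TEMPLATE` body with its own loop, as the DecodeSubtree hunk below shows for that function, that path keeps accepting an unbounded number of names while the asn.h comment promises a parse error. The same gap appears for DecodeSubtree in the following hunks: `limit` is consumed only in the DECL_ASNGETDATA branch, so the `#ifndef WOLFSSL_ASN_TEMPLATE` branch that starts at the end of this hunk receives the new parameter but, as far as the diff shows, neither enforces nor references it (which would also trip -Wunused-parameter builds). Either mirror the counter in the non-template loops or state in asn.h that the caps apply to template parsing only. DecodeAltNames' body starts and ends outside this hunk.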
@@ -20170,6 +20181,7 @@ static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
 DECL_ASNGETDATA(dataASN, subTreeASN_Length);
 word32 idx = 0;
 int ret = 0;
+ word32 cnt = 0;
 (void)heap;
@@ -20179,6 +20191,14 @@ static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
 while ((ret == 0) && (idx < (word32)sz)) {
 byte minVal = 0;
 byte maxVal = 0;
+ if (limit > 0) {
+ cnt++;
+ if (cnt > limit) {
+ WOLFSSL_MSG("too many name constraints");
+ ret = ASN_NAME_INVALID_E;
+ break;
+ }
+ }
 /* Clear dynamic data and set choice for GeneralName and location to
 * store minimum and maximum.
@@ -20277,7 +20297,7 @@ static int DecodeNameConstraints(const byte* input, word32 sz,
 }
 if (DecodeSubtree(input + idx, (word32)length, subtree,
- cert->heap) < 0) {
+ WOLFSSL_MAX_NAME_CONSTRAINTS, cert->heap) < 0) {
 WOLFSSL_MSG("\terror parsing subtree");
 return ASN_PARSE_E;
 }
@@ -20304,7 +20324,7 @@ static int DecodeNameConstraints(const byte* input, word32 sz,
 ret = DecodeSubtree(
 dataASN[NAMECONSTRAINTSASN_IDX_PERMIT].data.ref.data,
 dataASN[NAMECONSTRAINTSASN_IDX_PERMIT].data.ref.length,
- &cert->permittedNames, cert->heap);
+ &cert->permittedNames, WOLFSSL_MAX_NAME_CONSTRAINTS,
+ cert->heap);
 }
 }
 if (ret == 0) {
@@ -20313,7 +20334,8 @@ static int DecodeNameConstraints(const byte* input, word32 sz,
 ret = DecodeSubtree(
 dataASN[NAMECONSTRAINTSASN_IDX_EXCLUDE].data.ref.data,
 dataASN[NAMECONSTRAINTSASN_IDX_EXCLUDE].data.ref.length,
- &cert->excludedNames, cert->heap);
+ &cert->excludedNames, WOLFSSL_MAX_NAME_CONSTRAINTS,
+ cert->heap);
 }
 }
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index d848dbc4dc..6a32bf8cd9 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
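Review bot: The new log message `WOLFSSL_MSG("too many name constraints")` in the DecodeSubtree loop breaks the convention of the messages around it in DecodeNameConstraints (`"\terror parsing subtree"`) and of the parallel new alt-name message (`"\tToo many subject alternative names"`); suggest `WOLFSSL_MSG("\tToo many name constraints");`. The counter is named `cnt` here but `numNames` in DecodeAltNames although the two checks are identical in shape; a common name such as `numEntries` in both places would make the parallel easier to spot when auditing the limits. DecodeSubtree's loop body continues outside this hunk.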
@@ -780,6 +780,20 @@ extern const WOLFSSL_ObjectInfo wolfssl_object_info[];
 #define WOLFSSL_TLS_FEATURE_SUM 92
 #endif
+/* Maximum number of allowed subject alternative names in a certificate.
+ * Any certificate containing more than this number of subject
+ * alternative names will cause an error when attempting to parse. */
+#ifndef WOLFSSL_MAX_ALT_NAMES
+#define WOLFSSL_MAX_ALT_NAMES 128
+#endif
+
+/* Maximum number of allowed name constraints in a certificate.
+ * Any certificate containing more than this number of name constraints
+ * will cause an error when attempting to parse. */
+#ifndef WOLFSSL_MAX_NAME_CONSTRAINTS
+#define WOLFSSL_MAX_NAME_CONSTRAINTS 128
+#endif
+
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 /* NIDs */
 #define NID_undef 0
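Review bot: The WOLFSSL_MAX_NAME_CONSTRAINTS comment says "name constraints in a certificate", but the check in asn.c runs per DecodeSubtree call with a fresh `cnt`, and DecodeNameConstraints calls it once for permittedSubtrees and once for excludedSubtrees, so a certificate may carry up to twice this many entries in total. Suggest wording it to match the code: `/* Maximum number of entries allowed in each of the permittedSubtrees and excludedSubtrees lists of a certificate's name constraints; exceeding it in either list is a parse error. */`. The WOLFSSL_MAX_ALT_NAMES comment should likewise say that the count covers every GeneralName in the subjectAltName extension, not only DNS names, since DecodeAltNames increments `numNames` before it dispatches on the name type. Both comments should also mention which parser implementation enforces the cap if, as the asn.c hunks suggest, only the WOLFSSL_ASN_TEMPLATE path does.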