diff --git a/SOURCES/0034-Use-implicit-empty-FALSE-for-extensions.patch b/SOURCES/0034-Use-implicit-empty-FALSE-for-extensions.patch
new file mode 100644
index 0000000..9264e87
--- /dev/null
+++ b/SOURCES/0034-Use-implicit-empty-FALSE-for-extensions.patch
@@ -0,0 +1,280 @@
+From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 4 Oct 2021 18:52:53 +0200
+Subject: [PATCH] Use implicit, empty FALSE for extensions
+
+Cemplate had a bug that caused certmonger to create CSRs with invalid DER.
+It was encoding extension's critical element even for default value FALSE.
+
+Fixes: https://pagure.io/certmonger/issue/223
+Signed-off-by: Christian Heimes
+---
+ src/certext.c | 7 +-
+ tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------
+ tests/003-csrgen/expected.out | 110 +++++++++++++-----------------
+ 3 files changed, 91 insertions(+), 108 deletions(-)
+
+diff --git a/src/certext.c b/src/certext.c
+index 0d66971e..e5e0b4dc 100644
+--- a/src/certext.c
++++ b/src/certext.c
+@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
+ CERTCertExtension ext[13], *exts[14], **exts_ptr;
+ SECOidData *oid;
+ SECItem *item, encoded;
++ /* X509v3 extension's critical element has an implicit default,
++ * see https://pagure.io/certmonger/issue/223
++ */
+ SECItem der_false = {
+- .len = 1,
+- .data = (unsigned char *) "\000",
++ .len = 0,
++ .data = NULL,
+ };
+ SECItem der_true = {
+ .len = 1,
+diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
+index def53fe4..0fb88323 100644
+--- a/tests/003-csrgen-rsa/expected.out
++++ b/tests/003-csrgen-rsa/expected.out
+@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
+ 4096 OK.
+ Signature OK + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1413 cons: SEQUENCE +- 4:d=1 hl=4 l=1133 cons: SEQUENCE ++ 0:d=0 hl=4 l=1389 cons: SEQUENCE ++ 4:d=1 hl=4 l=1109 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET +@@ -21,7 +21,7 @@ The last CSR (the one with everything) was: + 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption + 52:d=4 hl=2 l= 0 prim: NULL + 54:d=3 hl=4 l= 271 prim: BIT STRING +- 329:d=2 hl=4 l= 808 cons: cont [ 0 ] ++ 329:d=2 hl=4 l= 784 cons: cont [ 0 ] + 333:d=3 hl=2 l= 52 cons: SEQUENCE + 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword + 346:d=4 hl=2 l= 39 cons: SET +@@ -30,48 +30,40 @@ The last CSR (the one with everything) was: + 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName + 400:d=4 hl=2 l= 48 cons: SET + 402:d=5 hl=2 l= 46 prim: BMPSTRING +- 450:d=3 hl=4 l= 687 cons: SEQUENCE ++ 450:d=3 hl=4 l= 663 cons: SEQUENCE + 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 465:d=4 hl=4 l= 672 cons: SET +- 469:d=5 hl=4 l= 668 cons: SEQUENCE +- 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 465:d=4 hl=4 l= 648 cons: SET ++ 469:d=5 hl=4 l= 644 cons: SEQUENCE ++ 473:d=6 hl=2 l= 11 cons: SEQUENCE + 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 +- 489:d=6 hl=4 l= 264 cons: SEQUENCE +- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]: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 +- 757:d=6 hl=2 l= 32 cons: SEQUENCE +- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 791:d=6 hl=2 l= 18 cons: SEQUENCE +- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255 +- 801:d=7 hl=2 l= 8 
prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 811:d=6 hl=2 l= 34 cons: SEQUENCE +- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 847:d=6 hl=2 l= 32 cons: SEQUENCE +- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 881:d=6 hl=2 l= 107 cons: SEQUENCE +- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 990:d=6 hl=2 l= 96 cons: SEQUENCE +- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 1088:d=6 hl=2 l= 51 cons: SEQUENCE +- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 1141:d=1 hl=2 l= 13 cons: SEQUENCE +- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 1154:d=2 hl=2 l= 0 prim: NULL +- 1156:d=1 hl=4 l= 257 prim: BIT STRING ++ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 486:d=6 hl=4 l= 261 cons: SEQUENCE ++ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX 
DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74 ++ 751:d=6 hl=2 l= 29 cons: SEQUENCE ++ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 782:d=6 hl=2 l= 18 cons: SEQUENCE ++ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 ++ 802:d=6 hl=2 l= 31 cons: SEQUENCE ++ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 835:d=6 hl=2 l= 29 cons: SEQUENCE ++ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 866:d=6 hl=2 l= 104 cons: SEQUENCE ++ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 972:d=6 hl=2 l= 93 cons: SEQUENCE ++ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1067:d=6 
hl=2 l= 48 cons: SEQUENCE ++ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1117:d=1 hl=2 l= 13 cons: SEQUENCE ++ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption ++ 1130:d=2 hl=2 l= 0 prim: NULL ++ 1132:d=1 hl=4 l= 257 prim: BIT STRING + Test complete (32 combinations). +diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out +index 46e010cf..1081a678 100644 +--- a/tests/003-csrgen/expected.out ++++ b/tests/003-csrgen/expected.out +@@ -11,8 +11,8 @@ Signature OK + minicert.openssl.4096.pem: OK + 4096 OK. + The last CSR (the one with everything) was: +- 0:d=0 hl=4 l=1635 cons: SEQUENCE +- 4:d=1 hl=4 l=1355 cons: SEQUENCE ++ 0:d=0 hl=4 l=1599 cons: SEQUENCE ++ 4:d=1 hl=4 l=1319 cons: SEQUENCE + 8:d=2 hl=2 l= 1 prim: INTEGER :00 + 11:d=2 hl=2 l= 22 cons: SEQUENCE + 13:d=3 hl=2 l= 20 cons: SET +@@ -24,7 +24,7 @@ The last CSR (the one with everything) was: + 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption + 52:d=4 hl=2 l= 0 prim: NULL + 54:d=3 hl=4 l= 271 prim: BIT STRING +- 329:d=2 hl=4 l=1030 cons: cont [ 0 ] ++ 329:d=2 hl=4 l= 994 cons: cont [ 0 ] + 333:d=3 hl=2 l= 52 cons: SEQUENCE + 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword + 346:d=4 hl=2 l= 39 cons: SET +@@ -33,64 +33,52 @@ The last CSR (the one with everything) was: + 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName + 400:d=4 hl=2 l= 48 cons: SET + 402:d=5 hl=2 l= 46 prim: BMPSTRING +- 450:d=3 hl=4 l= 909 cons: SEQUENCE ++ 450:d=3 hl=4 l= 873 cons: SEQUENCE + 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request +- 465:d=4 hl=4 l= 894 cons: SET +- 469:d=5 hl=4 l= 890 cons: SEQUENCE +- 473:d=6 hl=2 l= 14 cons: SEQUENCE ++ 465:d=4 hl=4 l= 858 cons: SET ++ 469:d=5 hl=4 l= 854 cons: SEQUENCE ++ 473:d=6 hl=2 l= 11 cons: SEQUENCE + 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage +- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX 
DUMP]:030205E0 +- 489:d=6 hl=4 l= 290 cons: SEQUENCE +- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name +- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 +- 783:d=6 hl=2 l= 32 cons: SEQUENCE +- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage +- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 +- 817:d=6 hl=2 l= 18 cons: SEQUENCE +- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints +- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255 +- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 +- 837:d=6 hl=2 l= 34 cons: SEQUENCE +- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier +- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D +- 873:d=6 hl=2 l= 32 cons: SEQUENCE +- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier +- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D +- 907:d=6 hl=2 l= 107 cons: SEQUENCE +- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access +- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 +- 1016:d=6 hl=2 l= 96 cons: SEQUENCE +- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points +- 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 +- 1114:d=6 hl=2 l= 106 cons: SEQUENCE +- 1116:d=7 hl=2 l= 3 prim: 
OBJECT :X509v3 Freshest CRL +- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 +- 1222:d=6 hl=2 l= 51 cons: SEQUENCE +- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment +- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 +- 1275:d=6 hl=2 l= 18 cons: SEQUENCE +- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check +- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 +- 1295:d=6 hl=2 l= 44 cons: SEQUENCE +- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 +- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 +- 1341:d=6 hl=2 l= 20 cons: SEQUENCE +- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type +- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0 +- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 +- 1363:d=1 hl=2 l= 13 cons: SEQUENCE +- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption +- 1376:d=2 hl=2 l= 0 prim: NULL +- 1378:d=1 hl=4 l= 257 prim: BIT STRING ++ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 ++ 486:d=6 hl=4 l= 287 cons: SEQUENCE ++ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name ++ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 ++ 777:d=6 hl=2 l= 29 cons: SEQUENCE ++ 779:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage ++ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 ++ 808:d=6 hl=2 l= 18 cons: SEQUENCE ++ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints ++ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255 ++ 818:d=7 hl=2 l= 8 prim: OCTET 
STRING [HEX DUMP]:30060101FF020103 ++ 828:d=6 hl=2 l= 31 cons: SEQUENCE ++ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier ++ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D ++ 861:d=6 hl=2 l= 29 cons: SEQUENCE ++ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier ++ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D ++ 892:d=6 hl=2 l= 104 cons: SEQUENCE ++ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access ++ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 ++ 998:d=6 hl=2 l= 93 cons: SEQUENCE ++ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points ++ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 ++ 1093:d=6 hl=2 l= 103 cons: SEQUENCE ++ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL ++ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 ++ 1198:d=6 hl=2 l= 48 cons: SEQUENCE ++ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment ++ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 ++ 1248:d=6 hl=2 l= 15 cons: SEQUENCE ++ 1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check ++ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 ++ 1265:d=6 hl=2 l= 41 cons: SEQUENCE ++ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 ++ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX 
DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
++ 1308:d=6 hl=2 l= 17 cons: SEQUENCE
++ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
++ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
++ 1327:d=1 hl=2 l= 13 cons: SEQUENCE
++ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
++ 1340:d=2 hl=2 l= 0 prim: NULL
++ 1342:d=1 hl=4 l= 257 prim: BIT STRING
+ Test complete (69 combinations).
+--
+2.31.1
+
diff --git a/SOURCES/0035-Use-extensions-template-from-NSS.patch b/SOURCES/0035-Use-extensions-template-from-NSS.patch
new file mode 100644
index 0000000..99e98c3
--- /dev/null
+++ b/SOURCES/0035-Use-extensions-template-from-NSS.patch
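Review bot: A zero-length `der_false` only yields valid DER if the template marks `critical` as OPTIONAL so the NSS encoder drops the element; in this patch it still feeds certmonger's private `cm_certext_cert_extension_template`, whose `critical` is a plain `SEC_ASN1_BOOLEAN` (only the companion 0035 patch removes it), and whether NSS skips an empty non-optional BOOLEAN or emits an empty `01 00`, which a strict DER parser rejects just the same, is not visible here. The index lines show upstream applied 0035 first (its post-image `0d66971e` is this patch's pre-image), so the regenerated expected.out files were produced with the NSS template and the spec applies the two in reverse order, relying on `patch` to place this hunk at an offset; numbering them in upstream order, or at least checking the build log for offset/fuzz messages, would make that explicit. The added comment could also state the rule being satisfied: `/* critical BOOLEAN DEFAULT FALSE (RFC 5280 4.1): DER (X.690 11.5) forbids encoding a DEFAULT value, so a zero-length item makes the encoder omit it */`. `cm_certext_build_csr_extensions` begins and ends outside the hunk.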
@@ -0,0 +1,80 @@
+From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 4 Oct 2021 15:55:44 +0200
+Subject: [PATCH] Use extensions template from NSS
+
+Drop certmonger's custom extension template and use the sequence of X509v3
+extensions template from NSS.
+
+The certmonger template had a bug that caused certmonger to create CSRs
+with invalid DER. It was encoding extension's critical element even for
+default value FALSE.
+
+Fixes: https://pagure.io/certmonger/issue/223
+Signed-off-by: Christian Heimes
+---
+ src/certext.c | 41 +----------------------------------------
+ 1 file changed, 1 insertion(+), 40 deletions(-)
+
+diff --git a/src/certext.c b/src/certext.c
+index be536987..0d66971e 100644
+--- a/src/certext.c
++++ b/src/certext.c
+@@ -203,45 +203,6 @@ cm_ms_template_template[] = {
+ {0, 0, NULL, 0},
+ };
+
+-/* RFC 5280, 4.1 */
+-const SEC_ASN1Template
+-cm_certext_cert_extension_template[] = {
+- {
+- .kind = SEC_ASN1_SEQUENCE,
+- .offset = 0,
+- .sub = NULL,
+- .size = sizeof(CERTCertExtension),
+- },
+- {
+- .kind = SEC_ASN1_OBJECT_ID,
+- .offset = offsetof(CERTCertExtension, id),
+- .sub = NULL,
+- .size = sizeof(SECItem),
+- },
+- {
+- .kind = SEC_ASN1_BOOLEAN,
+- .offset = offsetof(CERTCertExtension, critical),
+- .sub = NULL,
+- .size = sizeof(SECItem),
+- },
+- {
+- .kind = SEC_ASN1_OCTET_STRING,
+- .offset = offsetof(CERTCertExtension, value),
+- .sub = NULL,
+- .size = sizeof(SECItem),
+- },
+- {0, 0, NULL, 0},
+-};
+-const SEC_ASN1Template
+-cm_certext_sequence_of_cert_extension_template[] = {
+- {
+- .kind = SEC_ASN1_SEQUENCE_OF,
+- .offset = 0,
+- .sub = cm_certext_cert_extension_template,
+- .size = sizeof(CERTCertExtension **),
+- },
+-};
+-
+ /* Windows 2000-style UPN */
+ static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03};
+ static const SECOidData oid_ms_upn_name = {
+@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct
cm_store_entry *entry,
+ /* Encode the sequence. */
+ memset(&encoded, 0, sizeof(encoded));
+ if (i > 1) {
+- template = cm_certext_sequence_of_cert_extension_template;
++ template = CERT_SequenceOfCertExtensionTemplate;
+ if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr,
+ template) == &encoded) {
+ *extensions = talloc_memdup(entry, encoded.data,
+--
+2.31.1
+
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index d8d8f8f..47f98c6 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -26,7 +26,7 @@ Name: certmonger
 Version: 0.78.4
-Release: 16%{?dist}
+Release: 17%{?dist}
 Summary: Certificate status monitor and PKI enrollment client
 Group: System Environment/Daemons
@@ -69,6 +69,8 @@ Patch0030: 0030-Ensure-that-files-read-in-have-a-trailing-new-line.patch
 Patch0031: 0031-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
 Patch0032: 0032-Don-t-report-a-spurious-error-if-no-SCEP-pkiMessage-.patch
 Patch0033: 0033-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
+Patch0034: 0034-Use-implicit-empty-FALSE-for-extensions.patch
+Patch0035: 0035-Use-extensions-template-from-NSS.patch
 Patch1001: 1001-Remove-rekey-feature.patch
 Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch
@@ -289,6 +291,10 @@ exit 0
 %endif
 %changelog
+* Tue Oct 19 2021 Rob Crittenden - 0.78.4-17
+- certmonger creates CSRs with invalid DER syntax for X509v3 extensions
+  with critical=FALSE (#2015511)
+
 * Mon Sep 20 2021 Rob Crittenden - 0.78.4-16
 - Fix file descriptor leak when executing CA helpers (#1992439)
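Review bot: The new line references `CERT_SequenceOfCertExtensionTemplate` directly, whereas NSS documents access to its public templates through the chooser macro, so `template = SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate);` is the portable spelling; on Linux the symbol resolves either way, so this is a style point rather than a defect. Note that this patch alone does not stop the explicit FALSE: as I recall NSS's `CERT_CertExtensionTemplate` declares `critical` as `SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN`, which the encoder omits only for a zero-length item, and the `der_false = { .len = 1, .data = "\000" }` that feeds it is only changed by the companion 0034 patch, so the two must ship together (the spec does list both). The root cause is the removed private template declaring `critical` as `SEC_ASN1_BOOLEAN` without `SEC_ASN1_OPTIONAL`, which the commit message could name instead of "had a bug". `cm_certext_build_csr_extensions` begins and ends outside the hunk.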