diff --git a/openvpn/openssl/pki/x509certinfo.hpp b/openvpn/openssl/pki/x509certinfo.hpp
index 42705ec5..61af1bbf 100644
--- a/openvpn/openssl/pki/x509certinfo.hpp
+++ b/openvpn/openssl/pki/x509certinfo.hpp
@@ -198,20 +198,18 @@ static std::string x509_get_field(::X509 *cert, const int nid)
 */
 static std::string x509_get_serial(::X509 *cert)
 {
- ASN1_INTEGER *asn1_i;
- BIGNUM *bignum;
- char *openssl_serial;
-
- asn1_i = X509_get_serialNumber(cert);
- bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);
- openssl_serial = BN_bn2dec(bignum);
-
- const std::string ret = openssl_serial;
-
+ const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);
+ BIGNUM *bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);
+ char *openssl_serial = BN_bn2dec(bignum);
 BN_free(bignum);
- OPENSSL_free(openssl_serial);
- return ret;
+ if (openssl_serial)
+ {
+ const std::string ret = openssl_serial;
+ OPENSSL_free(openssl_serial);
+ return ret;
+ }
+ return std::string();
 }
 /**
diff --git a/openvpn/openssl/ssl/sslctx.hpp b/openvpn/openssl/ssl/sslctx.hpp
index 0a93ec7a..256fb58a 100644
--- a/openvpn/openssl/ssl/sslctx.hpp
+++ b/openvpn/openssl/ssl/sslctx.hpp
@@ -1687,9 +1687,13 @@ class OpenSSLContext : public SSLFactoryAPI
 switch (c.type)
 {
 case X509Track::SERIAL:
- xts.emplace_back(X509Track::SERIAL,
- depth,
- OpenSSLPKI::x509_get_serial(cert));
+ {
+ std::string serial = OpenSSLPKI::x509_get_serial(cert);
+ if (!serial.empty())
+ xts.emplace_back(X509Track::SERIAL,
+ depth,
+ serial);
+ }
 break;
 case X509Track::SERIAL_HEX:
 xts.emplace_back(X509Track::SERIAL_HEX,
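Review bot: The new null check in x509_get_serial covers only the result of `BN_bn2dec`, while the `bignum` returned by `ASN1_INTEGER_to_BN(asn1_i, NULL)` is still passed to `BN_bn2dec` unchecked. OpenSSL documents that ASN1_INTEGER_to_BN returns NULL on error, and BN_bn2dec is not documented to accept a NULL BIGNUM, so a failed conversion on a peer-supplied certificate could still dereference a null pointer here. Add `if (!bignum) return std::string();` directly after the conversion, before the `BN_bn2dec` call. The doc comment above the function begins outside the hunk; it should also state that an empty return value means the serial could not be converted.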
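Review bot: In the `X509Track::SERIAL` case an unreadable serial is now dropped without any trace, so a consumer of `xts` cannot tell a serial that was never requested from one that could not be decoded. A comment on the new block would record the intent, e.g. `// x509_get_serial() returns "" on conversion failure; skip the entry instead of tracking an empty serial`. The `SERIAL_HEX` case that follows still appears to emplace unconditionally (its arguments continue past the hunk), so it may need the same guard if its helper can also return an empty string. As a matter of style, `serial` is copied into the entry; `xts.emplace_back(X509Track::SERIAL, depth, std::move(serial));` avoids the copy. The enclosing function starts and ends outside the hunk.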