diff --git a/CHANGES b/CHANGES
index 9d96037cd4d164a80de2964a2aaf3d70c42a50d7..cb4ec5b3e82866e7865f030648f2552dcaf3701a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
+ *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
+ for the first serial number and places 2 in the serial number file. This
+ avoids problems when the root CA is created with serial number zero and
+ the first user certificate has the same issuer name and serial number
+ as the root CA.
+ [Steve Henson]
+
 *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses the new code. Add documentation for this stuff. [Steve Henson]
diff --git a/apps/x509.c b/apps/x509.c
index 62982e42271a8564baaa158b4c62ef9dcadf3b04..c5b163ea7079d38ada5a744df3f5e2ba8e1cdd37 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -943,8 +943,8 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 }
 else
 {
- ASN1_INTEGER_set(bs,0);
- BN_zero(serial);
+ ASN1_INTEGER_set(bs,1);
+ BN_one(serial);
 }
 }
 else
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index 52ac949b18816baf4b4572e032931d79c46712e7..52c3589e7b6c96697dcf415b6894175246e902ed 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -311,8 +311,9 @@ The default filename consists of the CA certificate file base name with
 =item B<-CAcreateserial filename> with this option the CA serial number file is created if it does not exist:
-it will contain the serial number "01". Normally if the B<-CA> option is
-specified and the serial number file does not exist it is an error.
+it will contain the serial number "02" and the certificate being signed will
+have the 1 as its serial number. Normally if the B<-CA> option is specified
+and the serial number file does not exist it is an error.
 =item B<-extfile filename>
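Review bot: The new `ASN1_INTEGER_set(bs,1)` / `BN_one(serial)` branch still hands out a fixed serial whenever the serial file is absent, so it only relocates the collision: if that file is later deleted or lost and `-CAcreateserial` is used again, the next certificate is issued with serial 1 under the same issuer as the earlier one, which violates the issuer+serial uniqueness RFC 5280 requires and makes revocation by serial ambiguous. The commit addresses the root-CA-versus-first-certificate clash described in CHANGES, but nothing in this hunk distinguishes "first run" from "file went missing", and the .pod text now documents file creation as routine. At minimum I would put a why-comment on the two new lines, `/* No serial file: start at 1 (0 is left for a self-signed root). A lost file silently reissues 1 under the same issuer - use -CAcreateserial only once. */`, and consider a warning on stderr whenever the file is created, though the code that opens the serial file is outside this hunk so I cannot tell whether one already exists. Small sequential serials are also predictable; random serials became CA practice later, so I note it only as a caveat here. x509_certify's body begins and ends outside the hunk.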