diff --git a/certs/test/cert-ext-ndir.cfg b/certs/test/cert-ext-ndir.cfg
new file mode 100644
index 000000000..0757874d8
--- /dev/null
+++ b/certs/test/cert-ext-ndir.cfg
@@ -0,0 +1,23 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = constraints
+
+[ req_distinguished_name ]
+C             = US
+ST            = Montana
+L             = Bozeman
+O             = Sawtooth
+OU            = Consulting
+CN            = www.wolfssl.com
+emailAddress  = info@wolfsssl.com
+
+[constraints]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:TRUE
+nameConstraints=critical,permitted;dirName:dir_name
+
+[dir_name]
+countryName = US
+
diff --git a/certs/test/cert-ext-ndir.der b/certs/test/cert-ext-ndir.der
new file mode 100644
index 000000000..63f566bfc
Binary files /dev/null and b/certs/test/cert-ext-ndir.der differ
diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh
index 10b887133..65ce2124c 100755
--- a/certs/test/gen-ext-certs.sh
+++ b/certs/test/gen-ext-certs.sh
@@ -2,8 +2,9 @@
 
 TMP="/tmp/`basename $0`"
 
+KEY=certs/server-key.der
 gen_cert() {
-    openssl req -x509 -keyform DER -key certs/server-key.der \
+    openssl req -x509 -keyform DER -key $KEY \
       -days 1000 -new -outform DER -out $OUT -config $CONFIG \
         >$TMP 2>&1
 
@@ -96,3 +97,34 @@ nsComment        = "Testing Netscape Certificate Type"
 EOF
 gen_cert
 
+KEY=certs/ca-key.der
+OUT=certs/test/cert-ext-ndir.der
+KEYFILE=certs/ca-key.der
+CONFIG=certs/test/cert-ext-ndir.cfg
+tee >$CONFIG <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = constraints
+
+[ req_distinguished_name ]
+C             = US
+ST            = Montana
+L             = Bozeman
+O             = Sawtooth
+OU            = Consulting
+CN            = www.wolfssl.com
+emailAddress  = info@wolfsssl.com
+
+[constraints]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=CA:TRUE
+nameConstraints=critical,permitted;dirName:dir_name
+
+[dir_name]
+countryName = US
+
+EOF
+gen_cert
+
diff --git a/certs/test/include.am b/certs/test/include.am
index 6f37df6d2..ca9822032 100644
--- a/certs/test/include.am
+++ b/certs/test/include.am
@@ -9,6 +9,8 @@ EXTRA_DIST += \
          certs/test/cert-ext-nc.der \
          certs/test/cert-ext-nct.cfg \
          certs/test/cert-ext-nct.der \
+         certs/test/cert-ext-ndir.cfg \
+         certs/test/cert-ext-ndir.der \
          certs/test/cert-ext-ns.der \
          certs/test/gen-ext-certs.sh \
          certs/test/server-duplicate-policy.pem \
diff --git a/tests/api.c b/tests/api.c
index 4a6b5ffcd..9e81ac409 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -1267,6 +1267,90 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
 #endif
 }
 
+
+static void test_wolfSSL_CertManagerNameConstraint2(void)
+{
+#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
+    !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
+    defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
+    defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES)
+    const char* ca_cert = "./certs/test/cert-ext-ndir.der";
+    const char* server_cert = "./certs/server-cert.pem";
+    WOLFSSL_CERT_MANAGER* cm;
+    WOLFSSL_X509 *x509, *ca;
+
+    const unsigned char *der;
+    const unsigned char *pt;
+    WOLFSSL_EVP_PKEY *priv;
+    WOLFSSL_X509_NAME* name;
+    int   derSz;
+
+    /* C=US*/
+    char altName[] = {
+        0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53
+    };
+
+    /* C=ID */
+    char altNameFail[] = {
+        0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
+        0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44
+    };
+
+    /* load in CA private key for signing */
+    pt = ca_key_der_2048;
+    AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt,
+                                                sizeof_ca_key_der_2048));
+
+    AssertNotNull(cm = wolfSSL_CertManagerNew());
+    AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
+                WOLFSSL_FILETYPE_ASN1));
+    AssertNotNull((der = wolfSSL_X509_get_der(ca, &derSz)));
+    AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
+                WOLFSSL_FILETYPE_PEM));
+    AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
+    AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
+    wolfSSL_X509_sign(x509, priv, EVP_sha256());
+    AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
+    AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+
+    /* add in matching DIR alt name and resign */
+    wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE);
+    wolfSSL_X509_sign(x509, priv, EVP_sha256());
+
+    AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
+    AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+    wolfSSL_X509_free(x509);
+
+    /* check verify fail */
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
+                WOLFSSL_FILETYPE_PEM));
+    AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
+    AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
+
+    /* add in miss matching DIR alt name and resign */
+    wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
+            ASN_DIR_TYPE);
+
+
+    wolfSSL_X509_sign(x509, priv, EVP_sha256());
+    AssertNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
+    AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
+    wolfSSL_CertManagerFree(cm);
+
+    wolfSSL_X509_free(x509);
+    wolfSSL_X509_free(ca);
+    wolfSSL_X509_MAME_free(name);
+    wolfSSL_EVP_PKEY_free(priv);
+#endif
+}
+
 static void test_wolfSSL_CertManagerCRL(void)
 {
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \
@@ -39246,6 +39330,7 @@ void ApiTest(void)
     test_wolfSSL_CertManagerGetCerts();
     test_wolfSSL_CertManagerSetVerify();
     test_wolfSSL_CertManagerNameConstraint();
+    test_wolfSSL_CertManagerNameConstraint2();
     test_wolfSSL_CertManagerCRL();
     test_wolfSSL_CTX_load_verify_locations_ex();
     test_wolfSSL_CTX_load_verify_buffer_ex();
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index eb1491b6c..d509e89c6 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -7799,6 +7799,11 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
                 WOLFSSL_MSG("\tfail: str length");
                 return ASN_PARSE_E;
             }
+
+            if (GetSequence(input, &idx, &strLen, sz) < 0) {
+                WOLFSSL_MSG("\tfail: seq length");
+                return ASN_PARSE_E;
+            }
             length -= (idx - lenStartIdx);
 
             dirEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
@@ -12717,7 +12722,11 @@ int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names)
 
     curName = names;
     do {
-        output[idx++] = ASN_CONTEXT_SPECIFIC | curName->type;
+        output[idx] = ASN_CONTEXT_SPECIFIC | curName->type;
+        if (curName->type == ASN_DIR_TYPE) {
+            output[idx] |= ASN_CONSTRUCTED;
+        }
+        idx++;
         idx += SetLength(curName->len, output + idx);
         XMEMCPY(output + idx, curName->name, curName->len);
         idx += curName->len;