diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index 70dfe2838..a735d1ff0 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -240,7 +240,7 @@ function run_renewcerts(){ mv tmp.pem client-ecc-cert.pem ############################################################ - ########## update the self-signed server-ecc.pem ########### + ########## update the server-ecc.pem ####################### ############################################################ echo "Updating server-ecc.pem" echo "" @@ -248,7 +248,7 @@ function run_renewcerts(){ echo -e "US\nWashington\nSeattle\nEliptic\nECC\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ecc-key.pem -nodes -out server-ecc.csr - openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key.pem -out server-ecc.pem + openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CAfile ca-ecc-cert.pem -CAkey ca-ecc-key.pem -out server-ecc.pem rm server-ecc.csr openssl x509 -in server-ecc.pem -text > tmp.pem @@ -329,6 +329,13 @@ function run_renewcerts(){ echo "" echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin + ############################################################ + ###### update the test-servercert.p12 file ################# + ############################################################ + echo "Updating test-servercert.p12 (password is \"wolfSSL test\")" + echo "" + echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin + ############################################################ ###### calling gen-ext-certs.sh ################## ############################################################ 
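Review bot: The rewritten `openssl x509 -req` line in the second hunk (@@ -248) names the issuer certificate with `-CAfile`, but on the OpenSSL 1.x `x509` command the issuer-certificate option is `-CA` (`-CAfile` is the trust-store option of `openssl verify`), so please confirm the flag against the OpenSSL build renewcerts.sh is run with. Signing with an issuer also needs a serial number: without `-set_serial` or `-CAcreateserial`, `x509 -req` looks for a `.srl` file next to the issuer certificate and fails when it is absent; whether the script already provides one for the other ca-ecc-signed steps is outside this hunk. Nothing checks the command's exit status, so a failed signing leaves a stale or missing server-ecc.pem that the following `openssl x509 -in server-ecc.pem -text` and the PKCS12 exports in the third hunk consume silently; `... -out server-ecc.pem || exit 1` would surface it. run_renewcerts starts and continues outside the hunk.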
@@ -338,6 +345,15 @@ function run_renewcerts(){
 ./certs/test/gen-ext-certs.sh
 cd ./certs
 
+ ############################################################
+ ###### calling gen-badsig.sh ##################
+ ############################################################
+ echo "Calling gen-badsig.sh"
+ echo ""
+ cd ./test
+ ./gen-badsig.sh
+ cd ../
+
 ############################################################
 ########## store DER files as buffers ######################
 ############################################################
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index ecebae9ae..11293afd3 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -177,6 +177,15 @@ authorityKeyIdentifier=keyid:always
 basicConstraints=critical, CA:TRUE
 keyUsage=critical, digitalSignature, keyCertSign, cRLSign
 
+# server-ecc extensions
+[ server_ecc ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage=serverAuth
+nsCertType=server
+
 #tsa default
 [ tsa ]
 default_tsa = tsa_config1
diff --git a/certs/test/gen-badsig.sh b/certs/test/gen-badsig.sh
new file mode 100755
index 000000000..aafe06f97
--- /dev/null
+++ b/certs/test/gen-badsig.sh
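Review bot: The added `cd ./test` / `./gen-badsig.sh` / `cd ../` sequence in the renewcerts.sh hunk changes the working directory of the whole script, so if `cd ./test` fails the `cd ../` still runs and every later step (the "store DER files as buffers" section that follows) executes one directory too high, and a failing gen-badsig.sh is never noticed because its status is discarded. A subshell keeps the directory stable and propagates the failure in one line: `( cd ./test && ./gen-badsig.sh ) || exit 1`. A short comment such as `# gen-badsig.sh must run from certs/test: it reads ../server-cert.pem and ../server-ecc.pem` would also explain why this block, unlike the preceding `./certs/test/gen-ext-certs.sh` call, descends into the directory. run_renewcerts starts and continues outside the hunk.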
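Review bot: `keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement` in the new `[ server_ecc ]` section of wolfssl.cnf asserts keyEncipherment on a certificate that renewcerts.sh issues for the EC key ecc-key.pem, and RFC 5480 section 3 states that keyEncipherment and dataEncipherment must not be present in the keyUsage of an id-ecPublicKey certificate, so a verifier that enforces the profile will reject server-ecc.pem outright. For an ECDSA server certificate `keyUsage=critical, digitalSignature, keyAgreement` is the conventional value (digitalSignature is what ECDHE-ECDSA needs; keyAgreement only matters for static ECDH). If the extra bit is deliberate, to exercise wolfSSL's keyUsage handling for EC certificates, a comment on the section such as `# keyEncipherment set on purpose: exercises KU checking for EC certs (RFC 5480 forbids it)` would stop the next reader from correcting it.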
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+generate() {
+ # read in certificate and alter the last part of the signature
+ num_lines=$(wc -l < $cert)
+ i=1
+
+ rm -f $pem_out
+ touch $pem_out
+ while IFS= read -r line
+ do
+ if [[ $((i+1)) -eq ${num_lines} ]]; then
+ # last line before END tag. Alter the sig here
+ idx=`expr ${#line} - 4`
+ chr=${line:idx:1}
+ if [ "$chr" == "x" ] || [ "$chr" == "X" ]; then
+ echo "${line:0:${idx}}a${line:$((idx+1)):$((idx+4))}" >> $pem_out
+ else
+ echo "${line:0:${idx}}x${line:$((idx+1)):$((idx+4))}" >> $pem_out
+ fi
+ else
+ echo "$line" >> $pem_out
+ fi
+ let i++
+ done < "$cert"
+
+ # output to DER format also
+ openssl x509 -in $pem_out -out $der_out -outform DER
+}
+
+# create server RSA certificate with bad signature
+cert="../server-cert.pem"
+pem_out=server-cert-rsa-badsig.pem
+der_out=server-cert-rsa-badsig.der
+generate
+
+# create server ECC certificate with bad signature
+cert="../server-ecc.pem"
+pem_out=server-cert-ecc-badsig.pem
+der_out=server-cert-ecc-badsig.der
+generate
+
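Review bot: `$cert`, `$pem_out` and `$der_out` are expanded unquoted in `wc -l < $cert`, the `rm`/`touch`/`>>` lines and the final `openssl x509` call, and `idx=\`expr ${#line} - 4\`` plus `let i++` reach for an external process and a non-arithmetic builtin where `idx=$(( ${#line} - 4 ))` and `i=$((i+1))` do the same work; the rewrite below quotes every expansion and uses `(( ))` and `printf '%s\n'` throughout. The "last line before END" test compares a running counter with `wc -l`, which counts newline characters, so if an input PEM ever lacks a trailing newline the count is one short and `read -r` drops the END line: the byte would be flipped in the preceding base64 line and the output would have no END marker, which matching on the line that precedes `-----END CERTIFICATE-----` instead of a count would avoid. The `openssl x509 ... -outform DER` status is never checked, so a malformed PEM yields no DER file while renewcerts.sh carries on; `set -e` at the top of this new file or `|| exit 1` on that line surfaces it. A header comment stating that the script must run from certs/test (it reads `../server-cert.pem` and `../server-ecc.pem`) and what the flipped byte is meant to test would help the next maintainer.

```shell
generate() {
  # … unchanged: header comment …
  num_lines=$(wc -l < "$cert")
  i=1
  rm -f -- "$pem_out"
  touch -- "$pem_out"
  while IFS= read -r line; do
    if (( i + 1 == num_lines )); then
      # … unchanged: comment …
      idx=$(( ${#line} - 4 ))
      chr=${line:idx:1}
      if [[ "$chr" == "x" || "$chr" == "X" ]]; then
        printf '%s\n' "${line:0:idx}a${line:idx+1}" >> "$pem_out"
      else
        printf '%s\n' "${line:0:idx}x${line:idx+1}" >> "$pem_out"
      fi
    else
      printf '%s\n' "$line" >> "$pem_out"
    fi
    i=$((i + 1))
  done < "$cert"
  # … unchanged: comment …
  openssl x509 -in "$pem_out" -out "$der_out" -outform DER || exit 1
}
```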