diff --git a/crypto.c b/crypto.c index 3623118..f4502e8 100644 --- a/crypto.c +++ b/crypto.c @@ -69,7 +69,11 @@ void crypto_ecc256_load_attestation_key() void crypto_ecc256_sign(uint8_t * data, int len, uint8_t * sig) { - uECC_sign(_signing_key, data, len, sig, _es256_curve); + if ( uECC_sign(_signing_key, data, len, sig, _es256_curve) == 0) + { + printf("error, uECC failed\n"); + exit(1); + } } 
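Review bot: A signing failure in `crypto_ecc256_sign` now terminates the whole process with `exit(1)`, and because the function still returns `void` the caller in ctap.c cannot turn the failure into a CTAP error response. If the failing condition can be reached from a host request, that makes the authenticator unavailable, and `exit` may not be meaningful on an embedded target. Consider giving the function an `int` return, e.g. `return uECC_sign(_signing_key, data, len, sig, _es256_curve) ? 0 : -1;`, and mapping it to an error code at the call site. If the abort stays, a comment such as `/* sig is undefined on failure and must never be sent */` would record why the failure is fatal.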
@@ -94,33 +98,41 @@ void crypto_derive_ecc256_public_key(uint8_t * rpId, int len1, uint8_t * entropy const uint8_t attestation_cert_der[] = - "\x30\x82\x01\x4e\x30\x81\xf6\x02\x01\x00\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d\x04" - "\x03\x02\x30\x2c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0b\x30" - "\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x10\x30\x0e\x06\x03\x55\x04\x0a\x0c" - "\x07\x54\x45\x53\x54\x20\x43\x41\x30\x20\x17\x0d\x31\x38\x30\x35\x30\x36\x32\x32" - "\x34\x39\x32\x35\x5a\x18\x0f\x32\x30\x36\x38\x30\x34\x32\x33\x32\x32\x34\x39\x32" - "\x35\x5a\x30\x3a\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0b\x30" - "\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x1e\x30\x1c\x06\x03\x55\x04\x0a\x0c" - "\x15\x54\x45\x53\x54\x20\x41\x54\x54\x45\x53\x54\x41\x54\x49\x4f\x4e\x20\x43\x45" - "\x52\x54\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48" - "\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x45\xa9\x02\xc1\x2e\x9c\x0a\x33\xfa\x3e\x84" - "\x50\x4a\xb8\x02\xdc\x4d\xb9\xaf\x15\xb1\xb6\x3a\xea\x8d\x3f\x03\x03\x55\x65\x7d" - "\x70\x3f\xb4\x02\xa4\x97\xf4\x83\xb8\xa6\xf9\x3c\xd0\x18\xad\x92\x0c\xb7\x8a\x5a" - "\x3e\x14\x48\x92\xef\x08\xf8\xca\xea\xfb\x32\xab\x20\x30\x0a\x06\x08\x2a\x86\x48" - "\xce\x3d\x04\x03\x02\x03\x47\x00\x30\x44\x02\x20\x03\x81\x09\xa6\x99\xb3\x69\x69" - "\x69\xa1\xd9\x40\xbc\x32\xa5\x37\x05\x1d\xa8\x42\x54\x3b\xee\x77\xbe\x25\xb2\x03" - "\x16\x90\x77\x9c\x02\x20\x6b\xfb\x26\x30\x68\x6d\x72\x49\xac\xbf\x0e\x06\xd3\x61" - "\x32\xe0\x60\x78\x60\xab\x7e\x7f\xd3\x4f\xd7\x25\xfa\x2d\x95\x1b\x19\xdd"; +"\x30\x82\x01\xfb\x30\x82\x01\xa1\xa0\x03\x02\x01\x02\x02\x01\x00\x30\x0a\x06\x08" +"\x2a\x86\x48\xce\x3d\x04\x03\x02\x30\x2c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13" +"\x02\x55\x53\x31\x0b\x30\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x10\x30\x0e" +"\x06\x03\x55\x04\x0a\x0c\x07\x54\x45\x53\x54\x20\x43\x41\x30\x20\x17\x0d\x31\x38" +"\x30\x35\x31\x30\x30\x33\x30\x36\x32\x30\x5a\x18\x0f\x32\x30\x36\x38\x30\x34\x32" 
+"\x37\x30\x33\x30\x36\x32\x30\x5a\x30\x7c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13" +"\x02\x55\x53\x31\x0b\x30\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x0f\x30\x0d" +"\x06\x03\x55\x04\x07\x0c\x06\x4c\x61\x75\x72\x65\x6c\x31\x15\x30\x13\x06\x03\x55" +"\x04\x0a\x0c\x0c\x54\x45\x53\x54\x20\x43\x4f\x4d\x50\x41\x4e\x59\x31\x22\x30\x20" +"\x06\x03\x55\x04\x0b\x0c\x19\x41\x75\x74\x68\x65\x6e\x74\x69\x63\x61\x74\x6f\x72" +"\x20\x41\x74\x74\x65\x73\x74\x61\x74\x69\x6f\x6e\x31\x14\x30\x12\x06\x03\x55\x04" +"\x03\x0c\x0b\x63\x6f\x6e\x6f\x72\x70\x70\x2e\x63\x6f\x6d\x30\x59\x30\x13\x06\x07" +"\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00" +"\x04\x45\xa9\x02\xc1\x2e\x9c\x0a\x33\xfa\x3e\x84\x50\x4a\xb8\x02\xdc\x4d\xb9\xaf" +"\x15\xb1\xb6\x3a\xea\x8d\x3f\x03\x03\x55\x65\x7d\x70\x3f\xb4\x02\xa4\x97\xf4\x83" +"\xb8\xa6\xf9\x3c\xd0\x18\xad\x92\x0c\xb7\x8a\x5a\x3e\x14\x48\x92\xef\x08\xf8\xca" +"\xea\xfb\x32\xab\x20\xa3\x62\x30\x60\x30\x46\x06\x03\x55\x1d\x23\x04\x3f\x30\x3d" +"\xa1\x30\xa4\x2e\x30\x2c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31" +"\x0b\x30\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x10\x30\x0e\x06\x03\x55\x04" +"\x0a\x0c\x07\x54\x45\x53\x54\x20\x43\x41\x82\x09\x00\xf7\xc9\xec\x89\xf2\x63\x94" +"\xd9\x30\x09\x06\x03\x55\x1d\x13\x04\x02\x30\x00\x30\x0b\x06\x03\x55\x1d\x0f\x04" +"\x04\x03\x02\x04\xf0\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x02\x03\x48\x00" +"\x30\x45\x02\x20\x18\x38\xb0\x45\x03\x69\xaa\xa7\xb7\x38\x62\x01\xaf\x24\x97\x5e" +"\x7e\x74\x64\x1b\xa3\x7b\xf7\xe6\xd3\xaf\x79\x28\xdb\xdc\xa5\x88\x02\x21\x00\xcd" +"\x06\xf1\xe3\xab\x16\x21\x8e\xd8\xc0\x14\xaf\x09\x4f\x5b\x73\xef\x5e\x9e\x4b\xe7" +"\x35\xeb\xdd\x9b\x6d\x8f\x7d\xf3\xc4\x3a\xd7"; const uint16_t attestation_cert_der_size = sizeof(attestation_cert_der)-1; -const uint8_t attestation_key[] = "\xcdg\xaa1\r\t\x1e\xd1n~\x98\x92\xaa\x07\x0e\x19\x94\xfc\xd7\x14\xae|@\x8f\xb9F\xb7._\xe7]0"; +const uint8_t attestation_key[] = 
"\xcd\x67\xaa\x31\x0d\x09\x1e\xd1\x6e\x7e\x98\x92\xaa\x07\x0e\x19\x94\xfc\xd7\x14\xae\x7c\x40\x8f\xb9\x46\xb7\x2e\x5f\xe7\x5d\x30"; const uint16_t attestation_key_size = sizeof(attestation_key)-1; - #else #error "No crypto implementation defined" #endif diff --git a/ctap.c b/ctap.c index 31919a1..18c16fa 100644 --- a/ctap.c +++ b/ctap.c @@ -601,13 +601,14 @@ void ctap_make_credential(CborEncoder * encoder, uint8_t * request, int length) uint8_t auth_data_buf[200]; uint8_t * cose_key_buf = auth_data_buf + + sizeof(CTAP_authData); uint8_t hashbuf[32]; - uint8_t sigbuf[64]; + static uint8_t sigbuf[164]; uint8_t sigder[64 + 2 + 6]; int auth_data_sz; CTAP_authData * authData = (CTAP_authData *)auth_data_buf; CborEncoder cose_key; CborEncoder map; CborEncoder stmtmap; + CborEncoder x5carr; cbor_encoder_init(&cose_key, cose_key_buf, sizeof(auth_data_buf) - sizeof(CTAP_authData), 0); @@ -678,6 +679,10 @@ void ctap_make_credential(CborEncoder * encoder, uint8_t * request, int length) crypto_ecc256_load_attestation_key(); crypto_ecc256_sign(hashbuf, 32, sigbuf); + printf("signature hash: "); dump_hex(hashbuf, 32); + printf("R: "); dump_hex(sigbuf, 32); + printf("S: "); dump_hex(sigbuf+32, 32); + // Need to caress into dumb der format .. uint8_t pad_s = (sigbuf[32] & 0x80) == 0x80; uint8_t pad_r = (sigbuf[0] & 0x80) == 0x80; @@ -694,7 +699,7 @@ void ctap_make_credential(CborEncoder * encoder, uint8_t * request, int length) sigder[5 + 32 + pad_r] = 0x20 + pad_s; memmove(sigder + 6 + 32 + pad_r + pad_s, sigbuf + 32, 32); // - printf("der sig [%d]: ", 0x44+pad_s+pad_r); dump_hex(sigder, 0x44+pad_s+pad_r); + printf("der sig [%d]: ", 0x44+pad_s+pad_r); dump_hex(sigder, 0x46+pad_s+pad_r); { ret = cbor_encode_int(&map,RESP_attStmt); 
@@ -710,23 +715,30 @@ void ctap_make_credential(CborEncoder * encoder, uint8_t * request, int length) { ret = cbor_encode_text_stringz(&stmtmap,"sig"); check_ret(ret); - ret = cbor_encode_byte_string(&stmtmap, sigder, 0x44 + pad_s + pad_r); + ret = cbor_encode_byte_string(&stmtmap, sigder, 0x46 + pad_s + pad_r); check_ret(ret); } { ret = cbor_encode_text_stringz(&stmtmap,"x5c"); check_ret(ret); - ret = cbor_encode_byte_string(&stmtmap, attestation_cert_der, attestation_cert_der_size); + ret = cbor_encoder_create_array(&stmtmap, &x5carr, 1); check_ret(ret); + { + ret = cbor_encode_byte_string(&x5carr, attestation_cert_der, attestation_cert_der_size); + check_ret(ret); + ret = cbor_encoder_close_container(&stmtmap, &x5carr); + check_ret(ret); + } } - cbor_encoder_close_container(&map, &stmtmap); + ret = cbor_encoder_close_container(&map, &stmtmap); check_ret(ret); } - cbor_encoder_close_container(encoder, &map); + ret = cbor_encoder_close_container(encoder, &map); + check_ret(ret); } diff --git a/ctap.h b/ctap.h index da1bb63..76e9714 100644 --- a/ctap.h +++ b/ctap.h @@ -79,8 +79,8 @@ typedef struct { uint8_t aaguid[16]; - uint8_t credLenL; uint8_t credLenH; + uint8_t credLenL; uint8_t credentialId[CREDENTIAL_ID_SIZE]; } __attribute__((packed)) CTAP_attestHeader; diff --git a/ctap_device.c b/ctap_device.c index 2901270..8cf565e 100644 --- a/ctap_device.c +++ b/ctap_device.c @@ -46,5 +46,6 @@ int ctap_generate_rng(uint8_t * dst, size_t num) } fread(dst, 1, num, urand); fclose(urand); + return 1; } diff --git a/tools/ca_sign.sh b/tools/ca_sign.sh index b5182fa..5c8193a 100644 --- a/tools/ca_sign.sh +++ b/tools/ca_sign.sh 
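Review bot: The order of `credLenH` and `credLenL` in `CTAP_attestHeader` is a wire-format detail that the struct does not explain. The packed struct appears to be overlaid on the output buffer (ctap.c casts `auth_data_buf` to `CTAP_authData *`), so a later reorder would silently emit a wrong credential ID length. A comment on the two fields would guard against that: `/* credential ID length, 16-bit big-endian: high byte first */`.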
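Review bot: `ctap_generate_rng` now returns 1 no matter how many bytes `fread` delivered, so a short or failed read from `urand` leaves part of `dst` unfilled while reporting success. This function presumably feeds key and nonce generation, where unfilled bytes must never be treated as random. Check the count before reporting success: `size_t got = fread(dst, 1, num, urand); fclose(urand); return got == num;`. The start of the function, including how a failed open is handled, is outside the hunk.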
@@ -7,7 +7,7 @@ openssl req -new -key "$1" -out "$1".csr # CA sign the request echo "sign request with CA key" -openssl x509 -days 18250 -req -in "$1".csr -CA "$2" -CAkey "$3" -out "$4" -set_serial 0 +openssl x509 -days 18250 -req -in "$1".csr -extfile v3.ext -CA "$2" -CAkey "$3" -out "$4" -set_serial 0 echo "output as der" openssl x509 -in "$4" -outform der -out "$4".der diff --git a/tools/dump_pem.py b/tools/dump_pem.py index 7e9c825..1c542fb 100644 --- a/tools/dump_pem.py +++ b/tools/dump_pem.py @@ -17,5 +17,14 @@ if len(sys.argv) not in [2]: pemkey = sys.argv[1] attestkey = ecdsa.SigningKey.from_pem(open(pemkey).read()) -print(binascii.hexlify(attestkey.to_string())) -print(repr(attestkey.to_string())) +hstr = binascii.hexlify(attestkey.to_string()) +print(hstr) + +cstr = '' +it = iter(hstr) +for d1 in it: + d2 = next(it) + cstr += '\\x'+d1+d2 + +print('"%s"' % cstr) + diff --git a/tools/v3.ext b/tools/v3.ext new file mode 100644 index 0000000..81058b4 --- /dev/null +++ b/tools/v3.ext @@ -0,0 +1,3 @@ +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
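Review bot: `-extfile v3.ext` is resolved against the current directory, not the script's location, so the command only works when run from tools/ and would use any other `v3.ext` present in the working directory. Since that file determines the extensions in the attestation certificate, reference it explicitly: `-extfile "$(dirname "$0")/v3.ext"`. Separately, `-set_serial 0` on the same line gives every certificate signed by this CA the same serial number, which deserves a comment if it is intended only for test certificates.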
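Review bot: The new loop assumes `hstr` is a `str`. Under Python 3 `binascii.hexlify` returns `bytes`, iterating it yields integers, and `'\\x'+d1+d2` raises `TypeError`; the interpreter version this script targets is not visible here, so treat this as conditional. Decoding first and slicing in pairs works on both versions: `hstr = binascii.hexlify(attestkey.to_string()).decode()` followed by `cstr = ''.join('\\x' + hstr[i:i+2] for i in range(0, len(hstr), 2))`. Because the output is a private key, a short comment above the prints noting that it should not end up in CI or terminal logs would also help.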
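Review bot: `keyUsage` grants `keyEncipherment` and `dataEncipherment`, which an ECDSA attestation key does not need, since it only signs. Restricting the line to `keyUsage = digitalSignature` keeps the certificate's stated purpose as narrow as the key's actual use. The certificate embedded in crypto.c by this commit carries the broader set (key usage bits `0xf0`), so it would need to be regenerated after the change.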