diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index e98816582..5c3152afc 100755
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -7264,40 +7264,42 @@ WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
 }
 
 
+/* Max X509 header length indicates the max length + 2 ('\n', '\0') */
+#define MAX_X509_HEADER_SZ  (37 + 2)
 
-const char* const BEGIN_CERT         = "-----BEGIN CERTIFICATE-----";
-const char* const END_CERT           = "-----END CERTIFICATE-----";
+const char* const BEGIN_CERT           = "-----BEGIN CERTIFICATE-----";
+const char* const END_CERT             = "-----END CERTIFICATE-----";
 #ifdef WOLFSSL_CERT_REQ
-    const char* const BEGIN_CERT_REQ     = "-----BEGIN CERTIFICATE REQUEST-----";
-    const char* const END_CERT_REQ       = "-----END CERTIFICATE REQUEST-----";
+    const char* const BEGIN_CERT_REQ   = "-----BEGIN CERTIFICATE REQUEST-----";
+    const char* const END_CERT_REQ     = "-----END CERTIFICATE REQUEST-----";
 #endif
 #ifndef NO_DH
-    const char* const BEGIN_DH_PARAM     = "-----BEGIN DH PARAMETERS-----";
-    const char* const END_DH_PARAM       = "-----END DH PARAMETERS-----";
+    const char* const BEGIN_DH_PARAM   = "-----BEGIN DH PARAMETERS-----";
+    const char* const END_DH_PARAM     = "-----END DH PARAMETERS-----";
 #endif
 #ifndef NO_DSA
-    const char* const BEGIN_DSA_PARAM    = "-----BEGIN DSA PARAMETERS-----";
-    const char* const END_DSA_PARAM      = "-----END DSA PARAMETERS-----";
+    const char* const BEGIN_DSA_PARAM  = "-----BEGIN DSA PARAMETERS-----";
+    const char* const END_DSA_PARAM    = "-----END DSA PARAMETERS-----";
 #endif
-const char* const BEGIN_X509_CRL     = "-----BEGIN X509 CRL-----";
-const char* const END_X509_CRL       = "-----END X509 CRL-----";
-const char* const BEGIN_RSA_PRIV     = "-----BEGIN RSA PRIVATE KEY-----";
-const char* const END_RSA_PRIV       = "-----END RSA PRIVATE KEY-----";
-const char* const BEGIN_PRIV_KEY     = "-----BEGIN PRIVATE KEY-----";
-const char* const END_PRIV_KEY       = "-----END PRIVATE KEY-----";
-const char* const BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
-const char* const END_ENC_PRIV_KEY   = "-----END ENCRYPTED PRIVATE KEY-----";
+const char* const BEGIN_X509_CRL       = "-----BEGIN X509 CRL-----";
+const char* const END_X509_CRL         = "-----END X509 CRL-----";
+const char* const BEGIN_RSA_PRIV       = "-----BEGIN RSA PRIVATE KEY-----";
+const char* const END_RSA_PRIV         = "-----END RSA PRIVATE KEY-----";
+const char* const BEGIN_PRIV_KEY       = "-----BEGIN PRIVATE KEY-----";
+const char* const END_PRIV_KEY         = "-----END PRIVATE KEY-----";
+const char* const BEGIN_ENC_PRIV_KEY   = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
+const char* const END_ENC_PRIV_KEY     = "-----END ENCRYPTED PRIVATE KEY-----";
 #ifdef HAVE_ECC
-    const char* const BEGIN_EC_PRIV      = "-----BEGIN EC PRIVATE KEY-----";
-    const char* const END_EC_PRIV        = "-----END EC PRIVATE KEY-----";
+    const char* const BEGIN_EC_PRIV    = "-----BEGIN EC PRIVATE KEY-----";
+    const char* const END_EC_PRIV      = "-----END EC PRIVATE KEY-----";
 #endif
-const char* const BEGIN_DSA_PRIV     = "-----BEGIN DSA PRIVATE KEY-----";
-const char* const END_DSA_PRIV       = "-----END DSA PRIVATE KEY-----";
-const char* const BEGIN_PUB_KEY      = "-----BEGIN PUBLIC KEY-----";
-const char* const END_PUB_KEY        = "-----END PUBLIC KEY-----";
+const char* const BEGIN_DSA_PRIV       = "-----BEGIN DSA PRIVATE KEY-----";
+const char* const END_DSA_PRIV         = "-----END DSA PRIVATE KEY-----";
+const char* const BEGIN_PUB_KEY        = "-----BEGIN PUBLIC KEY-----";
+const char* const END_PUB_KEY          = "-----END PUBLIC KEY-----";
 #ifdef HAVE_ED25519
-    const char* const BEGIN_EDDSA_PRIV   = "-----BEGIN EDDSA PRIVATE KEY-----";
-    const char* const END_EDDSA_PRIV     = "-----END EDDSA PRIVATE KEY-----";
+    const char* const BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----";
+    const char* const END_EDDSA_PRIV   = "-----END EDDSA PRIVATE KEY-----";
 #endif
 
 #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA)
@@ -7318,12 +7320,11 @@ int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz,
     char* header = NULL;
     char* footer = NULL;
 #else
-    char header[40 + HEADER_ENCRYPTED_KEY_SIZE];
-    char footer[40];
+    char header[MAX_X509_HEADER_SZ + HEADER_ENCRYPTED_KEY_SIZE];
+    char footer[MAX_X509_HEADER_SZ];
 #endif
-
-    int headerLen = 40 + HEADER_ENCRYPTED_KEY_SIZE;
-    int footerLen = 40;
+    int headerLen = MAX_X509_HEADER_SZ + HEADER_ENCRYPTED_KEY_SIZE;
+    int footerLen = MAX_X509_HEADER_SZ;
     int i;
     int err;
     int outLen;   /* return length or error */
@@ -7344,10 +7345,8 @@ int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz,
 #endif
 
     /* null term and leave room for \n */
-    header[headerLen-1] = '\0';
-    footer[footerLen-1] = '\0';
-    headerLen -= 2;
-    footerLen -= 2;
+    header[--headerLen] = '\0';
+    footer[--footerLen] = '\0';
 
     if (type == CERT_TYPE) {
         XSTRNCPY(header, BEGIN_CERT, headerLen);