diff --git a/handler/generate_certificate.go b/handler/generate_certificate.go
index ceb1477de09ae1ae1ea81818ac8ec2bc392f4606..59599beb4bf816df63a56afadf608d6b8304e953 100644
--- a/handler/generate_certificate.go
+++ b/handler/generate_certificate.go
@@ -73,7 +73,7 @@ func (s *KeyStorageServerImpl) GenerateCertificate(ctx context.Context, in *api.
 }
 
 func generateCertificate(publicKeyBytes []byte, caCertFilePath string, caPrivateKeyFilePath string,
-	certificateData *api.GenerateCertificateRequest_CertificateData) ([]byte, error) {
+	certificateData *api.CertificateData) ([]byte, error) {
 
 	publicKeyPemBlock, _ := pem.Decode(publicKeyBytes)
 
@@ -82,11 +82,21 @@ func generateCertificate(publicKeyBytes []byte, caCertFilePath string, caPrivate
 		return nil, err
 	}
 
-	notBeforeTime := time.Unix(certificateData.NotBefore.Seconds, int64(certificateData.NotBefore.Nanos)).UTC()
-	notAfterTime := time.Unix(certificateData.NotAfter.Seconds, int64(certificateData.NotAfter.Nanos)).UTC()
+	notBeforeTime := time.Unix(certificateData.NotBefore/1000, 0).UTC()
+	notAfterTime := time.Unix(certificateData.NotAfter/1000, 0).UTC()
+
+	max := new(big.Int)
+	max.Exp(big.NewInt(2), big.NewInt(130), nil).Sub(max, big.NewInt(1))
+
+	//Generate cryptographically strong pseudo-random between 0 - max
+	sn, err := rand.Int(rand.Reader, max)
+
+	if err != nil {
+		return nil, err
+	}
 
 	template := x509.Certificate{
-		SerialNumber: big.NewInt(1),
+		SerialNumber: sn,
 		Subject: pkix.Name{
 			Country:            []string{certificateData.Country},
 			Organization:       []string{certificateData.Organization},
diff --git a/handler/handler.go b/handler/handler.go
index 293a3408d8ed1346e9a112df4d0d895f0cce61aa..ab527483a014f32cb929b0f099b92b511705ac75 100644
--- a/handler/handler.go
+++ b/handler/handler.go
@@ -18,6 +18,7 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
 package handler
 
 import (
+	"io/ioutil"
 	"strings"
 
 	"code.vereign.com/code/viam-apis/versions"
@@ -64,9 +65,27 @@ func (s *KeyStorageServerImpl) GetKey(ctx context.Context, in *api.GetKeyRequest
 
 	getKeyResponse := &api.GetKeyResponse{}
 
+	if in.KeyType == api.KeyType_CERTIFICATE && in.Uuid == "root" {
+		key := &api.Key{}
+		data, err := ioutil.ReadFile(s.VereignCertFilePath)
+
+		if err != nil {
+			getKeyResponse.StatusList = utils.AddStatus(getKeyResponse.StatusList,
+				"400", api.StatusType_ERROR, "Can not get root certificate")
+			return getKeyResponse, nil
+		}
+
+		key.Content = data
+		key.Revoked = false
+
+		getKeyResponse.Key = key
+		return getKeyResponse, nil
+	}
+
 	if in.KeyType == api.KeyType_KT_EMPTY {
 		getKeyResponse.StatusList = utils.AddStatus(getKeyResponse.StatusList,
 			"400", api.StatusType_ERROR, "KeyType cannot be empty")
+		return getKeyResponse, nil
 	}
 
 	data, _ := client.DoGetDataCall("keys", in.Uuid+"/"+api.KeyType.String(in.KeyType))
@@ -93,9 +112,16 @@ func (s *KeyStorageServerImpl) SetKey(ctx context.Context, in *api.SetKeyRequest
 
 	setKeyResponse := &api.SetKeyResponse{}
 
+	if in.Uuid == "root" {
+		setKeyResponse.StatusList = utils.AddStatus(setKeyResponse.StatusList,
+			"400", api.StatusType_ERROR, "Can not set root CA keys")
+		return setKeyResponse, nil
+	}
+
 	if in.KeyType == api.KeyType_KT_EMPTY {
 		setKeyResponse.StatusList = utils.AddStatus(setKeyResponse.StatusList,
 			"400", api.StatusType_ERROR, "KeyType cannot be empty")
+		return setKeyResponse, nil
 	}
 
 	data, _ := client.DoGetDataCall("keys", in.Uuid+"/"+api.KeyType.String(in.KeyType))