diff --git a/src/ssl_load.c b/src/ssl_load.c
index 4a67913ed..4b9a62611 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -4163,8 +4163,8 @@ static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx,
 labelLen = (word32)XSTRLEN(label);
 }
- ret = wc_CryptoCb_GetCert(devId, (const sword8 *)label,
- labelLen, id, idLen, &certData, &certDataLen, &certFormat, ctx->heap);
+ ret = wc_CryptoCb_GetCert(devId, label, labelLen, id, idLen,
+ &certData, &certDataLen, &certFormat, ctx->heap);
 if (ret != 0) {
 ret = WOLFSSL_FAILURE;
 goto exit;
diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c
index 0d1d26738..973b4f9de 100644
--- a/wolfcrypt/src/cryptocb.c
+++ b/wolfcrypt/src/cryptocb.c
@@ -1801,7 +1801,7 @@ int wc_CryptoCb_RandomSeed(OS_Seed* os, byte* seed, word32 sz)
 #endif /* !WC_NO_RNG */
 #ifndef NO_CERTS
-int wc_CryptoCb_GetCert(int devId, const sword8 *label, word32 labelLen,
+int wc_CryptoCb_GetCert(int devId, const char *label, word32 labelLen,
 const byte *id, word32 idLen, byte** out, word32* outSz, int *format, void *heap) {
diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c
index 26b2703c7..c49682331 100644
--- a/wolfcrypt/src/wc_pkcs11.c
+++ b/wolfcrypt/src/wc_pkcs11.c
@@ -4021,6 +4021,11 @@ static int Pkcs11GetCert(Pkcs11Session* session, wc_CryptoInfo* info) {
 goto exit;
 }
+ if (tmpl[0].ulValueLen <= 0) {
+ ret = WC_HW_E;
+ goto exit;
+ }
+
 certData = (byte *)XMALLOC(
 (int)tmpl[0].ulValueLen, info->cert.heap, DYNAMIC_TYPE_CERT);
 if (certData == NULL) {
@@ -4051,7 +4056,7 @@ exit:
 return ret;
 }
-#endif /* ifndef NO_CERTS */
+#endif /* !NO_CERTS */
 /**
 * Perform a cryptographic operation using PKCS#11 device.
diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h
index a8f19e304..976332f4e 100644
--- a/wolfssl/wolfcrypt/cryptocb.h
+++ b/wolfssl/wolfcrypt/cryptocb.h
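Review bot: The guard added in Pkcs11GetCert (wolfcrypt/src/wc_pkcs11.c) only rejects a zero length. If `tmpl` is a CK_ATTRIBUTE array, as the `ulValueLen` field name suggests, the field is an unsigned CK_ULONG, so `<= 0` can never be true for anything but 0. A token-reported length above INT_MAX, including the PKCS#11 `CK_UNAVAILABLE_INFORMATION` value (all bits set), still reaches the `(int)tmpl[0].ulValueLen` cast in the XMALLOC call right below and turns into a negative or truncated allocation size. I would bound the upper side in the same check, e.g. `if (tmpl[0].ulValueLen == 0 || tmpl[0].ulValueLen > (CK_ULONG)INT_MAX) {`, keeping `ret = WC_HW_E;`. The function starts and ends outside the hunk, so how the length is used after the allocation is not visible here.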
@@ -452,7 +452,7 @@ typedef struct wc_CryptoInfo {
 struct {
 const byte *id;
 word32 idLen;
- const sword8 *label;
+ const char *label;
 word32 labelLen;
 byte **certDataOut;
 word32 *certSz;
@@ -670,7 +670,7 @@ WOLFSSL_LOCAL int wc_CryptoCb_Cmac(Cmac* cmac, const byte* key, word32 keySz,
 #endif
 #ifndef NO_CERTS
-WOLFSSL_LOCAL int wc_CryptoCb_GetCert(int devId, const sword8 *label,
+WOLFSSL_LOCAL int wc_CryptoCb_GetCert(int devId, const char *label,
 word32 labelLen, const byte *id, word32 idLen, byte** out, word32* outSz, int *format, void *heap);
 #endif
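Review bot: The wc_CryptoCb_GetCert prototype touched in the second cryptocb.h hunk carries no comment on who owns the buffer returned through `out`. The PKCS#11 hunk of this commit allocates the certificate with `XMALLOC(..., info->cert.heap, DYNAMIC_TYPE_CERT)`, so the caller presumably has to release `*out` against the same heap and type, but nothing at the declaration says so. After confirming that contract, I would add above the declaration `/* On success *out is allocated from heap as DYNAMIC_TYPE_CERT; the caller frees it. */`.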