diff --git a/admin/pki/client.go b/admin/pki/client.go index 011d945c..a64ebc4b 100644 --- a/admin/pki/client.go +++ b/admin/pki/client.go @@ -6,6 +6,7 @@ import ( "crypto/x509" "crypto/x509/pkix" "fmt" + "math" "math/big" "os" "os/exec" @@ -14,15 +15,15 @@ import ( ) func ClientCertificatePath(serial uint64) string { - return path.Join(PKIDir, fmt.Sprintf("%d", serial), "cert.pem") + return path.Join(PKIDir, fmt.Sprintf("%0[2]*[1]X", serial, int(math.Ceil(math.Log2(float64(serial))/8)*2)), "cert.pem") } func ClientPrivkeyPath(serial uint64) string { - return path.Join(PKIDir, fmt.Sprintf("%d", serial), "privkey.pem") + return path.Join(PKIDir, fmt.Sprintf("%0[2]*[1]X", serial, int(math.Ceil(math.Log2(float64(serial))/8)*2)), "privkey.pem") } func ClientP12Path(serial uint64) string { - return path.Join(PKIDir, fmt.Sprintf("%d", serial), "team.p12") + return path.Join(PKIDir, fmt.Sprintf("%0[2]*[1]X", serial, int(math.Ceil(math.Log2(float64(serial))/8)*2)), "team.p12") } func GenerateClient(serial uint64, notBefore time.Time, notAfter time.Time, parent_cert *x509.Certificate, parent_priv *ecdsa.PrivateKey) error { @@ -35,7 +36,7 @@ func GenerateClient(serial uint64, notBefore time.Time, notAfter time.Time, pare OrganizationalUnit: []string{"SRS laboratory"}, Country: []string{"FR"}, Locality: []string{"Paris"}, - CommonName: fmt.Sprintf("TEAM-%o", serial), + CommonName: fmt.Sprintf("TEAM-%0[2]*[1]X", serial, int(math.Ceil(math.Log2(float64(serial))/8)*2)), }, NotBefore: notBefore, NotAfter: notAfter, @@ -56,7 +57,7 @@ func GenerateClient(serial uint64, notBefore time.Time, notAfter time.Time, pare } // Create intermediate directory - os.MkdirAll(path.Join(PKIDir, fmt.Sprintf("%d", serial)), 0777) + os.MkdirAll(path.Join(PKIDir, fmt.Sprintf("%0[2]*[1]X", serial, int(math.Ceil(math.Log2(float64(serial))/8)*2))), 0777) // Save certificate to file if err := saveCertificate(ClientCertificatePath(serial), client_b); err != nil { 
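Review bot: The width expression `int(math.Ceil(math.Log2(float64(serial))/8)*2)` in the three path helpers does not give a stable byte-aligned hex width. For serial 1 it yields width 0 ("1" rather than "01"), for exact powers of 256 it is one byte short (256 prints as "100"), and for serial 0 `Log2` returns -Inf, so the conversion to int is implementation-defined and fmt will likely emit a bad-width marker into the path. The float64 round trip can also misround serials above 2^53. The same expression is repeated in the `CommonName` hunk, the `MkdirAll` hunk and the `-name` argument of `WriteP12`, so a single helper built on `bits.Len64` (importing `math/bits` instead of `math`) would keep directory names, CN and P12 friendly name in agreement.

```go
// serialHex renders serial as upper-case hex, zero-padded to whole bytes.
func serialHex(serial uint64) string {
	width := (bits.Len64(serial) + 7) / 8 * 2
	if width == 0 {
		width = 2 // serial 0 still gets one byte: "00"
	}
	return fmt.Sprintf("%0*X", width, serial)
}

func ClientCertificatePath(serial uint64) string {
	return path.Join(PKIDir, serialHex(serial), "cert.pem")
}
// … unchanged shape: ClientPrivkeyPath and ClientP12Path, using serialHex(serial) …
```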
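Review bot: The rewritten `os.MkdirAll(..., 0777)` line still creates the per-client directory that will hold `privkey.pem` with a mode restricted only by the process umask, and its error return is discarded. With a permissive umask, other local accounts can list or replace files next to the private key, and a failed mkdir only surfaces later as a confusing save error. Consider `if err := os.MkdirAll(path.Dir(ClientCertificatePath(serial)), 0700); err != nil { return err }`, which also removes the duplicated format expression from this line. GenerateClient's body starts and ends outside this hunk, so whether the key file itself is written with a restrictive mode cannot be checked from here.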
@@ -75,7 +76,7 @@ func WriteP12(serial uint64, password string) error { cmd := exec.Command("/usr/bin/openssl", "pkcs12", "-export", "-inkey", ClientPrivkeyPath(serial), "-in", ClientCertificatePath(serial), - "-name", fmt.Sprintf("TEAM-%o", serial), + "-name", fmt.Sprintf("TEAM-%0[2]*[1]X", serial, int(math.Ceil(math.Log2(float64(serial))/8)*2)), "-passout", "pass:" + password, "-out", ClientP12Path(serial))
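Review bot: The context line `"-passout", "pass:" + password` puts the PKCS#12 export password into openssl's argument vector, where it is typically readable by other local users through the process list while the command runs. openssl accepts other password sources, so this could become `"-passout", "env:P12_PASS"` with `cmd.Env = append(os.Environ(), "P12_PASS="+password)` (the variable name is a placeholder), or the password could be fed on stdin. The changed `-name` argument repeats the float-based width expression used for the directory name and CommonName; it should go through one shared formatting helper so the friendly name cannot drift from the certificate's CN. WriteP12's body continues outside the hunk, so how `cmd` is run and whether its error is checked is not visible here.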