diff --git a/src/x509_str.c b/src/x509_str.c
index 006eae1655..f85d023b18 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -43,6 +43,7 @@ static int X509StoreAddCa(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509,
 int type);
 #endif
+/* Based on OpenSSL default max depth */
 #ifndef WOLFSSL_X509_STORE_DEFAULT_MAX_DEPTH
 #define WOLFSSL_X509_STORE_DEFAULT_MAX_DEPTH 100
 #endif
@@ -264,9 +265,9 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx)
 if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) &&
 ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) {
 /* wolfSSL_CertManagerVerifyBuffer only returns ASN_AFTER_DATE_E or
- ASN_BEFORE_DATE_E if there are no additional errors found in the
- cert. Therefore, check if the cert is expired or not yet valid
- in order to return the correct expected error. */
+ * ASN_BEFORE_DATE_E if there are no additional errors found in the
+ * cert. Therefore, check if the cert is expired or not yet valid
+ * in order to return the correct expected error. */
 byte *afterDate = ctx->current_cert->notAfter.data;
 byte *beforeDate = ctx->current_cert->notBefore.data;
@@ -333,7 +334,7 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
 ret = wolfSSL_sk_X509_push(certs,
 wolfSSL_sk_X509_value(ctx->ctxIntermediates, i));
 if (ret <= 0) {
- return WOLFSSL_FAILURE;
+ goto exit;
 }
 numInterAdd++;
diff --git a/tests/api.c b/tests/api.c
index be7aa73adb..dbacd64ed9 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -60410,6 +60410,8 @@ static int test_X509_STORE_untrusted(void)
 /* Root CA in untrusted chain is OK */
 ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 1),
 TEST_SUCCESS);
+ ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 0),
+ TEST_SUCCESS);
 /* Succeeds because path to loaded CA is available. */
 ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted4, 1, 0, 1),
 TEST_SUCCESS);
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 2666bf0aeb..8a3981f53b 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
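Review bot: In the wolfSSL_X509_verify_cert hunk, the new `goto exit;` leaves `ret` holding whatever wolfSSL_sk_X509_push returned (zero or negative, given the `ret <= 0` test), whereas the line it replaces returned WOLFSSL_FAILURE unconditionally; if the `exit` path hands `ret` back unchanged, a negative push result now reaches callers that previously saw WOLFSSL_FAILURE. Assigning `ret = WOLFSSL_FAILURE;` immediately before the jump (or normalising at the label) keeps the return contract while still running the cleanup the jump was introduced for. The enclosing function, its `exit` label and the handling of the intermediates already pushed into `certs` are outside the hunk, so the exact return mapping on that path cannot be confirmed from here.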
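Review bot: The case added in the test_X509_STORE_untrusted hunk is the only one in this run without a comment, so a reader cannot tell what it exercises beyond the fact that it differs from the line above in the last argument (0 instead of 1) and is expected to succeed. Add a one-line comment in the style of its neighbours, e.g. `/* Root CA in untrusted chain is OK: <state what the fourth argument disables> */`, with the wording taken from the parameter name in the test_X509_STORE_untrusted_certs signature, which lies outside the hunk.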
@@ -3315,7 +3315,8 @@ enum {
 WOLFSSL_USER_CA = 1, /* user added as trusted */
 WOLFSSL_CHAIN_CA = 2, /* added to cache from trusted chain */
- WOLFSSL_INTER_CA = 3 /* Intermediate CA */
+ WOLFSSL_INTER_CA = 3 /* Intermediate CA, only for use by
+ * X509_STORE */
 };
 WOLFSSL_ABI WOLFSSL_API WC_RNG* wolfSSL_GetRNG(WOLFSSL* ssl);