[//]: # (werk v2)
# Ignore CAs with negative serial numbers
key | value
---------- | ---
date | 2024-03-11T10:43:27+00:00
version | 2.3.0b3
class | fix
edition | cre
component | core
level | 1
compatible | no
When Checkmk is configured to *Trust system wide configured CAs* the system CA store is
traversed and the certificates are added to the trusted CAs.
With RFC 5280 certificate serial numbers are required to be positive. Unfortunately there
are CA certificates out from before this RFC and the might contain negative serial
numbers.
One we encountered several times while testing is:
commonName = EC-ACC
organizationalUnitName = Jerarquia Entitats de Certificacio Catalanes
organizationalUnitName = Vegeu
https://www.catcert.net/verarrel (c)03
organizationalUnitName = Serveis Publics de Certificacio
organizationName = Agencia Catalana de Certificacio (NIF Q-0801176-I)
countryName = ES
Our underlying library we use for handling certificates announced to no longer support
certificates with negative serial numbers in one of the next versions. Therefore we
decided to ignore certificates with negative serial numbers so we can update this library
during the lifetime of this Checkmk release without changing this behaviour.
Since the mentioned `EC-ACC` certificate was encountered multiple times during testing and
is not widely used the fact that this certificate was encountered and is ignored is NOT
logged.
If you use certificates issued by CA certificates with negative serial numbers you can add
them manually to your list of trusted certificates via the UI.
This might cause warnings appearing in console outputs and in logfiles and may stop to
work in the future.