Werk #16225: Ignore certificates with negative serial numbers

Component Setup
Title Ignore certificates with negative serial numbers
Date Nov 24, 2023
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.3.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

X509 certificates contain a serial number which is used for various purposes.

Since RFC5280 (May 2008) certificates must be a positive integer. There used to be certificates with negative serial numbers which were accepted. Our underlying libraries start to deprecate the support for these certificates, therefore Checkmk now deems them invalid.

Please note that these certificates are very uncommon. If Checkmk encounters such a certificate it will log it to var/log/web.log.

To the list of all Werks