Werk #16614: Ignore CAs with negative serial numbers

Component Core & setup
Title Ignore CAs with negative serial numbers
Date Mar 11, 2024
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b3 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

When Checkmk is configured to Trust system wide configured CAs the system CA store is traversed and the certificates are added to the trusted CAs. With RFC 5280 certificate serial numbers are required to be positive. Unfortunately there are CA certificates out from before this RFC and the might contain negative serial numbers. One we encountered several times while testing is:

commonName                = EC-ACC
organizationalUnitName    = Jerarquia Entitats de Certificacio Catalanes
organizationalUnitName    = Vegeu https://www.catcert.net/verarrel (c)03
organizationalUnitName    = Serveis Publics de Certificacio
organizationName          = Agencia Catalana de Certificacio (NIF Q-0801176-I)
countryName               = ES

Our underlying library we use for handling certificates announced to no longer support certificates with negative serial numbers in one of the next versions. Therefore we decided to ignore certificates with negative serial numbers so we can update this library during the lifetime of this Checkmk release without changing this behaviour.

Since the mentioned EC-ACC certificate was encountered multiple times during testing and is not widely used the fact that this certificate was encountered and is ignored is NOT logged.

If you use certificates issued by CA certificates with negative serial numbers you can add them manually to your list of trusted certificates via the UI. This might cause warnings appearing in console outputs and in logfiles and may stop to work in the future.

To the list of all Werks