diff --git a/go.mod b/go.mod
index 26a1d77..350fa4d 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,10 @@
 module github.com/kairos-io/AuroraBoot
 
-go 1.23.1
+go 1.23.3
 
-toolchain go1.23.3
+// https://github.com/golang/go/blob/583d750fa119d504686c737be6a898994b674b69/src/crypto/x509/parser.go#L1014-L1018
+// For keys with negative serial number:
+godebug x509negativeserial=1
 
 require (
 	github.com/cavaliergopher/grab/v3 v3.0.1
@@ -23,7 +25,6 @@ require (
 	github.com/otiai10/copy v1.14.0
 	github.com/spectrocloud-labs/herd v0.4.2
 	github.com/spectrocloud/peg v0.0.0-20240405075800-c5da7125e30f
-	github.com/spf13/viper v1.19.0
 	github.com/u-root/u-root v0.14.0
 	github.com/urfave/cli/v2 v2.27.5
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
@@ -169,6 +170,7 @@ require (
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/swaggest/jsonschema-go v0.3.62 // indirect
 	github.com/swaggest/refl v1.3.0 // indirect
diff --git a/internal/cmd/genkey.go b/internal/cmd/genkey.go
index d79a37c..7eb6420 100644
--- a/internal/cmd/genkey.go
+++ b/internal/cmd/genkey.go
@@ -247,8 +247,11 @@ func prepareCustomDerDir(l sdkTypes.KairosLogger, customCertDir string) (string,
 				l.Infof("	Signature Owner: %s\n", sigEntry.Owner.Format())
 				switch sig.SignatureType {
 				case signature.CERT_X509_GUID, signature.CERT_SHA256_GUID:
-					cert, _ := x509.ParseCertificate(sigEntry.Data)
-					if cert != nil {
+					cert, err := x509.ParseCertificate(sigEntry.Data)
+					if err != nil {
+						l.Errorf("cert error: %s", err)
+						continue
+					} else {
 						keyDir := filepath.Join(tmpDir, "custom", keyType)
 						err := os.MkdirAll(keyDir, 0755)
 						if err != nil {