diff --git a/tesseract/genconf/roots.go b/tesseract/genconf/roots.go
index 1ed7ff5..3a46ae4 100644
--- a/tesseract/genconf/roots.go
+++ b/tesseract/genconf/roots.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+ "crypto/x509"
 "encoding/base64"
 "encoding/json"
 "encoding/pem"
@@ -74,6 +75,7 @@ func generateRoots(args []string) {
 defer outFile.Close()
 
 // Write each certificate as PEM
+ validCertCount := 0
 for _, certBase64 := range rootsResp.Certificates {
 // Decode base64 certificate
 certBytes, err := base64.StdEncoding.DecodeString(certBase64)
@@ -81,6 +83,19 @@ func generateRoots(args []string) {
 log.Fatalf("Failed to decode certificate: %v", err)
 }
 
+ // Parse X.509 certificate to check serial number
+ cert, err := x509.ParseCertificate(certBytes)
+ if err != nil {
+ log.Printf("Warning: Failed to parse certificate, skipping: %v", err)
+ continue
+ }
+
+ // Check for negative serial number
+ if cert.SerialNumber.Sign() < 0 {
+ log.Printf("Warning: Certificate with negative serial number found, skipping (serial: %s)", cert.SerialNumber.String())
+ continue
+ }
+
 // Create PEM block
 pemBlock := &pem.Block{
 Type: "CERTIFICATE",
@@ -92,7 +107,9 @@ func generateRoots(args []string) {
 if err != nil {
 log.Fatalf("Failed to write PEM certificate: %v", err)
 }
+
+ validCertCount++
 }
 
- fmt.Printf("Successfully wrote %d certificates to %s\n", len(rootsResp.Certificates), outputFile)
+ fmt.Printf("Successfully wrote %d certificates to %s (out of %d total)\n", validCertCount, outputFile, len(rootsResp.Certificates))
 }
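Review bot: The two new `continue` branches in the third hunk drop a root from the generated file without saying which one: the parse-failure warning carries only the error and the negative-serial warning only the serial, so an operator cannot tell which CA was left out. I would name the certificate in both messages, for example `log.Printf("Warning: skipping root %q: negative serial number %s", cert.Subject.String(), cert.SerialNumber)`, and log a digest of `certBytes` where parsing failed. Note also that on Go 1.23 and later `x509.ParseCertificate` itself rejects negative serials unless `GODEBUG=x509negativeserial=1` is set, so depending on the toolchain the explicit `Sign() < 0` branch may never be reached and such roots would surface as parse failures instead. generateRoots starts and ends outside this hunk.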
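Review bot: The final `fmt.Printf` in the last hunk still reports success, and the function returns normally, when `validCertCount` is 0 or well below `len(rootsResp.Certificates)`, so a run that filtered out every root leaves an empty roots file behind a "Successfully wrote" message. Since this file is presumably consumed as a trust set, I would fail loudly in that case, e.g. `if validCertCount == 0 { log.Fatalf("No valid certificates to write to %s", outputFile) }` before the summary line, and word the summary as a warning whenever some certificates were skipped. The start of generateRoots is outside this hunk.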