diff --git a/ChangeLog b/ChangeLog
index 0c018c29e..870f0cc8b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,7 +5,9 @@
      fix username passed to helper program
      prepare stdio fds before closefrom()
      spotted by landry@
-
+   - djm@cvs.openbsd.org 2012/11/14 02:32:15
+     [ssh-keygen.c]
+     allow the full range of unsigned serial numbers; 'fine' deraadt@
 
 20121107
  - (djm) OpenBSD CVS Sync
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 11d1dd02b..2d8af679c 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.218 2012/10/02 07:07:45 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.219 2012/11/14 02:32:15 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1937,7 +1937,7 @@ main(int argc, char **argv)
 {
 	char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
 	char *checkpoint = NULL;
-	char out_file[MAXPATHLEN], *rr_hostname = NULL;
+	char out_file[MAXPATHLEN], *rr_hostname = NULL, *ep;
 	Key *private, *public;
 	struct passwd *pw;
 	struct stat st;
@@ -2145,9 +2145,11 @@ main(int argc, char **argv)
 			parse_cert_times(optarg);
 			break;
 		case 'z':
-			cert_serial = strtonum(optarg, 0, LLONG_MAX, &errstr);
-			if (errstr)
-				fatal("Invalid serial number: %s", errstr);
+			errno = 0;
+			cert_serial = strtoull(optarg, &ep, 10);
+			if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||
+			    (errno == ERANGE && cert_serial == ULLONG_MAX))
+				fatal("Invalid serial number \"%s\"", optarg);
 			break;
 		case '?':
 		default: