diff --git a/auth/cert.go b/auth/cert.go
index 0928c43..f71f4a2 100644
--- a/auth/cert.go
+++ b/auth/cert.go
@@ -103,7 +103,9 @@ func (auth *CertAuth) reload() error {
 }
 auth.logger.Info("reloading certificate blacklist from %q...", auth.blacklistFilename)
- newBlacklistSet, err := newSerialNumberSetFromReader(f)
+ newBlacklistSet, err := newSerialNumberSetFromReader(f, func(parseErr error) {
+ auth.logger.Error("failed to parse line in %q: %v", auth.blacklistFilename, parseErr)
+ })
 if err != nil {
 return err
 }
@@ -171,7 +173,7 @@ func (s *serialNumberSet) Has(serial *big.Int) bool {
 return found
 }
-func newSerialNumberSetFromReader(r io.Reader) (*serialNumberSet, error) {
+func newSerialNumberSetFromReader(r io.Reader, bad func(error)) (*serialNumberSet, error) {
 set := make(map[serialNumberKey]struct{})
 scanner := bufio.NewScanner(r)
 for scanner.Scan() {
@@ -182,6 +184,9 @@ func newSerialNumberSetFromReader(r io.Reader) (*serialNumberSet, error) {
 }
 serial, err := parseSerialBytes(line)
 if err != nil {
+ if bad != nil {
+ bad(fmt.Errorf("bad serial number line %q: %w", line, err))
+ }
 continue
 }
 set[normalizeSNBytes(serial)] = struct{}{}
diff --git a/auth/cert_test.go b/auth/cert_test.go
index a1c2d00..f8f9ae5 100644
--- a/auth/cert_test.go
+++ b/auth/cert_test.go
@@ -128,7 +128,7 @@ func TestSerialNumberSetSmoke(t *testing.T) {
 output: true,
 },
 }
- s, err := newSerialNumberSetFromReader(strings.NewReader(testFile))
+ s, err := newSerialNumberSetFromReader(strings.NewReader(testFile), nil)
 if err != nil {
 t.Fatalf("unable to load test set: %v", err)
 }
@@ -158,7 +158,7 @@ func TestSerialNumberSetEmpty(t *testing.T) {
 output: false,
 },
 }
- s, err := newSerialNumberSetFromReader(strings.NewReader(testFile))
+ s, err := newSerialNumberSetFromReader(strings.NewReader(testFile), nil)
 if err != nil {
 t.Fatalf("unable to load test set: %v", err)
 }
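Review bot: In `reload()` the new callback only logs, so a blacklist file containing an unparseable serial still loads without error and the certificate that entry was meant to revoke stays accepted. The closure should also count failures (`skipped++`) so reload can act on the total after the call, for example `if skipped > 0 { auth.logger.Error("%d entries in %q were skipped", skipped, auth.blacklistFilename) }`, or return an error if a partly invalid list should be rejected. Which of the two is right depends on whether keeping the previous set is safer than installing an incomplete one. The rest of reload() lies outside this hunk, so how the new set is installed is not visible here.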
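Review bot: `newSerialNumberSetFromReader` gains a `bad` parameter in the second auth/cert.go hunk, but nothing documents its contract. I would add above the signature: `// newSerialNumberSetFromReader builds a set from r, reading it line by line. Lines that fail to parse are skipped and reported to bad, which may be nil.` It is also worth stating that bad is called synchronously from the scan loop, since the caller in reload() logs from it. The function body continues past the end of this hunk.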
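Review bot: The error built at `bad(fmt.Errorf("bad serial number line %q: %w", line, err))` identifies the rejected entry only by its content and copies the whole line into the message. `%q` keeps control characters from the file out of the log, which is the right verb for file-derived text, but a corrupt file can still yield one log entry per line, each as long as the scanner allows. A position would help the operator more, e.g. `bad(fmt.Errorf("line %d: bad serial number %q: %w", lineNo, line, err))`, with the quoted content cut to a bounded prefix. `lineNo` is a counter I am proposing; it would be incremented at the top of the loop, which starts outside this hunk.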
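Review bot: Both updated call sites in auth/cert_test.go (TestSerialNumberSetSmoke and TestSerialNumberSetEmpty) pass `nil` for `bad`, so the reporting path added in auth/cert.go has no test. A case that reads input with one malformed line among valid ones and collects errors with `func(err error) { got = append(got, err) }` would pin the skip-and-report behaviour. It should assert both the number of reported errors and that the valid serials are still in the set. Whether the existing testFile fixtures already contain a malformed line is not visible in these hunks.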