diff --git a/HISTORY.md b/HISTORY.md
index 55ed90c2c7..d8f8ba2dfc 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,6 +1,12 @@
 Release History
 ===============
+3.4.6 (2024-02-03)
+------------------
+
+**Fixed**
+- Unmatched filter for deprecation warning yielded by Cryptography due to some legacy CA available in Windows having a negative serial number.
+
 3.4.5 (2024-02-02)
 ------------------
diff --git a/docs/user/authentication.rst b/docs/user/authentication.rst
index cc5666292b..9fd7d64ed6 100644
--- a/docs/user/authentication.rst
+++ b/docs/user/authentication.rst
@@ -41,7 +41,7 @@ You must provide the user and pass into the DNS url as such::
 from niquests import Session
 with Session(resolver="doh://user:pass@my-resolver.tld") as s:
- resp = s.get("pie.dev/get")
+ resp = s.get("https://pie.dev/get")
 Passing a bearer token
 ----------------------
@@ -60,7 +60,7 @@ You must provide the token directly into the DNS url as such::
 from niquests import Session
 with Session(resolver="doh://token@my-resolver.tld") as s:
- resp = s.get("pie.dev/get")
+ resp = s.get("https://pie.dev/get")
 netrc Authentication
 ~~~~~~~~~~~~~~~~~~~~
diff --git a/docs/user/quickstart.rst b/docs/user/quickstart.rst
index f39004fe0a..3a4935ab06 100644
--- a/docs/user/quickstart.rst
+++ b/docs/user/quickstart.rst
@@ -906,7 +906,7 @@ Here is a basic example that leverage Google public DNS over HTTPS::
 from niquests import Session
 with Session(resolver="doh+google://") as s:
- resp = s.get("pie.dev/get")
+ resp = s.get("https://pie.dev/get")
 Here, the domain name (**pie.dev**) will be resolved using the provided DNS url.
@@ -920,7 +920,7 @@ You may specify a list of resolvers to be tested in order::
 from niquests import Session
 with Session(resolver=["doh+google://", "doh://cloudflare-dns.com"]) as s:
- resp = s.get("pie.dev/get")
+ resp = s.get("https://pie.dev/get")
 The second entry ``doh://cloudflare-dns.com`` will only be tested if ``doh+google://`` failed to provide a usable answer.
@@ -959,10 +959,10 @@ Simply add ``verify=false`` into your DNS url to pursue::
 from niquests import Session
 with Session(resolver="doh+google://default/?verify=false") as s:
- resp = s.get("pie.dev/get")
+ resp = s.get("https://pie.dev/get")
-.. warning:: Doing a ``s.get("pie.dev/get", verify=False)`` does not impact the resolver.
+.. warning:: Doing a ``s.get("https://pie.dev/get", verify=False)`` does not impact the resolver.
 -----------------------
diff --git a/src/niquests/__init__.py b/src/niquests/__init__.py
index 3b50e4850f..bde00a100c 100644
--- a/src/niquests/__init__.py
+++ b/src/niquests/__init__.py
@@ -54,10 +54,10 @@
 # urllib3's DependencyWarnings should be silenced.
 warnings.simplefilter("ignore", DependencyWarning)
-# Some Microsoft root CAs may use a negative serial number. It is known and safe. They know about it.
-warnings.filterwarnings(
- "ignore", "Parsed a negative serial number", module="cryptography"
-)
+# Commonly happen on Windows due to some legacy root CA in
+# their trust store. They are aware of it, we silent the warning
+# yield by Cryptography to avoid producing undesired noise to end-users.
+warnings.filterwarnings("ignore", "Parsed a negative serial number")
 # ruff: noqa: E402
 from . import utils
diff --git a/src/niquests/__version__.py b/src/niquests/__version__.py
index 53bdfd93ca..1ad82c59fc 100644
--- a/src/niquests/__version__.py
+++ b/src/niquests/__version__.py
@@ -9,9 +9,9 @@
 __url__: str = "https://niquests.readthedocs.io"
 __version__: str
-__version__ = "3.4.5"
+__version__ = "3.4.6"
-__build__: int = 0x030405
+__build__: int = 0x030406
 __author__: str = "Kenneth Reitz"
 __author_email__: str = "me@kennethreitz.org"
 __license__: str = "Apache-2.0"
diff --git a/src/niquests/extensions/_ocsp.py b/src/niquests/extensions/_ocsp.py
index c090d3a78e..da8bd3fb41 100644
--- a/src/niquests/extensions/_ocsp.py
+++ b/src/niquests/extensions/_ocsp.py
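Review bot: In src/niquests/__init__.py the rewritten `warnings.filterwarnings("ignore", "Parsed a negative serial number")` drops the `module` restriction and sets no `category`, so importing niquests now mutes every warning whose text starts with that phrase for the whole process, including the host application's own certificate parsing. A negative serial number marks a certificate that does not conform to RFC 5280, which some operators want reported, so the suppression is better scoped to the code that loads the trust store: `with warnings.catch_warnings():` followed by `warnings.filterwarnings("ignore", "Parsed a negative serial number")` around those calls. If the filter has to stay global, the comment should say so, for example `# NOTE: process-wide filter; also hides this warning for applications that import niquests`. The old `module="cryptography"` filter presumably never matched because the warning is attributed to a different module, and the comment is the right place to record that as well.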
@@ -65,7 +65,12 @@ def _infer_issuer_from(certificate: Certificate) -> Certificate | None:
 if isinstance(der_cert, Certificate):
 possible_issuer = der_cert
 else:
- possible_issuer = load_der_x509_certificate(der_cert)
+ try:
+ possible_issuer = load_der_x509_certificate(der_cert)
+ except (
+ ValueError
+ ): # Defensive: mitigation against future Cryptography evolutions
+ continue
 # detect cryptography old build
 if not hasattr(certificate, "verify_directly_issued_by"):
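Review bot: The added `except ValueError` handler with `continue` in `_infer_issuer_from` discards a candidate issuer without any trace, so a certificate that cryptography refuses to parse becomes indistinguishable from one that is absent, and the function may return `None` for a chain whose issuer is actually in the store. How callers treat `None` is outside this hunk, but if it means the OCSP check is skipped, this silent path deserves a comment naming that consequence and, if the module has a logger, a debug record. The comment "mitigation against future Cryptography evolutions" should say what is expected, presumably that the negative-serial deprecation warning becomes a hard error: `# cryptography may raise ValueError for certificates it only warns about today (negative serial number); skip them as issuer candidates`. Putting that comment on its own line lets the handler read `except ValueError:` instead of the three-line parenthesised form. The enclosing loop and the rest of the function lie outside the hunk.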