diff --git a/ChangeLog b/ChangeLog
index 99bdf39f7..d5e9a1377 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,8 @@ Bugfix
      produced by some optimizing compilers, showing up as failures in
      e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
      by Aurelien Jarno and submitted by Jeffrey Martin.
+   * Fix signed-to-unsigned integer conversion warning
+     in X.509 module. Fixes #2212.
 
 = mbed TLS 2.16.0 branch released 2018-12-21
 
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 76558342e..325bbc0b1 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -368,7 +368,7 @@ static void x509_crt_verify_chain_reset(
     for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ )
     {
         ver_chain->items[i].crt = NULL;
-        ver_chain->items[i].flags = -1;
+        ver_chain->items[i].flags = (uint32_t) -1;
     }
 
     ver_chain->len = 0;