RE: Sample certificate sites

[Mark Bartel <mbartel@xxxxxxxxxxxx>]

Well, I've gotten lots of pointers to various places to get sample certificates, and have run a lot of them through my code (successfully).  Unfortunately, I still couldn't find any with UniversalString values.  The closest I came was managing to get the demo at http://www.xcert.com to generate certificates containing TeletexString values; Verisign won't even do that. 

And I've tried importing my certificates into MS Internet Explorer 3.01, and the UniversalString certificates do not work (MSIE can't display them).  Peter (Gutmann), you said (in your X.509 style guide) that Microsoft generates certificates with UniversalString values, so presumably MSIE will read such and I must assume that I've done something wrong.  I had figured that if Microsoft had a product that generated such certificates, it would be easy to find examples, but I've failed to dig any up.

>From X.690:
8.20.7 For the "UniversalString" type, the octet string shall contain the octets specified in ISO/IEC 10646-1, using the 4-octet canonical form (see 14.2 of ISO/IEC 10646-1).  Control functions and signatures shall not be used.

Does anybody know what this means?  Could someone quote the above section 14.2?  I've assumed that 4-octet canonical form means 4-bytes, big endian, per character, but that's just a guess.  I'm hoping that MSIE just doesn't work with UniversalString.

As an example, I'd encode "AB" as

	1C 08 00 00 00 41 00 00 00 42

 (I also tried running my UniversalString certificates through a few other programs; SSLeay identified the UniversalString values but didn't try to parse them, and Certificate Viewer couldn't read the certificate at all.  I couldn't figure out how to get Netscape to look at the certificates as such.)

- Mark Bartel