Package: xca
Version: 1.3.2-2

Apparently xca uses PRINTABLESTRING as a DirectoryString on creating certificates by default, ignoring the "MUST" in RFC 2459:

"The UTF8String encoding is the preferred encoding, and all certificates issued after December 31, 2003 MUST use the UTF8String encoding of DirectoryString (except as noted below)."

I created a sample certificate with xca to show:

% openssl asn1parse -in sample.crt
    0:d=0  hl=4 l= 901 cons: SEQUENCE
    4:d=1  hl=4 l= 621 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  13 cons: SEQUENCE
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   29:d=3  hl=2 l=   0 prim: NULL
   31:d=2  hl=3 l= 133 cons: SEQUENCE
   34:d=3  hl=2 l=  11 cons: SET
   36:d=4  hl=2 l=   9 cons: SEQUENCE
   38:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   43:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :DE
   47:d=3  hl=2 l=  15 cons: SET
   49:d=4  hl=2 l=  13 cons: SEQUENCE
   51:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   56:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
   64:d=3  hl=2 l=  15 cons: SET
   66:d=4  hl=2 l=  13 cons: SEQUENCE
   68:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   73:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
   81:d=3  hl=2 l=  15 cons: SET
   83:d=4  hl=2 l=  13 cons: SEQUENCE
   85:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   90:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
   98:d=3  hl=2 l=  15 cons: SET
  100:d=4  hl=2 l=  13 cons: SEQUENCE
  102:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  107:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  115:d=3  hl=2 l=  15 cons: SET
  117:d=4  hl=2 l=  13 cons: SEQUENCE
  119:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  124:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  132:d=3  hl=2 l=  33 cons: SET
  134:d=4  hl=2 l=  31 cons: SEQUENCE
  136:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  147:d=5  hl=2 l=  18 prim: IA5STRING         :sam...@example.com
  167:d=2  hl=2 l=  30 cons: SEQUENCE
  169:d=3  hl=2 l=  13 prim: UTCTIME           :170526140200Z
  184:d=3  hl=2 l=  13 prim: UTCTIME           :180526140200Z
  199:d=2  hl=3 l= 133 cons: SEQUENCE
  202:d=3  hl=2 l=  11 cons: SET
  204:d=4  hl=2 l=   9 cons: SEQUENCE
  206:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  211:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :DE
  215:d=3  hl=2 l=  15 cons: SET
  217:d=4  hl=2 l=  13 cons: SEQUENCE
  219:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  224:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  232:d=3  hl=2 l=  15 cons: SET
  234:d=4  hl=2 l=  13 cons: SEQUENCE
  236:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  241:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  249:d=3  hl=2 l=  15 cons: SET
  251:d=4  hl=2 l=  13 cons: SEQUENCE
  253:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  258:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  266:d=3  hl=2 l=  15 cons: SET
  268:d=4  hl=2 l=  13 cons: SEQUENCE
  270:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  275:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  283:d=3  hl=2 l=  15 cons: SET
  285:d=4  hl=2 l=  13 cons: SEQUENCE
  287:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  292:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  300:d=3  hl=2 l=  33 cons: SET
  302:d=4  hl=2 l=  31 cons: SEQUENCE
  304:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  315:d=5  hl=2 l=  18 prim: IA5STRING         :sam...@example.com
  335:d=2  hl=4 l= 290 cons: SEQUENCE
  339:d=3  hl=2 l=  13 cons: SEQUENCE
  341:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  352:d=4  hl=2 l=   0 prim: NULL
  354:d=3  hl=4 l= 271 prim: BIT STRING
  629:d=1  hl=2 l=  13 cons: SEQUENCE
  631:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  642:d=2  hl=2 l=   0 prim: NULL
  644:d=1  hl=4 l= 257 prim: BIT STRING

This affects signing certificate requests, for example. Using the option "match" a PRINTABLESTRING doesn't match a UTF8STRING, even if they look the same.

Of course UTF8-only can be set in the options, but IMHO xca should create valid certificates by default.

Regards
Harri
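
Added example, not part of the report and not xca or OpenSSL code: a small DER walker that lists which DirectoryString attributes of an X.509 Name are not encoded as UTF8String, the condition the asn1parse dump above shows. The sample Name is constructed inline, and the function names and the choice of listed attributes are assumptions of this example.

```python
STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING"}
# DirectoryString attributes; countryName and emailAddress have fixed types.
DIRECTORY_STRING_OIDS = {
    "2.5.4.3": "commonName", "2.5.4.7": "localityName", "2.5.4.8": "stateOrProvinceName",
    "2.5.4.10": "organizationName", "2.5.4.11": "organizationalUnitName"}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40, 0]          # last slot accumulates base-128 digits
    for byte in raw[1:]:
        arcs[-1] = (arcs[-1] << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(0)
    return ".".join(map(str, arcs[:-1]))

def non_utf8_directory_strings(name_der):
    """Return [(attribute, encoding)] for DirectoryString attributes not sent as UTF8String."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    findings = []
    for _, rdn in children(rdns):                  # each RDN is a SET
        for _, atv in children(rdn):               # of SEQUENCE { OID, value }
            (_, oid_raw), (str_tag, _) = list(children(atv))[:2]
            attr = DIRECTORY_STRING_OIDS.get(decode_oid(oid_raw))
            if attr and str_tag != 0x0C:
                findings.append((attr, STRING_TAGS.get(str_tag, hex(str_tag))))
    return findings

def sample_name(str_tag):
    """Constructed sample Name: C=DE, O=sample, CN=sample, using str_tag for O and CN."""
    tlv = lambda tag, val: bytes([tag, len(val)]) + val   # short-form lengths only
    attr = lambda oid, t, text: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(t, text)))
    return tlv(0x30, attr(b"\x55\x04\x06", 0x13, b"DE")
               + attr(b"\x55\x04\x0a", str_tag, b"sample") + attr(b"\x55\x04\x03", str_tag, b"sample"))
```

The two sample Names carry the same text but differ in the string tag byte (0x13 versus 0x0c), so their DER encodings are not byte-identical.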