000027096 - How to use underscores in an X.500 name

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000027096
Applies ToRSA BSAFE Cert-J
RSA BSAFE Micro Edition Suite
IssueHow to use underscores in an X.500 name
Underscore not allowed in X.500 name
Trying to create X.500 name in RSA BSAFE Cert-J, but underscore character is rejected

 Certificates with an underscore character in the DN can't be re-encoded as DER

ResolutionTo use the underscore character in a string, tag the string as a character string type that allows/contains the underscore character. Instead of using PrintableString, use UTF8String, which is the preferred encoding. From RFC 3280 (http://www.ietf.org/rfc/rfc3280.txt): Issuer


DirectoryString ::= CHOICE {

   teletexString TeletexString (SIZE (1..MAX)),

   printableString PrintableString (SIZE (1..MAX)),

   universalString UniversalString (SIZE (1..MAX)),

   utf8String UTF8String (SIZE (1..MAX)),

   bmpString BMPString (SIZE (1..MAX)) }


The DirectoryString type is defined as a choice of PrintableString, TeletexString, BMPString, UTF8String, and UniversalString. The UTF8String encoding [RFC 2279] is the preferred encoding, and all certificates issued after December 31, 2003 MUST use the UTF8String encoding of DirectoryString (except as noted below).


Appendix B. ASN.1 Notes

The character string type PrintableString supports a very basic Latin character set: the lower case letters 'a' through 'z', upper case letters 'A' through 'Z', the digits '0' through '9', eleven special characters ' = ( ) + , - . / : ? and space. Implementers should note that the at sign ('@') and underscore ('_') characters are not supported by the ASN.1 type PrintableString.
Legacy Article IDa28063