CryptoSys PKI Toolkit Manual

UTF-8 encoding in distinguished names

If the PKI_X509_UTF8 flag is specified in nOptions, all new DN attribute strings will be encoded as UTF8String. According to Section 4.1.2.4 of [PKIX], UTF-8 encoding is now mandatory for all new certificates issued under that profile after 31 December 2003 (yeah, sure!).

If the UTF-8 flag is set and the value contains only valid UTF-8 characters, then the string will be copied directly. Otherwise the input is assumed to be 8-bit Latin-1 and will be converted to UTF-8 accordingly, with each 8-bit character being converted to two UTF-8 bytes.

Entering hexadecimal-encoded values

[New in Version 3.1] As an alternative, you can enter the value as a hexadecimal-encoded string if the value is preceded by #x.

Examples:

Input string              | Default encoding          | With PKI_X509_UTF8
--------------------------+---------------------------+-----------------------------
OU=abc                    | PrintableString "abc"     | UTF8String "abc"
OU=#x616263               | PrintableString "abc"     | UTF8String "abc"
C=México                  | T61String "México"        | UTF8String "México"
C=#x4de97869636f          | T61String "México"        | UTF8String "México"
C=#x4dc3a97869636f        | T61String (garbage)       | UTF8String "México"
CN=#xE5A4A7E58DAB         | T61String (garbage)       | UTF8String (U+5927,U+536B)

The last example gives two CJK ideographs, U+5927 (da) and U+536B (wei). See the second example in X509_MakeCertSelf.

Note that the entire value must be preceded by the two characters "#" (number sign, hash sign) and "x" (lower-case letter X). The remainder of the value must consist only of valid hexadecimal characters [0-9A-Fa-f]. Note, too, that the hex digits are not case sensitive, but the "x" is. If you actually want to enter a value string that begins with "#x", then enter it as "##x"; e.g. "OU=##xabc" will produce the OU value "#xabc".
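The following is an added worked example, not code from the CryptoSys PKI Toolkit, that models the value handling described above and in the UTF-8 section: the "#x" hex form, the "##x" escape, the "valid UTF-8, else Latin-1" guess made when PKI_X509_UTF8 is set, and the string type chosen in each case. The numeric value of PKI_X509_UTF8 is a placeholder (the real constant comes from the toolkit's header), and the T61String case is simplified to "raw bytes copied as-is", which is exactly what produces the "(garbage)" rows in the table.

```python
# Added example (not CryptoSys code): models DN attribute value handling as this
# page describes it, then shows the DER TLV that would end up in the certificate.
import re
import string

# Placeholder: the real flag value is defined by the toolkit, not by this example.
PKI_X509_UTF8 = 0x20000

# PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ?
_PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")
_TAG = {"PrintableString": 0x13, "T61String": 0x14, "UTF8String": 0x0C}


def decode_dn_value(value: str) -> bytes:
    """Turn the text typed after 'ATTR=' into the raw bytes the toolkit sees.

    '#x' + hex  -> the bytes the hex encodes (digits case-insensitive, 'x' is not)
    '##x...'    -> literal '#x...' (the escape described on the page)
    anything else is taken as the Latin-1 bytes of the typed text.
    """
    if value.startswith("##x"):
        return value[1:].encode("latin-1")
    if value.startswith("#x"):
        hexpart = value[2:]
        if not re.fullmatch(r"[0-9A-Fa-f]*", hexpart) or len(hexpart) % 2:
            raise ValueError("value after #x must be an even number of hex digits")
        return bytes.fromhex(hexpart)
    return value.encode("latin-1")


def encode_attribute(raw: bytes, options: int = 0) -> tuple:
    """Return (ASN.1 string type, text) for one attribute value.

    With PKI_X509_UTF8: bytes that are valid UTF-8 are copied as-is; anything
    else is assumed to be Latin-1 and transcoded (bytes >= 0x80 become two bytes).
    Without the flag: all-PrintableString characters -> PrintableString, otherwise
    T61String holding the raw bytes (garbage if they were really UTF-8).
    """
    if options & PKI_X509_UTF8:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            text = raw.decode("latin-1")
        return "UTF8String", text
    text = raw.decode("latin-1")  # simplification: T.61 treated as Latin-1
    if all(ch in _PRINTABLE for ch in text):
        return "PrintableString", text
    return "T61String", text


def encode_dn_component(component: str, options: int = 0) -> tuple:
    """'ATTR=value' -> (ATTR, string type, text), e.g. the rows of the table above."""
    attr, _, value = component.partition("=")
    stype, text = encode_attribute(decode_dn_value(value), options)
    return attr, stype, text


def der_encode_value(stype: str, text: str) -> bytes:
    """DER TLV for the chosen string type (short-form length is enough for DN values)."""
    body = text.encode("utf-8") if stype == "UTF8String" else text.encode("latin-1")
    if len(body) >= 128:
        raise ValueError("long-form length not handled in this example")
    return bytes([_TAG[stype], len(body)]) + body


if __name__ == "__main__":
    for comp in ("OU=abc", "C=México", "C=#x4dc3a97869636f", "CN=#xE5A4A7E58DAB"):
        for opts in (0, PKI_X509_UTF8):
            attr, stype, text = encode_dn_component(comp, opts)
            print(f"{comp:22} opts={opts:#07x} -> {attr}={stype} {text!r} "
                  f"DER={der_encode_value(stype, text).hex()}")
```

The "valid UTF-8, else Latin-1" guess is a heuristic, and it can be fooled: a Latin-1 string whose bytes happen to form a valid UTF-8 sequence will be copied unchanged and show up as the wrong characters. If the exact bytes matter, the "#x" form removes the ambiguity, because you are then supplying the UTF-8 bytes yourself.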

Profile limits are not enforced

Various profiles (e.g. PKIX) set limits on the maximum length of the attribute values, e.g. the maximum length of the country code "C" is two characters. We do not enforce these limits. We also do not enforce the strict choices about the string encoding types - if you pass a character that does not fit in the "correct" encoding for the attribute, we'll kludge it into the most appropriate one. In other words, we'll put any old cr*p that you pass into the certificate distinguished name (see AOC policy).
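Because the toolkit leaves these checks to the caller, here is an added example of the kind of pre-check a certificate-issuing application can run over DN attributes before handing them to the toolkit. It is not CryptoSys code. The length limits are the RFC 5280 (PKIX) Appendix A upper bounds, and countryName and serialNumber are required to be PrintableString by that profile; the upper-case requirement on the country code is this example's own policy choice, going slightly beyond the RFC wording.

```python
# Added example (not CryptoSys code): caller-side enforcement of the profile
# limits the toolkit does not check.
import string

# PrintableString alphabet (X.680)
_PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")

# RFC 5280 Appendix A upper bounds (characters) for common attribute types
UPPER_BOUNDS = {
    "C": 2, "CN": 64, "O": 64, "OU": 64, "L": 128, "ST": 128,
    "serialNumber": 64, "title": 64, "emailAddress": 255,
}

# Attributes the profile restricts to PrintableString
_PRINTABLE_ONLY = {"C", "serialNumber", "dnQualifier"}


def check_dn_attribute(attr: str, value: str) -> list:
    """Return a list of profile violations for one attribute (empty if it is clean)."""
    problems = []
    limit = UPPER_BOUNDS.get(attr)
    if limit is not None and len(value) > limit:
        problems.append(f"{attr}: {len(value)} characters exceeds profile limit of {limit}")
    if attr == "C" and not (len(value) == 2 and value.isascii()
                            and value.isalpha() and value.isupper()):
        # Policy choice of this example: insist on the upper-case ISO 3166 alpha-2 form.
        problems.append("C: must be exactly two upper-case ASCII letters")
    if attr in _PRINTABLE_ONLY and not all(ch in _PRINTABLE for ch in value):
        problems.append(f"{attr}: profile requires PrintableString characters only")
    return problems


def check_dn(components) -> list:
    """Check a sequence of (attr, value) pairs; returns all violations found."""
    problems = []
    for attr, value in components:
        problems.extend(check_dn_attribute(attr, value))
    return problems


if __name__ == "__main__":
    # Constructed sample: one good DN and one that the toolkit would accept anyway.
    good = [("C", "MX"), ("O", "Example Org"), ("CN", "example.test")]
    bad = [("C", "México"), ("CN", "x" * 65)]
    print("good:", check_dn(good) or "no problems")
    print("bad: ", check_dn(bad))
```

Running these checks before X509_MakeCertSelf (or any of the certificate-building functions) means a malformed country code or an over-long common name is rejected by your application, rather than being quietly kludged into the certificate where every relying party then has to cope with it.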


Copyright © 2004-12 D.I. Management Services Pty Ltd. All rights reserved.