User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:188.8.131.52) Gecko/2008102920 Firefox/3.0.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:184.108.40.206) Gecko/2008102920 Firefox/3.0.4 I have created a X.509 v3 client certificate using OpenSSL. The CN and OU field contain UTF8 characters, in this case Thai characters for testing purposes. When I import this certificate into the Windows certificate store it shows all fields correctly, ie I can actually see the Thai characters I used. However when I import the certificate into Firefox (3.04) and view the certificate subject from Firefox (tools->options->advanced->view certificates->view->details) then the UTF8 characters are not shown correctly. Result: http://www.vandersman.org/certstore.PNG Serverside the certificate subject is interpreted correctly for authentication purposes, when I use Firefox to go to a server to authenticate against. The used certificate in DER and PEM file format can be found here: www.boraxx.nl/Mozilla/Thai.der www.boraxx.nl/Mozilla/Thai.crt The required CA chain can be found here: www.boraxx.nl/Mozilla/ChainUCAcert.pem Reproducible: Always Steps to Reproduce: 1. Create a certificate using Thai characters using the Open SSL libs 2. Import the certificate into the browser Actual Results: http://www.vandersman.org/certstore.PNG Additional information can be found here: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/5656b0d3fd765547 Likely ties to bug: https://bugzilla.mozilla.org/show_bug.cgi?id=234856
In many cases we've found that the strings aren't being properly identified in the certificate as UTF8 strings, but whether this is our bug or not, I'll move it to the component that tracks this UI.
so. for the time being, i'km going to resolve this as invalid. you've removed the chain (which is unfortunate) and nelson indicates in the thread: > The CN and OU attributes in that cert, which (as I understand it) you > have said are UTF8 strings, are not encoded as UTF8 strings. That is, > the DER encoding in the certificate does not say they are UTF8 strings. > It says they are Teletex strings. This is an improper encoding for > UTF8 strings. I believe it's our expectation that a proper CA would not sign such an invalid Certificate. note that we kindly request that you attach the relevant files to bugzilla so that they are available later (to avoid the problem of a file such as http://www.boraxx.nl/Mozilla/ChainUCAcert.pem being missing).