How can I check if a x509 certificate is well formed?

Question

If openssl (e.g. x509 or s_client) thinks a DER encoded x509 self-signed certificate is well formed, can I definitively say that the certificate is well formed? For instance, openssl is able to load the certificate but a widely used closed source framework does not.

Thanks.

Answer 1

In general, yes, if OpenSSL can load it, than most likely there are no inherent problems with the format. However, some libraries and applications don't handle ASN.1 (DER) tags with undefined length. This is the most likely case with your certificate.