Fooling Go's X.509 Certificate Verification
Summary
A detailed look at why two seemingly identical CA certificates can fail in Go's x509 verification due to ASN.1 string encoding differences (UTF8String vs PrintableString). The post walks through code-level debugging, explains how Go's certificate pool matches based on raw Subject/Issuer bytes, and highlights practical risks for PKI tooling and outages when certificate generation encodes strings differently.
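The mismatch described above can be reproduced with the standard library alone; this is an added example, not code from the original post. One CA key self-signs two CA certificates whose subject differs only in the ASN.1 string tag of the CN, and a leaf issued under the PrintableString one is verified against each. The names (CN=Example CA, leaf.example.test) are constructed, and the helpers must, issue and demo are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a cert whose subject CN is encoded with the given ASN.1 string tag; nil parent means self-signed CA.
func issue(cn string, tag int, parent *x509.Certificate, pub any, signer ed25519.PrivateKey) *x509.Certificate {
	atv := pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, // id-at-commonName
		Value: asn1.RawValue{Tag: tag, Bytes: []byte(cn)}}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		RawSubject: must(asn1.Marshal(pkix.RDNSequence{{atv}})), // used verbatim by CreateCertificate
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		parent, t.IsCA, t.KeyUsage = t, true, t.KeyUsage|x509.KeyUsageCertSign
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// demo uses constructed names: one CA key, two CA certs differing only in the CN string encoding.
func demo() (sameText bool, errIssuer, errTwin error) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caPrintable := issue("Example CA", asn1.TagPrintableString, nil, caKey.Public(), caKey)
	caUTF8 := issue("Example CA", asn1.TagUTF8String, nil, caKey.Public(), caKey)
	leaf := issue("leaf.example.test", asn1.TagUTF8String, caPrintable, leafPub, caKey)
	poolIssuer, poolTwin := x509.NewCertPool(), x509.NewCertPool()
	poolIssuer.AddCert(caPrintable)
	poolTwin.AddCert(caUTF8)
	_, errIssuer = leaf.Verify(x509.VerifyOptions{Roots: poolIssuer})
	_, errTwin = leaf.Verify(x509.VerifyOptions{Roots: poolTwin}) // no pool entry matches leaf.RawIssuer
	return caPrintable.Subject.String() == caUTF8.Subject.String(), errIssuer, errTwin
}

func main() { fmt.Println(demo()) }
```

Both CA subjects render as the same text and share one key, yet only the pool holding the byte-identical subject yields a chain; the other fails with `x509: certificate signed by unknown authority`.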