ASN.1 Universal Tags
Universal-class tag identifiers from ITU-T X.680 — the encoding floor underneath every DER-encoded X.509 certificate, PKCS structure, CMS envelope, FIDO attestation x5c chain, and EMV PKI artefact you will ever parse.
BER · DER · CER — the encoding rules
BER (Basic Encoding Rules)
X.690 §8. The permissive parent. A single ASN.1 value may have multiple BER encodings — indefinite length, primitive or constructed, varying contents bytes. Use BER when you read, never when you write.
DER (Distinguished Encoding Rules)
X.690 §10. The canonical subset of BER. Every value has exactly one encoding: definite length, primitive when allowed, smallest representation. Used by X.509, PKCS, CMS, WebAuthn attestation. Always write DER.
CER (Canonical Encoding Rules)
X.690 §9. A second canonical subset, optimised for streaming over very long values via indefinite-length constructed encoding. Rare outside specific telecom contexts; the modern world is DER.
Tag classes
Universal (00)
Defined in X.680. The 16 universal-class tags below carry built-in types — INTEGER, OCTET STRING, SEQUENCE, etc.
Application (01)
Application-specific tags scoped to a particular protocol or PDU set. EMV uses these heavily.
Context-specific (10)
The most common non-universal class. Disambiguates fields inside a containing structure. [0], [1], [2] … tags inside X.509 extensions are context-specific.
Private (11)
Reserved for enterprise / vendor use. Rarely encountered in interoperable protocols.
The 16 universal tags
Each tag is encoded in one of two forms: Primitive (value carried directly in the contents octets) or Constructed (value is a sequence of TLV children). The SEQUENCE and SET tags are always constructed; BIT STRING and OCTET STRING may be either, but DER mandates primitive when length fits.
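Added example (not from the original page): a strict DER header reader in Python that splits the identifier octet into the class bits and primitive/constructed form described above, and rejects the BER-only length encodings. The function names and the sample bytes are constructed for illustration.

```python
# Added example, not the page's code: strict DER TLV reader (names are illustrative).
CLASSES = ("universal", "application", "context-specific", "private")  # bits 00,01,10,11
def read_tlv(buf, off=0):
    """Decode one TLV at buf[off:] -> (class, constructed, tag, contents, next_off)."""
    try:
        ident, off = buf[off], off + 1
        cls, constructed, tag = CLASSES[ident >> 6], bool(ident & 0x20), ident & 0x1F
        if tag == 0x1F:                      # high-tag-number form: base-128 digits
            if buf[off] == 0x80:
                raise ValueError("tag number has a leading zero digit")
            tag = 0
            while True:
                digit, off = buf[off], off + 1
                tag = (tag << 7) | (digit & 0x7F)
                if not digit & 0x80:         # top bit clear marks the last digit
                    break
            if tag < 31:
                raise ValueError("tag below 31 must use the single-octet form")
        first, off = buf[off], off + 1
        if first < 0x80:                     # short form: the octet is the length
            length = first
        elif first in (0x80, 0xFF):          # 0x80 = indefinite (BER/CER), 0xFF reserved
            raise ValueError("indefinite or reserved length octet is not DER")
        else:                                # long form: n big-endian length octets
            n = first & 0x7F
            raw, off = buf[off:off + n], off + n
            if len(raw) != n or raw[0] == 0 or (n == 1 and raw[0] < 0x80):
                raise ValueError("length truncated or not minimally encoded")
            length = int.from_bytes(raw, "big")
    except IndexError:
        raise ValueError("truncated header") from None
    if off + length > len(buf):
        raise ValueError("contents run past end of input")
    if cls == "universal" and tag in (16, 17) and not constructed:
        raise ValueError("SEQUENCE/SET must be constructed")
    return cls, constructed, tag, bytes(buf[off:off + length]), off + length

def walk(buf, depth=0):
    """Flatten a DER blob into (depth, class, constructed, tag) rows, depth-first."""
    rows, off = [], 0
    while off < len(buf):
        cls, constructed, tag, contents, off = read_tlv(buf, off)
        rows.append((depth, cls, constructed, tag))
        if constructed:                      # constructed contents are child TLVs
            rows += walk(contents, depth + 1)
    return rows
# Constructed sample: SEQUENCE { INTEGER 5, [0] { OCTET STRING "hi" } }
SAMPLE = bytes.fromhex("3009020105a00404026869")
```

A parser that accepts the rejected inputs would let two different byte strings decode to the same value, which matters wherever a signature or hash is computed over the encoding.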
Companion ASN.1 tooling
Walk a structure
ASN.1 Tree Explorer — collapsible tree walker for any DER blob.
ASN.1 Parser — flat TLV walker with OID lookup.
Certificate-level
X.509 Viewer · Chain Viewer · PKCS#10 CSR Decoder · PFX / PKCS#12 Inspector
Encoding-level
FIDO attestation
Attestation Object Decoder · COSE Key · COSE Algorithms reference
Where ASN.1 shows up
- X.509 v3 certificates — the entire certificate is a DER-encoded SEQUENCE. Walk one with the X.509 viewer.
- PKCS#10 CSRs — certificate signing requests. RFC 2986. Decode with CSR Decoder.
- PKCS#7 / CMS — signed-data and enveloped-data wrappers, also used inside PAdES PDF signatures.
- PKCS#12 / PFX — bundle of cert + key. Mostly DER inside DER. PFX Inspector.
- FIDO / WebAuthn attestation x5c chains — the attestation cert chain is DER. See Understanding WebAuthn attestation.
- EMV PKI — CA public keys, ICC public keys, and PIN-encipherment certificates are ASN.1-encoded.
- JavaCard CAP files — not ASN.1, but the on-card verifier checks the structural shape the same way. CAP Components reference.
Further reading
Specifications
ITU-T X.680 (syntax) · X.690 (BER/DER/CER) · X.691 (PER) · X.693 (XER)