diff --git a/src/test/ruby/test_asn1.rb b/src/test/ruby/test_asn1.rb
index b9b2cf83..a9b4a8e2 100644
--- a/src/test/ruby/test_asn1.rb
+++ b/src/test/ruby/test_asn1.rb
@@ -3,6 +3,194 @@
 
 class TestASN1 < TestCase
 
+  def test_decode_x509_certificate
+    subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA")
+    key = Fixtures.pkey("rsa1024")
+    now = Time.at(Time.now.to_i) # suppress usec
+    s = 0xdeadbeafdeadbeafdeadbeafdeadbeaf
+    exts = [
+      ["basicConstraints","CA:TRUE,pathlen:1",true],
+      ["keyUsage","keyCertSign, cRLSign",true],
+      ["subjectKeyIdentifier","hash",false],
+    ]
+    dgst = OpenSSL::Digest.new('SHA256')
+    cert = issue_cert(subj, key, s, exts, nil, nil, digest: dgst, not_before: now, not_after: now+3600)
+
+
+    asn1 = OpenSSL::ASN1.decode(cert)
+    assert_equal(OpenSSL::ASN1::Sequence, asn1.class)
+    assert_equal(3, asn1.value.size)
+    tbs_cert, sig_alg, sig_val = *asn1.value
+
+    assert_equal(OpenSSL::ASN1::Sequence, tbs_cert.class)
+    assert_equal(8, tbs_cert.value.size)
+
+    version = tbs_cert.value[0]
+    assert_equal(:CONTEXT_SPECIFIC, version.tag_class)
+    assert_equal(0, version.tag)
+    assert_equal(1, version.value.size)
+    assert_equal(OpenSSL::ASN1::Integer, version.value[0].class)
+    assert_equal(2, version.value[0].value)
+
+    serial = tbs_cert.value[1]
+    assert_equal(OpenSSL::ASN1::Integer, serial.class)
+    assert_equal(0xdeadbeafdeadbeafdeadbeafdeadbeaf, serial.value)
+
+    sig = tbs_cert.value[2]
+    assert_equal(OpenSSL::ASN1::Sequence, sig.class)
+    assert_equal(2, sig.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, sig.value[0].class)
+    assert_equal("1.2.840.113549.1.1.11", sig.value[0].oid)
+    assert_equal(OpenSSL::ASN1::Null, sig.value[1].class)
+
+    dn = tbs_cert.value[3] # issuer
+    assert_equal(subj.hash, OpenSSL::X509::Name.new(dn).hash)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.class)
+    assert_equal(3, dn.value.size)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[0].class)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[1].class)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[2].class)
+    assert_equal(1, dn.value[0].value.size)
+    assert_equal(1, dn.value[1].value.size)
+    assert_equal(1, dn.value[2].value.size)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[0].value[0].class)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[1].value[0].class)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[2].value[0].class)
+    assert_equal(2, dn.value[0].value[0].value.size)
+    assert_equal(2, dn.value[1].value[0].value.size)
+    assert_equal(2, dn.value[2].value[0].value.size)
+    oid, value = *dn.value[0].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("0.9.2342.19200300.100.1.25", oid.oid)
+    assert_equal(OpenSSL::ASN1::IA5String, value.class)
+    assert_equal("org", value.value)
+    oid, value = *dn.value[1].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("0.9.2342.19200300.100.1.25", oid.oid)
+    assert_equal(OpenSSL::ASN1::IA5String, value.class)
+    assert_equal("ruby-lang", value.value)
+    oid, value = *dn.value[2].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("2.5.4.3", oid.oid)
+    assert_equal(OpenSSL::ASN1::UTF8String, value.class)
+    assert_equal("TestCA", value.value)
+
+    validity = tbs_cert.value[4]
+    assert_equal(OpenSSL::ASN1::Sequence, validity.class)
+    assert_equal(2, validity.value.size)
+    assert_equal(OpenSSL::ASN1::UTCTime, validity.value[0].class)
+    assert_equal(now, validity.value[0].value)
+    assert_equal(OpenSSL::ASN1::UTCTime, validity.value[1].class)
+    assert_equal(now+3600, validity.value[1].value)
+
+    dn = tbs_cert.value[5] # subject
+    assert_equal(subj.hash, OpenSSL::X509::Name.new(dn).hash)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.class)
+    assert_equal(3, dn.value.size)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[0].class)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[1].class)
+    assert_equal(OpenSSL::ASN1::Set, dn.value[2].class)
+    assert_equal(1, dn.value[0].value.size)
+    assert_equal(1, dn.value[1].value.size)
+    assert_equal(1, dn.value[2].value.size)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[0].value[0].class)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[1].value[0].class)
+    assert_equal(OpenSSL::ASN1::Sequence, dn.value[2].value[0].class)
+    assert_equal(2, dn.value[0].value[0].value.size)
+    assert_equal(2, dn.value[1].value[0].value.size)
+    assert_equal(2, dn.value[2].value[0].value.size)
+    oid, value = *dn.value[0].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("0.9.2342.19200300.100.1.25", oid.oid)
+    assert_equal(OpenSSL::ASN1::IA5String, value.class)
+    assert_equal("org", value.value)
+    oid, value = *dn.value[1].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("0.9.2342.19200300.100.1.25", oid.oid)
+    assert_equal(OpenSSL::ASN1::IA5String, value.class)
+    assert_equal("ruby-lang", value.value)
+    oid, value = *dn.value[2].value[0].value
+    assert_equal(OpenSSL::ASN1::ObjectId, oid.class)
+    assert_equal("2.5.4.3", oid.oid)
+    assert_equal(OpenSSL::ASN1::UTF8String, value.class)
+    assert_equal("TestCA", value.value)
+
+    pkey = tbs_cert.value[6]
+    assert_equal(OpenSSL::ASN1::Sequence, pkey.class)
+    assert_equal(2, pkey.value.size)
+    assert_equal(OpenSSL::ASN1::Sequence, pkey.value[0].class)
+    assert_equal(2, pkey.value[0].value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, pkey.value[0].value[0].class)
+    assert_equal("1.2.840.113549.1.1.1", pkey.value[0].value[0].oid)
+    assert_equal(OpenSSL::ASN1::BitString, pkey.value[1].class)
+    assert_equal(0, pkey.value[1].unused_bits)
+    spkey = OpenSSL::ASN1.decode(pkey.value[1].value)
+    assert_equal(OpenSSL::ASN1::Sequence, spkey.class)
+    assert_equal(2, spkey.value.size)
+    assert_equal(OpenSSL::ASN1::Integer, spkey.value[0].class)
+    assert_equal(cert.public_key.n, spkey.value[0].value)
+    assert_equal(OpenSSL::ASN1::Integer, spkey.value[1].class)
+    assert_equal(cert.public_key.e, spkey.value[1].value)
+
+    extensions = tbs_cert.value[7]
+    assert_equal(:CONTEXT_SPECIFIC, extensions.tag_class)
+    assert_equal(3, extensions.tag)
+    assert_equal(1, extensions.value.size)
+    assert_equal(OpenSSL::ASN1::Sequence, extensions.value[0].class)
+    assert_equal(3, extensions.value[0].value.size)
+
+    ext = extensions.value[0].value[0]  # basicConstraints
+    assert_equal(OpenSSL::ASN1::Sequence, ext.class)
+    assert_equal(3, ext.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, ext.value[0].class)
+    assert_equal("2.5.29.19",  ext.value[0].oid)
+    assert_equal(OpenSSL::ASN1::Boolean, ext.value[1].class)
+    assert_equal(true, ext.value[1].value)
+    assert_equal(OpenSSL::ASN1::OctetString, ext.value[2].class)
+    extv = OpenSSL::ASN1.decode(ext.value[2].value)
+    assert_equal(OpenSSL::ASN1::Sequence, extv.class)
+    assert_equal(2, extv.value.size)
+    assert_equal(OpenSSL::ASN1::Boolean, extv.value[0].class)
+    assert_equal(true, extv.value[0].value)
+    assert_equal(OpenSSL::ASN1::Integer, extv.value[1].class)
+    assert_equal(1, extv.value[1].value)
+
+    ext = extensions.value[0].value[1]  # keyUsage
+    assert_equal(OpenSSL::ASN1::Sequence, ext.class)
+    assert_equal(3, ext.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, ext.value[0].class)
+    assert_equal("2.5.29.15",  ext.value[0].oid)
+    assert_equal(OpenSSL::ASN1::Boolean, ext.value[1].class)
+    assert_equal(true, ext.value[1].value)
+    assert_equal(OpenSSL::ASN1::OctetString, ext.value[2].class)
+    extv = OpenSSL::ASN1.decode(ext.value[2].value)
+    assert_equal(OpenSSL::ASN1::BitString, extv.class)
+    str = +"\000"; str[0] = 0b00000110.chr
+    assert_equal(str, extv.value)
+
+    ext = extensions.value[0].value[2]  # subjectKeyIdentifier
+    assert_equal(OpenSSL::ASN1::Sequence, ext.class)
+    assert_equal(2, ext.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, ext.value[0].class)
+    assert_equal("2.5.29.14",  ext.value[0].oid)
+    assert_equal(OpenSSL::ASN1::OctetString, ext.value[1].class)
+    extv = OpenSSL::ASN1.decode(ext.value[1].value)
+    assert_equal(OpenSSL::ASN1::OctetString, extv.class)
+    sha1 = OpenSSL::Digest.new('SHA1')
+    sha1.update(pkey.value[1].value)
+    assert_equal(sha1.digest, extv.value)
+
+    assert_equal(OpenSSL::ASN1::Sequence, sig_alg.class)
+    assert_equal(2, sig_alg.value.size)
+    assert_equal(OpenSSL::ASN1::ObjectId, pkey.value[0].value[0].class)
+    assert_equal("1.2.840.113549.1.1.1", pkey.value[0].value[0].oid)
+    assert_equal(OpenSSL::ASN1::Null, pkey.value[0].value[1].class)
+
+    assert_equal(OpenSSL::ASN1::BitString, sig_val.class)
+    cululated_sig = key.sign(OpenSSL::Digest.new('SHA256'), tbs_cert.to_der)
+    assert_equal(cululated_sig, sig_val.value)
+  end
+
   def test_encode_boolean
     encode_decode_test(OpenSSL::ASN1::Boolean, [true, false])
   end