diff --git a/ChangeLog b/ChangeLog index eeb91bc0f..f949672c7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2006-07-03 Werner Koch + + * configure.ac: Test for ksba_dn_teststr. + 2006-06-30 Werner Koch * keyserver/: New. Taken from 1.4.4 diff --git a/TODO b/TODO index 672fab9a7..4970a8ab6 100644 --- a/TODO +++ b/TODO @@ -13,10 +13,6 @@ We should always use valid S-Exp and not just parts. might want to have an agent context for each service request (i.e. Assuan context). -* sm/certreqgen.c -** Improve error reporting -** Do some basic checks on the supplied DNs - * sm/certchain.c ** When a certificate chain was sucessfully verified, make ephemeral certs used in this chain permanent. ** Try to keep certificate references somewhere diff --git a/configure.ac b/configure.ac index 03d8809b9..2bb1d3fe9 100644 --- a/configure.ac +++ b/configure.ac @@ -512,6 +512,11 @@ AM_PATH_LIBASSUAN("$NEED_LIBASSUAN_VERSION", # libksba is our X.509 support library # AM_PATH_KSBA("$NEED_KSBA_VERSION",have_ksba=yes,have_ksba=no) +# fixme: Remove the following test and require newer libksba instead. +_ksba_save_libs=$LIBS +LIBS=$KSBA_LIBS +AC_CHECK_FUNCS(ksba_dn_teststr) +LIBS=$_ksba_save_libs # # libusb allows us to use the integrated CCID smartcard reader driver. diff --git a/sm/ChangeLog b/sm/ChangeLog index 97fa8cd89..55a539ad6 100644 --- a/sm/ChangeLog +++ b/sm/ChangeLog @@ -1,3 +1,8 @@ +2006-07-03 Werner Koch + + * certreqgen.c (proc_parameters): Print the component label of a + faulty DN. + 2006-06-26 Werner Koch * certdump.c (gpgsm_cert_log_name): New. diff --git a/sm/certreqgen.c b/sm/certreqgen.c index 744969719..205ca0e40 100644 --- a/sm/certreqgen.c +++ b/sm/certreqgen.c @@ -441,6 +441,7 @@ static int proc_parameters (ctrl_t ctrl, struct para_data_s *para, struct reqgen_ctrl_s *outctrl) { + gpg_error_t err; struct para_data_s *r; const char *s; int i; 
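Review bot: The new local `gpg_error_t err;` in proc_parameters is only referenced inside the `#if HAVE_KSBA_DN_TESTSTR` block that the @@ -483 hunk of sm/certreqgen.c adds, so a build against a libksba without ksba_dn_teststr leaves it unused and trips -Wunused-variable; the same holds for `size_t erroff, errlen;` added in the @@ -450 hunk. Either wrap the three declarations in the same `#if HAVE_KSBA_DN_TESTSTR` or, as the configure.ac fixme already suggests, drop the conditional and require the newer libksba. The body of proc_parameters continues well past this hunk.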
@@ -450,8 +451,9 @@ proc_parameters (ctrl_t ctrl, int rc; ksba_sexp_t public; int seq; - - /* check that we have all required parameters */ + size_t erroff, errlen; + + /* Check that we have all required parameters; */ assert (get_parameter (para, pKEYTYPE, 0)); /* We can only use RSA for now. There is a with pkcs-10 on how to @@ -483,17 +485,31 @@ proc_parameters (ctrl_t ctrl, if (parse_parameter_usage (para, pKEYUSAGE)) return gpg_error (GPG_ERR_INV_PARAMETER); - /* check that there is a subject name and that this DN fits our - requirements */ + /* Check that there is a subject name and that this DN fits our + requirements. */ if (!(s=get_parameter_value (para, pNAMEDN, 0))) { - r = get_parameter (para, pKEYTYPE, 0); + r = get_parameter (para, pNAMEDN, 0); log_error (_("line %d: no subject name given\n"), r->lnr); return gpg_error (GPG_ERR_INV_PARAMETER); } - /* fixme check s */ +#if HAVE_KSBA_DN_TESTSTR + err = ksba_dn_teststr (s, 0, &erroff, &errlen); + if (err) + { + r = get_parameter (para, pNAMEDN, 0); + if (gpg_err_code (err) == GPG_ERR_UNKNOWN_NAME) + log_error (_("line %d: invalid subject name label `%.*s'\n"), + r->lnr, (int)errlen, s+erroff); + else + log_error (_("line %d: invalid subject name `%s' at pos %d\n"), + r->lnr, s, erroff); - /* check that the optional email address is okay */ + return gpg_error (GPG_ERR_INV_PARAMETER); + } +#endif /*HAVE_KSBA_DN_TESTSTR*/ + + /* Check that the optional email address is okay. */ for (seq=0; (s=get_parameter_value (para, pNAMEEMAIL, seq)); seq++) { if (has_invalid_email_chars (s)
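Review bot: The second log_error in the new ksba_dn_teststr branch passes `erroff`, declared `size_t` in the @@ -450 hunk, to a `%d` conversion, which is a type-mismatched format (undefined behaviour, and in practice a wrong value wherever size_t is wider than int); the sibling call two lines up already casts errlen, so this one should read `r->lnr, s, (int)erroff);`. Since the whole check vanishes when HAVE_KSBA_DN_TESTSTR is not set, the DN then goes through unvalidated exactly as the removed `/* fixme check s */` did; an `#else` branch with `/* No ksba_dn_teststr in this libksba: the subject DN is not validated here. */` would make that visible at the point of use rather than only in configure.ac. proc_parameters continues beyond the end of this hunk.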