diff --git a/main.go b/main.go
index 44520e3..f97d873 100644
--- a/main.go
+++ b/main.go
@@ -1930,6 +1930,15 @@ func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
 				tf.recursivelyRecordAsNotObfuscated(obj.Type())
 				return true
 			}
+		case "crypto/x509/pkix":
+			// For better or worse, encoding/asn1 detects a "SET" suffix on slice type names
+			// to tell whether those slices should be treated as sets or sequences.
+			// Do not obfuscate those names to prevent breaking x509 certificates.
+			// TODO: we can surely do better; ideally propose a non-string-based solution
+			// upstream, or as a fallback, obfuscate to a name ending with "SET".
+			if strings.HasSuffix(name, "SET") {
+				return true
+			}
 		}
 
 		// The package that declared this object did not obfuscate it.
diff --git a/testdata/script/reflect.txtar b/testdata/script/reflect.txtar
index 9af84b2..ec29c88 100644
--- a/testdata/script/reflect.txtar
+++ b/testdata/script/reflect.txtar
@@ -19,8 +19,14 @@ go 1.20
 package main
 
 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
 	"fmt"
+	"math/big"
 	"os"
 	"reflect"
 	"strings"
@@ -107,6 +113,8 @@ func main() {
 	variadic := VariadicReflection{ReflectionField: "variadic"}
 	_ = importedpkg.VariadicReflect("foo", 1, variadic, false)
 	printfWithoutPackage("%#v\n", variadic)
+
+	testx509()
 }
 
 type EmbeddingIndirect struct {
@@ -163,6 +171,30 @@ var _ = func() uintptr {
 	return field.Offset
 }()
 
+// encoding/x509 uses encoding/asn1, which uses reflect.
+// In one place it depends on field names; that used to be broken by garble.
+func testx509() {
+	priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{Organization: []string{"Acme Co"}},
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		panic(err)
+	}
+
+	_, err = x509.ParseCertificate(derBytes)
+	if err != nil {
+		panic(err)
+	}
+}
+
 
 -- importedpkg/imported.go --
 package importedpkg