X.509 is an ITU - T standard for a public key infrastructure for creating digital certificates. Currently, version 3 ( X.509v3 ).


First time in 1988 X.509 was published. The development of X.509 began in conjunction with the X.500 standard ( which was never fully implemented) and assumes a strict hierarchical system of trusted CAs (English certificate authority CA) that can issue the certificates. This principle is in contrast to web-of -trust model, which is a graph, not just a tree, and at the "sign" each a certificate and thus can certify its authenticity ( see, eg, OpenPGP ).

Version 3 of X.509 ( X.509v3 ) includes the flexibility to be extended with profiles. The IETF developed the main profile, PKIX Certificate and CRL Profile, or " PKIX ", as part of RFC 3280, RFC currently 5280th The term " X.509 certificate " refers mostly to it.


One of a certificate issued digital certificate is always tied to a "Distinguished Name" or " Alternative Name " as an email address or a DNS entry in the X.509 system.

Nearly all Web browsers include a preconfigured list of trusted CAs whose issued SSL certificates trusted by the browser.

X.509 also includes a standard by which certificates from the certification body may be invalidated again when their safety is no longer ensured (eg, after the public announcement of the private keys for signing e- mails). The certification body can this invalid certificates in CRLs ( certificate revocation list, CRL short ) run. Automatic checking whether a certificate is now part of a revocation list, but not in all programs that accept X.509 certificates by default.

Structure of an X -509 v3 certificate

  • Certificate version
  • Serial number
  • Algorithms ID
  • Exhibitor Country / Region
  • State / Province
  • Place
  • OU
  • Organization
  • Common name
  • Of
  • To
  • Public key algorithm
  • Public key of the certificate holder
  • ...

Publisher and owner ID were introduced in version 2, enhancements in version 3


Extensions or extensions have become a very important part of a certificate. Extensions have the following substructure:

  • Extension ID
  • Flag (critical / non-critical )
  • Value

Each extension has a specific ID. The flags are used for the gradual introduction of a new extension. Thus, new extensions at the beginning are marked as critical. An implementation that meets a non-critical extension unknown, can ignore it. If an extension of time, however, set to critical after sufficient testing, so must have a certificate with an unknown critical extension as invalid are considered. Examples of extensions are

  • KeyUsage: Specifies the application for which the certificate was issued. A CA certificate must have entered here eg keyCertSign and cRLSign.
  • BasicConstraints: Transitivitätsvertrauen is impossible without this extension. BasicConstraints are: CA: Indicates whether the certificate belongs to a CA. In a certificate chain must each certificate, except the last instance ( the user / server ), be marked as CA.
  • Pathlen: Specifies how long the certificate chain must be maximal.

File name extensions for certificates

Common file name extensions for X.509 certificates are:

  • . CER - DER or Base64 - encoded certificate
  • . CRT - DER or Base64 - encoded certificate
  • . CSR - Base64 -encoded certificate request the public key ( plus additional metadata of the owner ) to a CA, surrounded by "----- BEGIN CERTIFICATE REQUEST ----- " and " ----- END CERTIFICATE REQUEST - --- "
  • . DER - DER-encoded certificate
  • . P12 - PKCS # 12, can contain public certificate and private key (password - protected).
  • . P7B - See p7c.
  • . P7C - PKCS # 7 signed data structure without data content, only with certificate (s) or certificate revocation list (s)
  • . PEM - Base64 - encoded certificate, enclosed by "----- BEGIN CERTIFICATE ----- " and " ----- END CERTIFICATE ----- "
  • . PFX - See p12.

PKCS # 7 is a standard for signing and encrypting data. As the certificate is used to verify the signed data, it can be accommodated in the " SignedData " structure. A. P7c file is the special case of a file that does not contain data for signing, but only the " SignedData " structure.

PKCS # 12 evolved from the PFX ( Personal Information Exchange ) standard and is used to exchange public and private keys in a common file.

A. PEM file can contain certificates and / or private keys, which are enclosed by corresponding BEGIN / END lines.

Example of an X.509 certificate

Text representation of a constructed X.509v3 (Version 3) digital certificate. ( The structure is based on ASN.1. ):

Certificate:      Data:          Version: 3 ( 0x2 )          Serial Number: 1 ( 0x1)          Signature Algorithm: md5WithRSAEncryption          Issuer: C = AT, ST = Styria, Graz L =, O = TrustMe Ltd., OU = Certificate Authority, CN = CA / Email = [email protected]          Validity              Not Before: Oct 29 17:39:10 GMT 2000              Not After: Oct 29 17:39:10 GMT 2001          Subject: C = AT, ST = Vienna, L = Vienna, O = Home, OU = Web Lab, CN = anywhere.com / Email = [email protected]          Subject Public Key Info:              Public Key Algorithm: rsaEncryption              RSA Public Key: (1024 bit)                  Modulus (1024 bit):                      00: c4: 40:4 c: 6e: 14:1 b: 61:36:84:24: b2: 61: c0: b5:                      d7: e4: 7a: a5: 4b: 94: ef: d9: 5e: 43:7 f: c1: 64:80: fd:                      9f: 50:41:6 b: 70:73:80:48:90: f3: 58: bf: f0: 4c: b9:                      90:32:81:59:18:16:3 f: 19: f4: 5f: 11:68:36:85: f6:                      1c: a9: af: fa: a9: a8: 7b: 44:85:79: b5: f1: 20: d3: 25:                      7d: 1c: de: 68:15:0 ​​c: b6: bc: 59:46:0 a: d8: 99:4 e: 07:                      50:0 a: 5d: 83:61: d4: db: c9: 7d: c3: 2e: eb: 0a: 8f: 62:                      8f: 7e: 00: e1: 37:67:3 f: 36: d5: 04:38:44:44:77: e9:                      f0: b4: 95: f5: f9: 34:9 f: f8: 43                  Exponent: 65537 ( 0x10001 )          X509v3 extensions:              X509v3 Subject Alternative Name:                  email: [email protected]              Netscape Comment:                  mod_ssl generated test server certificate              Netscape Cert Type:                  SSL Server      Signature Algorithm: md5WithRSAEncryption          12: ed: f7: b3: 5e: a0: 93:3 f: a0: 1d: 60: cb: 47:19:7 d: 15:59:9 b:          3b: 2c: a8: a3: 6a: 03:43: d0: 85: d3: 86:86:2 f: e3: aa: 79:39: e7:          82:20: ed: f4: 11:85: a3: 41:5 e: 5c: 8d: 36: a2: 71: b6: 6a: 08: f9:          cc: 1e: da: c4: 78:05:75:8 f: 9b: 10: f0: 15: f0: 9e: 67: a0: 4e: a1:          4d: 3f: 16:4 c: 9b: 19:56:6 a: f2: af: 89:54:52:4 a: 06:34:42:0 d:          d5: 40:25:6 b: b0: c0: a2: 03:18: cd: d1: 07:20: b6: e5: c5: 1e: 21:          44: e7: c5: 09: d2: d5: 94:9 d: 6c: 13:07:2 f: 3b: 7c: 4c: 64:90: bf:          ff: 8e literature

  • X.509 Information technology - Open Systems Interconnection - The Directory: Public -key and attribute certificate frameworks