X.509 is an ITU - T standard for a public key infrastructure for creating digital certificates. Currently, version 3 ( X.509v3 ).
First time in 1988 X.509 was published. The development of X.509 began in conjunction with the X.500 standard ( which was never fully implemented) and assumes a strict hierarchical system of trusted CAs (English certificate authority CA) that can issue the certificates. This principle is in contrast to web-of -trust model, which is a graph, not just a tree, and at the "sign" each a certificate and thus can certify its authenticity ( see, eg, OpenPGP ).
Version 3 of X.509 ( X.509v3 ) includes the flexibility to be extended with profiles. The IETF developed the main profile, PKIX Certificate and CRL Profile, or " PKIX ", as part of RFC 3280, RFC currently 5280th The term " X.509 certificate " refers mostly to it.
One of a certificate issued digital certificate is always tied to a "Distinguished Name" or " Alternative Name " as an email address or a DNS entry in the X.509 system.
Nearly all Web browsers include a preconfigured list of trusted CAs whose issued SSL certificates trusted by the browser.
X.509 also includes a standard by which certificates from the certification body may be invalidated again when their safety is no longer ensured (eg, after the public announcement of the private keys for signing e- mails). The certification body can this invalid certificates in CRLs ( certificate revocation list, CRL short ) run. Automatic checking whether a certificate is now part of a revocation list, but not in all programs that accept X.509 certificates by default.
Structure of an X -509 v3 certificate
- Certificate version
- Serial number
- Algorithms ID
- Exhibitor Country / Region
- State / Province
- Common name
- Public key algorithm
- Public key of the certificate holder
Publisher and owner ID were introduced in version 2, enhancements in version 3
Extensions or extensions have become a very important part of a certificate. Extensions have the following substructure:
- Extension ID
- Flag (critical / non-critical )
Each extension has a specific ID. The flags are used for the gradual introduction of a new extension. Thus, new extensions at the beginning are marked as critical. An implementation that meets a non-critical extension unknown, can ignore it. If an extension of time, however, set to critical after sufficient testing, so must have a certificate with an unknown critical extension as invalid are considered. Examples of extensions are
- KeyUsage: Specifies the application for which the certificate was issued. A CA certificate must have entered here eg keyCertSign and cRLSign.
- BasicConstraints: Transitivitätsvertrauen is impossible without this extension. BasicConstraints are: CA: Indicates whether the certificate belongs to a CA. In a certificate chain must each certificate, except the last instance ( the user / server ), be marked as CA.
- Pathlen: Specifies how long the certificate chain must be maximal.
File name extensions for certificates
Common file name extensions for X.509 certificates are:
- . CER - DER or Base64 - encoded certificate
- . CRT - DER or Base64 - encoded certificate
- . CSR - Base64 -encoded certificate request the public key ( plus additional metadata of the owner ) to a CA, surrounded by "----- BEGIN CERTIFICATE REQUEST ----- " and " ----- END CERTIFICATE REQUEST - --- "
- . DER - DER-encoded certificate
- . P12 - PKCS # 12, can contain public certificate and private key (password - protected).
- . P7B - See p7c.
- . P7C - PKCS # 7 signed data structure without data content, only with certificate (s) or certificate revocation list (s)
- . PEM - Base64 - encoded certificate, enclosed by "----- BEGIN CERTIFICATE ----- " and " ----- END CERTIFICATE ----- "
- . PFX - See p12.
PKCS # 7 is a standard for signing and encrypting data. As the certificate is used to verify the signed data, it can be accommodated in the " SignedData " structure. A. P7c file is the special case of a file that does not contain data for signing, but only the " SignedData " structure.
PKCS # 12 evolved from the PFX ( Personal Information Exchange ) standard and is used to exchange public and private keys in a common file.
A. PEM file can contain certificates and / or private keys, which are enclosed by corresponding BEGIN / END lines.
Example of an X.509 certificate
Text representation of a constructed X.509v3 (Version 3) digital certificate. ( The structure is based on ASN.1. ):
Certificate: Data: Version: 3 ( 0x2 ) Serial Number: 1 ( 0x1) Signature Algorithm: md5WithRSAEncryption Issuer: C = AT, ST = Styria, Graz L =, O = TrustMe Ltd., OU = Certificate Authority, CN = CA / Email = [email protected] Validity Not Before: Oct 29 17:39:10 GMT 2000 Not After: Oct 29 17:39:10 GMT 2001 Subject: C = AT, ST = Vienna, L = Vienna, O = Home, OU = Web Lab, CN = anywhere.com / Email = [email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00: c4: 40:4 c: 6e: 14:1 b: 61:36:84:24: b2: 61: c0: b5: d7: e4: 7a: a5: 4b: 94: ef: d9: 5e: 43:7 f: c1: 64:80: fd: 9f: 50:41:6 b: 70:73:80:48:90: f3: 58: bf: f0: 4c: b9: 90:32:81:59:18:16:3 f: 19: f4: 5f: 11:68:36:85: f6: 1c: a9: af: fa: a9: a8: 7b: 44:85:79: b5: f1: 20: d3: 25: 7d: 1c: de: 68:15:0 c: b6: bc: 59:46:0 a: d8: 99:4 e: 07: 50:0 a: 5d: 83:61: d4: db: c9: 7d: c3: 2e: eb: 0a: 8f: 62: 8f: 7e: 00: e1: 37:67:3 f: 36: d5: 04:38:44:44:77: e9: f0: b4: 95: f5: f9: 34:9 f: f8: 43 Exponent: 65537 ( 0x10001 ) X509v3 extensions: X509v3 Subject Alternative Name: email: [email protected] Netscape Comment: mod_ssl generated test server certificate Netscape Cert Type: SSL Server Signature Algorithm: md5WithRSAEncryption 12: ed: f7: b3: 5e: a0: 93:3 f: a0: 1d: 60: cb: 47:19:7 d: 15:59:9 b: 3b: 2c: a8: a3: 6a: 03:43: d0: 85: d3: 86:86:2 f: e3: aa: 79:39: e7: 82:20: ed: f4: 11:85: a3: 41:5 e: 5c: 8d: 36: a2: 71: b6: 6a: 08: f9: cc: 1e: da: c4: 78:05:75:8 f: 9b: 10: f0: 15: f0: 9e: 67: a0: 4e: a1: 4d: 3f: 16:4 c: 9b: 19:56:6 a: f2: af: 89:54:52:4 a: 06:34:42:0 d: d5: 40:25:6 b: b0: c0: a2: 03:18: cd: d1: 07:20: b6: e5: c5: 1e: 21: 44: e7: c5: 09: d2: d5: 94:9 d: 6c: 13:07:2 f: 3b: 7c: 4c: 64:90: bf: ff: 8e literature
- X.509 Information technology - Open Systems Interconnection - The Directory: Public -key and attribute certificate frameworks