X.509 certificate format

X.509 is a standard format for public key certificates and defines the structure for encoding information in [[PKI]] environments^[600-developer-tools-security-ca.md].

Structure

An X.509 certificate is a digital document that binds a public key to an identity.^[600-developer-tools-security-ca.md] It relies on the Distinguished Name (DN) to identify the entity associated with the certificate.^[600-developer-tools-security-ca.md] This DN structure is composed of several standardized fields that describe the certificate subject or issuer:

  • C (Country Name): A two-letter country code^[600-developer-tools-security-ca.md].
  • ST (State or Province Name): The full name of the state or province^[600-developer-tools-security-ca.md].
  • L (Locality Name): The name of the city or locality^[600-developer-tools-security-ca.md].
  • O (Organization Name): The name of the organization^[600-developer-tools-security-ca.md].
  • OU (Organizational Unit Name): The specific department or section^[600-developer-tools-security-ca.md].
  • CN (Common Name): Typically the server FQDN or the holder's name^[600-developer-tools-security-ca.md].
  • emailAddress: The contact email address^[600-developer-tools-security-ca.md].

Certificate Data Fields

Beyond the identity fields, the format includes specific metadata fields required for the certificate's validity and management:

  • Version: The version of the X.509 standard (e.g., Version 3)^[600-developer-tools-security-ca.md].
  • Serial Number: A unique identifier for the certificate^[600-developer-tools-security-ca.md].
  • Validity Period:
    • Not Before: The start date and time when the certificate becomes valid^[600-developer-tools-security-ca.md].
    • Not After: The expiration date and time^[600-developer-tools-security-ca.md].
  • Issuer: The entity that signed and issued the certificate^[600-developer-tools-security-ca.md].
  • Subject Public Key Info: Contains the public key algorithm (e.g., rsaEncryption) and the public key itself (Modulus and Exponent)^[600-developer-tools-security-ca.md].

Extensions

X.509 v3 supports extensions that provide additional usage constraints and properties.^[600-developer-tools-security-ca.md] Common extensions include:

  • Basic Constraints: Defines if the certificate is a Certificate Authority (CA) and the maximum path length^[600-developer-tools-security-ca.md].
  • Key Usage: A critical field defining the purpose of the key, such as Digital Signature, Certificate Sign, or CRL Sign^[600-developer-tools-security-ca.md].
  • Subject Key Identifier: A unique identifier for the subject's public key^[600-developer-tools-security-ca.md].
  • Authority Key Identifier: Identifies the public key corresponding to the private key used to sign the certificate^[600-developer-tools-security-ca.md].

Encoding

Certificates are commonly encoded in Base64 and saved with file extensions such as .CER or .CRT.^[600-developer-tools-security-ca.md] The openssl command can be used with the -x509 flag to generate a self-signed certificate following this standard^[600-developer-tools-security-ca.md].
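The four sections above (DN structure, certificate data fields, v3 extensions and Base64 encoding), shown end to end in one added example. This is standard-library Python written for this page, not code from the cited source and not the openssl tool: it DER-encodes a minimal v3 certificate carrying the listed DN attributes, data fields and the four extensions, wraps it as a Base64 PEM block, and parses the fields back out. The OIDs are the standard ones; the subject values, serial number, validity dates, 24-bit RSA modulus, key identifier and zeroed signature bytes are constructed placeholders, so the output illustrates the layout and is not a usable certificate.

```python
"""Added example, not code from the cited source: build a minimal X.509 v3 certificate in DER from
the fields on this page, wrap it as Base64 PEM, and read the fields back. Stdlib only; OIDs are
standard, every value (names, serial, dates, key, signature) is a constructed placeholder."""
import base64

def tlv(tag, body):  # one DER element: Tag | Length | Value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body                                   # short-form length
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body                     # long-form length

def der_int(v):  # INTEGER; the spare byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def der_oid(dotted):  # OBJECT IDENTIFIER: first two arcs packed, the rest as base-128 groups
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        group = bytes([a & 0x7F])
        while a >= 0x80:
            a >>= 7
            group = bytes([0x80 | (a & 0x7F)]) + group
        out += group
    return tlv(0x06, out)

seq = lambda *xs: tlv(0x30, b"".join(xs))                               # SEQUENCE
sset = lambda *xs: tlv(0x31, b"".join(xs))                              # SET
utf8 = lambda s: tlv(0x0C, s.encode())                                  # UTF8String
printable = lambda s: tlv(0x13, s.encode())                             # PrintableString
ia5 = lambda s: tlv(0x16, s.encode())                                   # IA5String
utctime = lambda s: tlv(0x17, s.encode())                               # UTCTime "YYMMDDHHMMSSZ"
boolean = lambda b: tlv(0x01, b"\xff" if b else b"\x00")                # BOOLEAN
octets = lambda b: tlv(0x04, b)                                         # OCTET STRING
bits = lambda b, unused=0: tlv(0x03, bytes([unused]) + b)               # BIT STRING
ctx = lambda n, body: tlv(0xA0 | n, body)                               # [n] EXPLICIT tag

# Standard OIDs for the names used on the page; NAME_OF maps an encoded OID body back to the name
OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10", "OU": "2.5.4.11",
        "CN": "2.5.4.3", "emailAddress": "1.2.840.113549.1.9.1", "basicConstraints": "2.5.29.19",
        "keyUsage": "2.5.29.15", "subjectKeyIdentifier": "2.5.29.14", "authorityKeyIdentifier": "2.5.29.35",
        "rsaEncryption": "1.2.840.113549.1.1.1", "sha256WithRSAEncryption": "1.2.840.113549.1.1.11"}
NAME_OF = {der_oid(o)[2:]: n for n, o in OIDS.items()}

def build_dn(fields):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; C and email use narrower string types
    string = lambda k, v: printable(v) if k == "C" else ia5(v) if k == "emailAddress" else utf8(v)
    return seq(*[sset(seq(der_oid(OIDS[k]), string(k, v))) for k, v in fields])

def extension(name, critical, value):  # critical BOOLEAN DEFAULT FALSE, so DER omits it unless TRUE
    return seq(der_oid(OIDS[name]), boolean(True) if critical else b"", octets(value))

def build_certificate(serial, dn, not_before, not_after, modulus, exponent, key_id):
    """Self-issued layout demo: issuer == subject, AKI repeats the SKI, signature is a zeroed placeholder."""
    null = tlv(0x05, b"")
    alg = seq(der_oid(OIDS["sha256WithRSAEncryption"]), null)
    spki = seq(seq(der_oid(OIDS["rsaEncryption"]), null), bits(seq(der_int(modulus), der_int(exponent))))
    key_usage = bits(bytes([0x86]), unused=1)  # bits 0, 5, 6: digitalSignature, keyCertSign, cRLSign
    exts = seq(extension("basicConstraints", True, seq(boolean(True), der_int(0))),  # cA=TRUE, pathlen 0
               extension("keyUsage", True, key_usage),
               extension("subjectKeyIdentifier", False, octets(key_id)),
               extension("authorityKeyIdentifier", False, seq(tlv(0x80, key_id))))  # [0] keyIdentifier
    tbs = seq(ctx(0, der_int(2)), der_int(serial), alg, build_dn(dn),  # Version v3 is encoded as 2
              seq(utctime(not_before), utctime(not_after)), build_dn(dn), spki, ctx(3, exts))
    return seq(tbs, alg, bits(b"\x00" * 8))

def to_pem(der):  # Base64 body in 64-column lines between the CERTIFICATE markers
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
def from_pem(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))

def children(body):  # split a DER body into (tag, value) pairs, honouring long-form lengths
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

def parse_certificate(pem):  # pull the fields named on the page back out of a PEM certificate
    tbs = children(children(from_pem(pem))[0][1])[0][1]
    version, serial, _, issuer, validity, subject, spki, exts = [v for _, v in children(tbs)]
    def dn(body):  # {short name: value} for each RDN
        pairs = [children(children(rdn)[0][1]) for _, rdn in children(body)]
        return {NAME_OF[oid]: val.decode() for (_, oid), (_, val) in pairs}
    ext_list = [(NAME_OF[children(e)[0][1]], len(children(e)) == 3) for _, e in children(children(exts)[0][1])]
    return {"version": int.from_bytes(children(version)[0][1], "big") + 1, "serial": int.from_bytes(serial, "big"),
            "issuer": dn(issuer), "subject": dn(subject), "validity": tuple(t.decode() for _, t in children(validity)),
            "public_key_algorithm": NAME_OF[children(children(spki)[0][1])[0][1]], "extensions": ext_list}

SAMPLE_DN = [("C", "US"), ("ST", "California"), ("L", "San Francisco"), ("O", "Example Corp"),
             ("OU", "Security Engineering"), ("CN", "example.test"), ("emailAddress", "pki@example.test")]

def demo():  # constructed inputs; the 24-bit modulus is a toy, not a real key
    der = build_certificate(0x1234, SAMPLE_DN, "240101000000Z", "250101000000Z",
                            modulus=0xC0FFEE, exponent=65537, key_id=bytes(range(20)))
    return parse_certificate(to_pem(der))
```

Two details in the walk-back matter for anyone writing a validator: the version field is an INTEGER holding 2 for v3, and a DER encoder leaves out the critical BOOLEAN when it is FALSE, so a parser has to treat an absent flag as non-critical instead of rejecting the extension. Calling demo() returns the parsed dictionary, with issuer equal to subject because the sample is self-issued.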

Sources

^[600-developer-tools-security-ca.md]