Cryptography Tutorials - Herong's Tutorial Examples - v5.42, by Herong Yang
X.509 Certificate Standard
This section describes the X.509 certificate standard, an international standard that defines what should be included in a digital certificate.
X.509 is an international standard for what should be included in a digital certificate. Here is the definition from webpedia.com:
A widely used standard for defining digital certificates. X.509 (Version 1) was first issued in 1988 as a part of the ITU X.500 Directory Services standard. When X.509 was revised in 1993, two more fields were added resulting in the Version 2 format. These two additional fields support directory access control. X.509 Version 3 defines the format for certificate extensions used to store additional information regarding the certificate holder and to define certificate usage. Collectively, the term X.509 refers to the latest published version, unless the version number is stated.
X.509 is published as ITU recommendation ITU-T X.509 (formerly CCITT X.509) and ISO/IEC/ITU 9594-8 which defines a standard certificate format for public key certificates and certification validation. With minor differences in dates and titles, these publications provide identical text in the defining of public-key and attribute certificates.
My understanding of X.509 is that a certificate is required to have the following information:
The content structure of a Version 3 X.509 certificate should look like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1185572113 (0x46aa6511)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=CA, ST=Herong State, L=Herong City, ...
        Validity
            Not Before: Apr  1 21:35:13 2007 GMT
            Not After : Jun 30 21:35:13 2007 GMT
        Subject: C=CA, ST=Herong State, L=Herong City, ...
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub:
                    00:b0:61:2b:c1:88:0e:19:66:58:37:b5:...
                    ...
                P:
                    00:fd:7f:53:81:1d:75:12:29:52:df:4a:...
                    ...
                Q:
                    00:97:60:50:8f:15:23:0b:cc:b2:92:b9:...
                    ...
                G:
                    00:f7:e1:a0:85:d6:9b:3d:de:cb:bc:ab:...
                    ...
    Signature Algorithm: dsaWithSHA1
        30:2c:02:14:6c:21:f3:43:b5:4f:d5:3d:2e:23:89:45:0...
        ...
X.509 defines what the contents of a certificate should be, but it does not define how those contents should be encoded for storage in files.
Two commonly used encodings for storing X.509 certificates in files are DER and PEM, described in the next sections.
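To make the structure shown in the dump above concrete, here is an added example (not code from the tutorial) that builds a toy X.509 v3 certificate in DER with a minimal ASN.1 encoder and then walks it back field by field, the way "openssl x509 -text" does. The serial number, the C/ST/L name attributes and the validity dates are taken from the dump; the DSA parameters, public key value and signature bits are constructed placeholders, not real cryptographic values, and the DER encoding itself (which the next section covers) is only as much as needed to lay the fields out. The parser is generic enough to walk the same top-level fields of a real DER certificate.

```python
"""Build a toy X.509 v3 certificate in DER and parse it back field by field.

Layout follows the ASN.1 the standard defines:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
  TBSCertificate ::= SEQUENCE { [0] version, serialNumber, signature, issuer,
                                validity, subject, subjectPublicKeyInfo, ... }
Key material and the signature below are constructed placeholders, not real DSA values.
"""
OID_NAMES = {
    "1.2.840.10040.4.1": "dsaEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
}

# --- minimal DER encoder -------------------------------------------------------
def der_len(n):                 # short form below 128, long form (0x80 | count) above
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):                # SEQUENCE, constructed tag 0x30
    return tlv(0x30, b"".join(items))

def integer(n):                 # INTEGER, minimal two's complement, n >= 0
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid(dotted):                # OBJECT IDENTIFIER with base-128 sub-identifiers
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(enc)
    return tlv(0x06, bytes(body))

def name(**rdns):               # Name ::= SEQUENCE OF SET OF { type OID, value PrintableString }
    by_name = {v: k for k, v in OID_NAMES.items()}
    return seq(*(tlv(0x31, seq(oid(by_name[k]), tlv(0x13, v.encode())))
                 for k, v in rdns.items()))

def utctime(s):                 # UTCTime such as "070401213513Z" (YYMMDDhhmmssZ)
    return tlv(0x17, s.encode())

def bit_string(data):           # BIT STRING with zero unused bits
    return tlv(0x03, b"\x00" + data)

def build_certificate():
    version = tlv(0xA0, integer(2))                       # [0] EXPLICIT; v3 is encoded as 2
    serial = integer(1185572113)                          # 0x46aa6511, as in the dump above
    sig_alg = seq(oid("1.2.840.10040.4.3"))               # dsaWithSHA1, no parameters
    subject = issuer = name(C="CA", ST="Herong State", L="Herong City")
    validity = seq(utctime("070401213513Z"), utctime("070630213513Z"))
    dss_parms = seq(integer(23), integer(11), integer(4)) # constructed toy p, q, g
    spki = seq(seq(oid("1.2.840.10040.4.1"), dss_parms), bit_string(integer(8)))
    tbs = seq(version, serial, sig_alg, issuer, validity, subject, spki)
    signature = bit_string(b"\x30\x2c" + b"\x00" * 44)    # placeholder, not a real signature
    return seq(tbs, sig_alg, signature)

# --- minimal DER walker --------------------------------------------------------
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):             # split a constructed value into its (tag, value) items
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def decode_name(body):
    parts = []
    for _tag, rdn in children(body):
        atv = children(children(rdn)[0][1])               # SET -> SEQUENCE -> [OID, value]
        parts.append(f"{decode_oid(atv[0][1])}={atv[1][1].decode()}")
    return ", ".join(parts)

def describe(cert_der):
    """Return the fields openssl prints under Data: plus the outer signature algorithm."""
    (_, tbs), (_, sig_alg), (_, sig) = children(children(cert_der)[0][1])
    fields = children(tbs)
    assert fields[0][0] == 0xA0, "expected [0] EXPLICIT version"
    serial, tbs_sig, issuer, validity, subject, spki = [f[1] for f in fields[1:7]]
    return {
        "version": int.from_bytes(children(fields[0][1])[0][1], "big") + 1,
        "serial": int.from_bytes(serial, "big"),
        "signature_algorithm": decode_oid(children(tbs_sig)[0][1]),
        "issuer": decode_name(issuer),
        "not_before": children(validity)[0][1].decode(),
        "not_after": children(validity)[1][1].decode(),
        "subject": decode_name(subject),
        "public_key_algorithm": decode_oid(children(children(spki)[0][1])[0][1]),
        "outer_signature_algorithm": decode_oid(children(sig_alg)[0][1]),
        "signature_bytes": len(sig) - 1,                  # drop the unused-bits octet
    }

if __name__ == "__main__":
    for k, v in describe(build_certificate()).items():
        print(f"{k}: {v}")
```

Note that the signature algorithm appears twice, once inside tbsCertificate and once outside it; a verifier should check that the two agree, since only the inner copy is covered by the signature.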