X.509 Certificate Standard

Cryptography Tutorials - Herong's Tutorial Examples

∟Certificate X.509 Standard and DER/PEM Formats

∟X.509 Certificate Standard

This section describes the X.509 certificate standard - An international standard that defines what should be included in a digital certificate.

X.509 is an international standard for what should be included in a digital certificate. Here is the definition from webpedia.com:

A widely used standard for defining digital certificates. X.509 (Version 1) was first issued in 1988 as a part of the ITU X.500 Directory Services standard. When X.509 was revised in 1993, two more fields were added resulting in the Version 2 format. These two additional fields support directory access control. X.509 Version 3 defines the format for certificate extensions used to store additional information regarding the certificate holder and to define certificate usage. Collectively, the term X.509 refers to the latest published version, unless the version number is stated.

X.509 is published as ITU recommendation ITU-T X.509 (formerly CCITT X.509) and ISO/IEC/ITU 9594-8 which defines a standard certificate format for public key certificates and certification validation. With minor differences in dates and titles, these publications provide identical text in the defining of public-key and attribute certificates.

My understanding of X.509 is that a certificate is required to have the following information:

Version - X.509 standard version number.
Serial Number - A sequence number given to each certificate.
Signature Algorithm Identifier - Name of the algorithm used to sign this certificate by the issuer
Issuer Name - Name of the issuer.
Validity Period - Period during which this certificate is valid.
Subject Name - Name of the owner of the public key.
Subject Public Key Information - The public key and its related information.

The content structure of a Version 3 X.509 certificate should look like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1185572113 (0x46aa6511)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=CA, ST=Herong State, L=Herong City, ... 
        Validity
            Not Before: Apr 1 21:35:13 2007 GMT
            Not After : Jun 30 21:35:13 2007 GMT
        Subject: C=CA, ST=Herong State, L=Herong City, ... 
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub:
                    00:b0:61:2b:c1:88:0e:19:66:58:37:b5:...
                    ...
                P:
                    00:fd:7f:53:81:1d:75:12:29:52:df:4a:...
                    ...
                Q:
                    00:97:60:50:8f:15:23:0b:cc:b2:92:b9:...
                    ...
                G:
                    00:f7:e1:a0:85:d6:9b:3d:de:cb:bc:ab:...
                    ...
   Signature Algorithm: dsaWithSHA1
       30:2c:02:14:6c:21:f3:43:b5:4f:d5:3d:2e:23:89:45:0...
       ...