X.509 Public Key Certificates
Public key cryptography relies on a public and private key pair to encrypt and decrypt content. The keys are mathematically related, and content encrypted by using one of the keys can only be decrypted by using the other. The private key is kept secret. The public key is typically embedded in a binary certificate, and the certificate is published to a database that can be reached by all authorized users.
The X.509 public key infrastructure (PKI) standard identifies the requirements for robust public key certificates. A certificate is a signed data structure that binds a public key to a person, computer, or organization. Certificates are issued by certification authorities (CAs). All who are party to secure communications that make use of a public key rely on the CA to adequately verify the identities of the individuals, systems, or entities to which it issues certificates. The level of verification typically depends on the level of security required for the transaction. If the CA can suitably verify the identity of the requester, it signs (encrypts), encodes, and issues the certificate.
A certificate is a signed data structure that binds a public key to an entity. The Abstract Syntax Notation One (ASN.1) syntax for the version 3 X.509 certificate is shown in the following example.
-- X.509 signed certificate
SignedContent ::= SEQUENCE
{
certificate CertificateToBeSigned,
algorithm Object Identifier,
signature BITSTRING
}
-- X.509 certificate to be signed
CertificateToBeSigned ::= SEQUENCE
{
version [0] CertificateVersion DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name
validity Validity,
subject Name
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL,
extensions [3] Extensions OPTIONAL
}
Since its inception in 1998, three versions of the X.509 public key certificate standard have evolved. As shown by the following illustration, each successive version of the data structure has retained the fields that existed in the previous versions and added more.
The following topics discuss the available fields in more detail:
Related topics