What is an x.509 Digital Certificate Structure
March 7, 2010|
X.509 certificates have the following fields. |
|
| Version | x.509 version: 0=v1, 1=v2, 2=v3 |
| serialNumber | Controlled by CA, assigned to each cert |
| signature algorithm | OID of the algorithm used for digital signature |
| issuer name | Ex “sha1WithRSAEncryption” or “dsa-with-sha1” |
| validity period | x.500 Distinguished Name (DN) of the CA |
| subject name | Expiration date |
| subjectPublicKeyInfo | DN of subject for whom certificate was issued |
| Algorigthm ID and subject public key. | |
| 1.2.840.113549.1.1.1 (rsaEncryption), | |
| 1.2.840.10040.4.1 (dsa), or | |
| 1.2.840.10045.2.1 (ecdsa) are acceptable | |
| issuer unique id | Unique ID of each CA (version 2 and 3 only) |
| subject unique id | Unique ID for whom the certificate was issued (version 2 and 3 only) |
| extensions | See below (version 3 only) |
| digital signature of above | The digital signature of all the above info signed by CA. |
| Optionally: | |
| X.509 v3 certificates have certificate extensions to provide additional information | |
| authorityKeyIdentifier | Identifies the public key used to verify signature |
| subjectKeyIdentifier | Identifies the public key being certified |
| keyUsage | Indicates purposes for key usage. |
| Ex “digitalSignature”, “nonRepudiation”, “encipherOnly” | |
| extKeyUsage | Indicates additional key usage |
| Ex “id-kp-clientAuth”, “id-kp-emailProtection” | |
| privateKeyUsagePeriod | Period of use of private key corresponding to public key |
| certificatePolicies | Policies that certificate expressly supports. |
| policyMappings | In CA certificates only |
| privateVersInfo | Indicates the version of CA software and flags if user key update is allowed. |
| subjectAltName | Provides one or more names that are bound to the public key |
| issuerAltName | In form other than DN of the cert issuer |
| subjectDirecotryAttr | Convey any desired attributes. |
| basicConstraints | Subject may act as a CA, and what the path length may be. |
| nameConstraints | Cross-certificates only. |
| PolicyConstraints | Identify constraints with require explicit policy ident. |
| cRLDistributionPoints | Where to find CRL to ascertain if cert has been revoked. |
| authorityInfoAccess | How to access CA info and services. |
The initial version of X.509 was published in 1988, version 2 was published in 1993, and version 3 was proposed in 1994 and considered for approval in 1995. Version 3 addresses some of the security concerns and limited flexibility that were issues in versions 1 and 2