Cryptography Tutorials - Herong's Tutorial Examples - Version 5.21, by Dr. Herong Yang

X.509 Certificate Standard

This section describes the X.509 certificate standard - An international standard that defines what should be included in a digital certificate.

X.509 is an international standard for what should be included in a digital certificate. Here is the definition from webpedia.com:

A widely used standard for defining digital certificates. X.509 (Version 1) was first issued in 1988 as a part of the ITU X.500 Directory Services standard. When X.509 was revised in 1993, two more fields were added resulting in the Version 2 format. These two additional fields support directory access control. X.509 Version 3 defines the format for certificate extensions used to store additional information regarding the certificate holder and to define certificate usage. Collectively, the term X.509 refers to the latest published version, unless the version number is stated.

X.509 is published as ITU recommendation ITU-T X.509 (formerly CCITT X.509) and ISO/IEC/ITU 9594-8 which defines a standard certificate format for public key certificates and certification validation. With minor differences in dates and titles, these publications provide identical text in the defining of public-key and attribute certificates.

My understanding of X.509 is that a certificate is required to have the following information:

  • Version - X.509 standard version number.
  • Serial Number - A sequence number given to each certificate.
  • Signature Algorithm Identifier - Name of the algorithm used to sign this certificate by the issuer
  • Issuer Name - Name of the issuer.
  • Validity Period - Period during which this certificate is valid.
  • Subject Name - Name of the owner of the public key.
  • Subject Public Key Information - The public key and its related information.

The content structure of a Version 3 X.509 certificate should look like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1185572113 (0x46aa6511)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=CA, ST=Herong State, L=Herong City, ... 
        Validity
            Not Before: Apr 1 21:35:13 2007 GMT
            Not After : Jun 30 21:35:13 2007 GMT
        Subject: C=CA, ST=Herong State, L=Herong City, ... 
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub:
                    00:b0:61:2b:c1:88:0e:19:66:58:37:b5:...
                    ...
                P:
                    00:fd:7f:53:81:1d:75:12:29:52:df:4a:...
                    ...
                Q:
                    00:97:60:50:8f:15:23:0b:cc:b2:92:b9:...
                    ...
                G:
                    00:f7:e1:a0:85:d6:9b:3d:de:cb:bc:ab:...
                    ...
   Signature Algorithm: dsaWithSHA1
       30:2c:02:14:6c:21:f3:43:b5:4f:d5:3d:2e:23:89:45:0...
       ...

X.509 defines how a certificate contents should be written. But it does not define how certificate contents should be encoded to store in files.

Two commonly used encoding schemas are used to store X.509 certificates in files, DER and PEM, as described in next sections.

Last update: 2013.

Table of Contents

 About This Book

 Cryptography Terminology

 Cryptography Basic Concepts

 Introduction to DES Algorithm

 DES Algorithm - Illustrated with Java Programs

 DES Algorithm Java Implementation

 DES Algorithm - Java Implementation in JDK JCE

 DES Encryption Operation Modes

 DES in Stream Cipher Modes

 PHP Implementation of DES - mcrypt

 Blowfish - 8-Byte Block Cipher

 Secret Key Generation and Management

 Cipher - Secret Key Encryption and Decryption

 Introduction of RSA Algorithm

 RSA Implementation using java.math.BigInteger Class

 Introduction of DSA (Digital Signature Algorithm)

 Java Default Implementation of DSA

 Private key and Public Key Pair Generation

 PKCS#8/X.509 Private/Public Encoding Standards

 Cipher - Public Key Encryption and Decryption

 MD5 Mesasge Digest Algorithm

 SHA1 Mesasge Digest Algorithm

 OpenSSL Introduction and Installation

 OpenSSL Generating and Managing RSA Keys

 OpenSSL Managing Certificates

 OpenSSL Generating and Signing CSR

 OpenSSL Validating Certificate Path

 "keytool" and "keystore" from JDK

 "OpenSSL" Signing CSR Generated by "keytool"

 Migrating Keys from "keystore" to "OpenSSL" Key Files

Certificate X.509 Standard and DER/PEM Formats

X.509 Certificate Standard

 What Is DER (Distinguished Encoding Rules) Encoding?

 What Is PEM (Privacy Enhanced Mail) Encoding?

 Certificate in PEM Format

 "keytool" Exporting Certificates in DER and PEM

 "OpenSSL" Viewing Certificates in DER and PEM

 "OpenSSL" Generating Certificates in DER and PEM

 "keytool" Viewing Certificates in DER and PEM

 "keytool" Importing Certificates in DER and PEM

 Migrating Keys from "OpenSSL" Key Files to "keystore"

 Using Certificates in IE (Internet Explorer)

 Using Certificates in Firefox

 Using Certificates in Google Chrome

 Outdated Tutorials

 References

 Printable Copy - PDF Version

X.509 Certificate Standard - Updated in 2014, by Dr. Herong Yang