PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
Certificate Data Fields and X.509 Standard
This section describes the structure and data fields of PKI certificates, which are specified in RFC 5280 based on the X.509 standard.
Before looking at examples of different certificate types, let's review the general data fields inside PKI certificates, which are specified in RFC 5280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" at datatracker.ietf.org/doc/html/rfc5280.
Note that the RFC 5280 specification is based on the X.509 v3 standard - "Recommendation ITU-T X.509: Public-key and attribute certificate frameworks" at https://www.itu.int/rec/T-REC-X.509-201910-I/en. This is why PKI certificates are also called X.509 certificates.
According to the X.509 v3 standard, data fields in a PKI certificate should be organized into the following structure:
1. Certificate
   Version Number
   Serial Number
   Signature Algorithm ID
   Issuer Name
   Validity Period
      Not Before
      Not After
   Subject Name
   Subject Public Key Info
      Public Key Algorithm
      Subject Public Key
   Issuer Unique Identifier (optional)
   Subject Unique Identifier (optional)
   Extensions (optional)
      ...
2. Certificate Signature Algorithm
3. Certificate Signature
Here is my understanding of each data field specified in the X.509 standard:
1. Certificate, also called TBS (To Be Signed) Certificate - A container holding data fields to be digitally signed by the issuer.
1.1. Version Number - 0, 1, or 2, representing version 1, 2, or 3 of the X.509 standard. Today, most PKI applications accept only version 3 certificates.
1.2. Serial Number - An integer assigned by the issuer to uniquely identify this certificate.
1.3. Signature Algorithm ID - A text string to uniquely identify the signature algorithm and its parameters used by the issuer to sign this certificate. For example: "sha256WithRSAEncryption".
1.4. Issuer Name, also called Issuer DN (Distinguished Name) - A list of named attributes that identifies the entity who signed this certificate. For example: "C=US, O=Internet Security Research Group, CN=ISRG Root X1". Here are some commonly used attribute names:
CN - Common Name
O - Organization
OU - Organizational Unit
L - Locality
S - State
C - Country
1.5. Validity Period - Contains 2 timestamps, Not Before and Not After, that define the period of time during which this certificate is valid.
1.6. Subject Name, also called Subject DN (Distinguished Name) - A list of named attributes that identifies the entity who owns this certificate. For example: "C=US, ST=California, L=San Jose, O=PayPal, Inc., CN=www.paypal.com".
1.7. Subject Public Key Info - Contains 2 data fields, Public Key Algorithm and Subject Public Key, that specify the public key and its algorithm associated with the subject. For example:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
    Modulus (2048 bit):
        00:dc:8f:8d:ad:df:5e:33:f8:de:de:9a:2d:72:c1:
        df:21:ce:4c:71:c8:3a:10:07:63:a9:89:0f:c4:af:
        97:5d:85:9c:ba:ba:18:e1:7e:2f:45:5a:30:d0:e6:
        ...
    Exponent: 65537 (0x10001)
1.8. Issuer Unique Identifier (optional) - A binary string that can be used to uniquely identify the issuer of this certificate, in the event the Issuer Name is not unique.
1.9. Subject Unique Identifier (optional) - A binary string that can be used to uniquely identify the subject of this certificate, in the event the Subject Name is not unique.
1.10. Extensions, also called X.509 v3 Extensions, (optional) - A container holding data fields specified in X.509 standard to provide additional information on the subject or the issuer of this certificate. Here are some commonly used extension fields:
2. Certificate Signature Algorithm - A text string to uniquely identify the signature algorithm and its parameters used by the issuer to sign this certificate. It provides the same value as the Signature Algorithm ID field in the TBS Certificate container.
3. Certificate Signature - A binary string representing the actual digital signature of this certificate.
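As an added example (not part of the original tutorial), the following Python code walks a DER-encoded certificate, splits it into the three parts described above, reads the version and serial number, and checks that the Signature Algorithm ID inside the TBS Certificate equals the outer Certificate Signature Algorithm, which RFC 5280 requires. All function names are assumptions made for this illustration, and the sample certificate is constructed: it has the right shape but carries empty names and a dummy signature.

```python
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption, NULL params
SHA1_RSA = bytes.fromhex("300d06092a864886f70d0101050500")    # sha1WithRSAEncryption, NULL params

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value, raw_bytes) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, nxt = read_tlv(value, pos)
        yield tag, val, value[pos:nxt]
        pos = nxt

def split_certificate(der):
    """Return the fields a verifier looks at before checking the signature."""
    tag, body, end = read_tlv(der)
    parts = list(children(body))
    if tag != 0x30 or end != len(der) or len(parts) != 3:
        raise ValueError("not a 3-part Certificate SEQUENCE")
    tbs, outer_alg, sig = parts
    fields = list(children(tbs[1]))
    version = 0                               # [0] EXPLICIT version is absent in v1 certificates
    if fields[0][0] == 0xA0:
        version = int.from_bytes(next(children(fields.pop(0)[1]))[1], "big")
    serial, inner_alg = fields[0], fields[1]
    return {"version": version + 1,           # encoded 0, 1, 2 means v1, v2, v3
            "serial": int.from_bytes(serial[1], "big", signed=True),
            "alg_match": inner_alg[2] == outer_alg[2],  # item 1.3 must equal item 2
            "tbs_der": tbs[2],                # exact bytes covered by the signature
            "signature": sig[1][1:]}          # BIT STRING minus its unused-bits byte

def tlv(tag, value):  # tiny DER encoder, used only to build the constructed sample
    n = len(value)
    nbytes = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + size + value

def sample_cert(inner_alg, outer_alg):
    """Constructed, unsigned sample: v3, serial 0x1001, empty names, dummy signature."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x10\x01") + inner_alg
              + tlv(0x30, b"") * 4)
    return tlv(0x30, tbs + outer_alg + tlv(0x03, b"\x00" + b"\xAB" * 256))
```

A validator should treat `alg_match` being false as a malformed certificate and reject it before attempting signature verification over `tbs_der`.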