Certificate Data Fields and X.509 Standard

This section describes the structure and data fields of PKI certificates, which are specified in RFC 5280 based on the X.509 standard.

Before looking at examples of different certificate types, let's review the general data fields inside PKI certificates, which are specified in RFC 5280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" at datatracker.ietf.org/doc/html/rfc5280.

Note that the RFC 5280 specification is based on the X.509 v3 standard - "Recommendation ITU-T X.509: Public-key and attribute certificate frameworks" at https://www.itu.int/rec/T-REC-X.509-201910-I/en. This is why PKI certificates are also called X.509 certificates.

According to the X.509 v3 standard, data fields in a PKI certificate should be organized into the following structure:

1. Certificate
    Version Number
    Serial Number
    Signature Algorithm ID
    Issuer Name
    Validity Period
        Not Before
        Not After
    Subject Name
    Subject Public Key Info
        Public Key Algorithm
        Subject Public Key
    Issuer Unique Identifier (optional)
    Subject Unique Identifier (optional)
    Extensions (optional)
        ...
2. Certificate Signature Algorithm
3. Certificate Signature

Here is my understanding of each data field specified in the X.509 standard:

1. Certificate, also called TBS (To Be Signed) Certificate - A container holding data fields to be digitally signed by the issuer.

1.1. Version Number - 0, 1, or 2, representing the version number 1, 2, or 3 of the X.509 standard. Today, most PKI applications accept only version 3 certificates.

1.2. Serial Number - An integer assigned by the issuer to uniquely identify this certificate.

1.3. Signature Algorithm ID - A text string to uniquely identify the signature algorithm and its parameters used by the issuer to sign this certificate. For example: "sha256WithRSAEncryption".

1.4. Issuer Name, also called Issuer DN (Distinguished Name) - A list of named attributes that identifies the entity who signed this certificate. For example: "C=US, O=Internet Security Research Group, CN=ISRG Root X1". Here are some commonly used attribute names:

CN - Common Name
O - Organization
OU - Organizational Unit
L - Locality
S - State
C - Country

1.5. Validity Period - Contains 2 timestamps, Not Before and Not After, that define a period of time during which this certificate is valid.

1.6. Subject Name, also called Subject DN (Distinguished Name) - A list of named attributes that identifies the entity who owns this certificate. For example: "C=US, ST=California, L=San Jose, O=PayPal, Inc., CN=www.paypal.com".

1.7. Subject Public Key Info - Contains 2 data fields, Public Key Algorithm and Subject Public Key, that specify the public key and its algorithm associated with the subject. For example:

Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
        Modulus (2048 bit):
            00:dc:8f:8d:ad:df:5e:33:f8:de:de:9a:2d:72:c1:
            df:21:ce:4c:71:c8:3a:10:07:63:a9:89:0f:c4:af:
            97:5d:85:9c:ba:ba:18:e1:7e:2f:45:5a:30:d0:e6:
            ...
        Exponent: 65537 (0x10001)

1.8. Issuer Unique Identifier (optional) - A binary string that can be used to uniquely identify the issuer of this certificate, in the event the Issuer Name is not unique.

1.9. Subject Unique Identifier (optional) - A binary string that can be used to uniquely identify the subject of this certificate, in the event the Subject Name is not unique.

1.10. Extensions, also called X.509 v3 Extensions, (optional) - A container holding data fields specified in the X.509 standard to provide additional information on the subject or the issuer of this certificate. Here are some commonly used extension fields:

2. Certificate Signature Algorithm - A text string to uniquely identify the signature algorithm and its parameters used by the issuer to sign this certificate. It provides the same value as the Signature Algorithm ID field in the TBS Certificate container.

3. Certificate Signature - A binary string that represents the actual digital signature of this certificate.
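
The three-part layout above (TBS Certificate, Certificate Signature Algorithm, Certificate Signature) can be walked directly in the DER encoding. The following is an added example, not code from this book: it reads the Version Number and Serial Number and checks that the Signature Algorithm ID inside the TBS Certificate is byte-for-byte identical to the outer Certificate Signature Algorithm, which RFC 5280 requires. The function names and the two sample byte strings are illustrative assumptions; the samples are constructed skeletons, not real certificates.

```python
# Added example, not the book's code. Helper names and sample bytes are illustrative.
def read_tlv(buf, pos=0):                   # -> (tag, value, next_pos) of one DER element
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # content of a SEQUENCE -> [(tag, value, raw)]
    out, pos = [], 0
    while pos < len(value):
        tag, val, nxt = read_tlv(value, pos)
        out.append((tag, val, value[pos:nxt]))
        pos = nxt
    return out

def summarize(cert_der):
    tag, body, end = read_tlv(cert_der)
    parts = children(body)
    if tag != 0x30 or end != len(cert_der) or len(parts) != 3:
        raise ValueError("expected SEQUENCE { tbsCertificate, algorithm, signature }")
    tbs, outer_alg, _signature = parts
    fields = children(tbs[1])
    version = 0                             # field omitted means value 0 (X.509 v1)
    if fields and fields[0][0] == 0xA0:     # Version Number sits inside context tag [0]
        version, fields = int.from_bytes(read_tlv(fields[0][1])[1], "big"), fields[1:]
    if len(fields) < 2:
        raise ValueError("TBS Certificate too short")
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    # Compare raw encodings so that the OID and its parameters must both agree.
    return {"version": version + 1, "serial": serial, "alg_match": fields[1][2] == outer_alg[2]}

def der(tag, *parts):                       # short-form-only encoder (content under 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed skeletons (empty names and key, dummy signature), not real certificates.
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))
SHA1_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")), der(0x05))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x10\x01"), SHA256_RSA,
          *[der(0x30)] * 4)                 # issuer, validity, subject, key info left empty
SIG = der(0x03, b"\x00" + b"\xaa" * 4)
GOOD, BAD = der(0x30, TBS, SHA256_RSA, SIG), der(0x30, TBS, SHA1_RSA, SIG)
```

`summarize(GOOD)` reports version 3, serial 4097 and matching algorithms, while `summarize(BAD)` reports a mismatch, which a validator should treat as a malformed certificate.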
