===Structure of a certificate===
The structure foreseen by the standards is expressed in a formal language, [[Abstract Syntax Notation One]] (ASN.1).

The structure of an X.509 v3 [[digital certificate]] is as follows:
* Certificate
** Version Number
** Serial Number
** Signature Algorithm ID
** Issuer Name
** Validity period
*** Not Before
*** Not After
** Subject name
** Subject Public Key Info
*** Public Key Algorithm
*** Subject Public Key
** Issuer Unique Identifier (optional)
** Subject Unique Identifier (optional)
** Extensions (optional)
*** ...
* Certificate Signature Algorithm
* Certificate Signature

The Extensions field, if present, is a sequence of one or more certificate extensions.{{Ref RFC|5280|rsection=4.1.2.9: Extensions}} Each extension has its own unique ID, expressed as an [[object_identifier|object identifier (OID)]], which is a set of values, together with either a critical or non-critical indication. A certificate-using system must reject the certificate if it encounters a critical extension that it does not recognize, or a critical extension that contains information that it cannot process. A non-critical extension may be ignored if it is not recognized, but must be processed if it is recognized.{{Ref RFC|5280|rsection=4.2: Certificate Extensions}}

The structure of version 1 is given in {{IETF RFC|1422}}.

The inner format of issuer and subject unique identifiers is specified in the [https://www.itu.int/rec/T-REC-X.520 ''X.520 The Directory: Selected attribute types''] recommendation. ITU-T introduced issuer and subject unique identifiers in version 2 to permit the reuse of an issuer or subject name after some time. An example of reuse would be when a [[certificate authority|CA]] goes bankrupt and its name is deleted from the country's public list. After some time another CA with the same name may register itself, even though it is unrelated to the first one. However, the [[IETF]] recommends that no issuer and subject names be reused. Therefore, version 2 is not widely deployed on the Internet.{{citation needed|date=January 2012}}

Extensions were introduced in version 3. A CA can use extensions to issue a certificate only for a specific purpose (e.g. only for [[code signing|signing digital objects]]). In all versions, the serial number must be unique for each certificate issued by a specific CA (as mentioned in {{IETF RFC|5280}}).
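The following is an added worked example, not part of the article: a minimal DER encoder and decoder (standard library only) that assembles a certificate skeleton in the v3 layout listed above, then walks it back to read the version and the Extensions field and applies the RFC 5280 rule that an unrecognized critical extension rejects the certificate while an unrecognized non-critical one is ignored. The sample certificate is constructed here with a placeholder key and placeholder signature bytes (nothing is signed or verified), the names and serial number are made up, and the unrecognized extension uses the 2.999 arc that ITU-T reserves for examples; the basicConstraints, keyUsage, commonName and RSA OIDs are the real registered values.

```python
"""Constructed X.509 v3 skeleton, DER-encoded and parsed with the standard
library only. Signature and key bytes are placeholders; no cryptography."""

# ASN.1 universal tags used by the skeleton, plus the two EXPLICIT wrappers
BOOLEAN, INTEGER, BIT_STRING, OCTET_STRING, OID = 0x01, 0x02, 0x03, 0x04, 0x06
UTF8STRING, UTCTIME, SEQUENCE, SET = 0x0C, 0x17, 0x30, 0x31
CONTEXT_0, CONTEXT_3 = 0xA0, 0xA3   # [0] version, [3] extensions

def tlv(tag, content):
    """Encode one DER tag-length-value (short and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def encode_oid(dotted):
    """Dotted OID -> OID TLV: first two arcs merge as 40*a+b, all base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def decode_oid(content):
    """OID content bytes -> dotted string (inverse of encode_oid)."""
    values, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(value)
            value = 0
    first = values[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, head + values[1:]))

def name(common_name):
    """X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue (commonName only)."""
    atv = tlv(SEQUENCE, encode_oid("2.5.4.3") + tlv(UTF8STRING, common_name.encode()))
    return tlv(SEQUENCE, tlv(SET, atv))

def extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    crit = tlv(BOOLEAN, b"\xff") if critical else b""   # DER omits a FALSE default
    return tlv(SEQUENCE, encode_oid(oid) + crit + tlv(OCTET_STRING, value))

def build_certificate(extensions):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    sig_alg = tlv(SEQUENCE, encode_oid("1.2.840.113549.1.1.11"))  # sha256WithRSA
    tbs = tlv(SEQUENCE, b"".join([
        tlv(CONTEXT_0, tlv(INTEGER, b"\x02")),                   # version: v3 is stored as 2
        tlv(INTEGER, b"\x10\x01"),                                # serial number (made up)
        sig_alg,                                                  # signature algorithm ID
        name("Example CA"),                                       # issuer name (made up)
        tlv(SEQUENCE, tlv(UTCTIME, b"240101000000Z")
                      + tlv(UTCTIME, b"250101000000Z")),          # validity: not before/after
        name("example.test"),                                     # subject name (made up)
        tlv(SEQUENCE, tlv(SEQUENCE, encode_oid("1.2.840.113549.1.1.1"))   # rsaEncryption
                      + tlv(BIT_STRING, b"\x00" * 9)),            # PLACEHOLDER public key
        tlv(CONTEXT_3, tlv(SEQUENCE, b"".join(extensions))),      # extensions
    ]))
    return tlv(SEQUENCE, tbs + sig_alg + tlv(BIT_STRING, b"\x00" * 17))  # PLACEHOLDER sig

def parse_tlv(data, pos=0):
    """Decode one TLV at pos; return (tag, content, next_pos)."""
    tag, n = data[pos], data[pos + 1]
    pos += 2
    if n & 0x80:
        size = n & 0x7F
        n = int.from_bytes(data[pos:pos + size], "big")
        pos += size
    return tag, data[pos:pos + n], pos + n

def parse_sequence(content):
    """Split a constructed value into its (tag, content) children."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        items.append((tag, body))
    return items

def tbs_fields(cert_der):
    """Certificate -> tbsCertificate children, in the order listed in the article."""
    return parse_sequence(parse_sequence(parse_tlv(cert_der)[1])[0][1])

def certificate_version(cert_der):
    """[0] EXPLICIT INTEGER, value + 1; an absent field means version 1."""
    first_tag, first_body = tbs_fields(cert_der)[0]
    return int.from_bytes(parse_sequence(first_body)[0][1], "big") + 1 if first_tag == CONTEXT_0 else 1

def parse_extensions(cert_der):
    """Return [(oid, critical)] from the [3] Extensions field, or [] if absent."""
    block = next((body for tag, body in tbs_fields(cert_der) if tag == CONTEXT_3), None)
    result = []
    for _, ext in parse_sequence(parse_sequence(block)[0][1]) if block else []:
        fields = parse_sequence(ext)
        critical = fields[1][0] == BOOLEAN and fields[1][1] == b"\xff"
        result.append((decode_oid(fields[0][1]), critical))
    return result

def accept_certificate(cert_der, recognized_oids):
    """RFC 5280 4.2: reject on any unrecognized critical extension."""
    unknown = [oid for oid, crit in parse_extensions(cert_der) if crit and oid not in recognized_oids]
    return (not unknown, unknown)

BASIC_CONSTRAINTS, KEY_USAGE = "2.5.29.19", "2.5.29.15"   # registered RFC 5280 OIDs
EXAMPLE_EXT = "2.999.1"                                   # ITU-T example arc, not a real extension
RECOGNIZED = {BASIC_CONSTRAINTS, KEY_USAGE}
CERT_OK = build_certificate([
    extension(BASIC_CONSTRAINTS, True, tlv(SEQUENCE, b"")),        # cA=FALSE (default omitted)
    extension(EXAMPLE_EXT, False, tlv(OCTET_STRING, b"x")),        # unknown but non-critical
])
CERT_BAD = build_certificate([
    extension(KEY_USAGE, True, tlv(BIT_STRING, b"\x07\x80")),      # digitalSignature only
    extension(EXAMPLE_EXT, True, tlv(OCTET_STRING, b"x")),         # unknown AND critical
])

if __name__ == "__main__":
    for label, cert in (("ok", CERT_OK), ("bad", CERT_BAD)):
        print(label, "v%d" % certificate_version(cert), parse_extensions(cert),
              accept_certificate(cert, RECOGNIZED))
```

Running the block prints that both certificates are v3, that CERT_OK is accepted because its only unrecognized extension is non-critical, and that CERT_BAD is rejected with the unrecognized critical OID listed. The tbsCertificate here is longer than 127 bytes, so the long-form length encoding is exercised on the path a real certificate takes.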