X.509

From NovaOrdis Knowledge Base

External

Internal

Overview

X.509 is an ITU-T standard for public key infrastructure (PKI).

X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

X.509 is a common certificate format that can be managed with the JDK's keytool.

Certificate Structure

More details are in the "Examining Certificates" section of the OpenSSL Cookbook.

This is a self-signed certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b9:f4:0a:47:fa:79:78:29
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Validity
            Not Before: Apr  8 08:49:35 2018 GMT
            Not After : Apr  8 08:49:35 2019 GMT
        Subject: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:ab:8f:f6:2f:f1:4b:63:c6:ed:ea:8f:25:30:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
            X509v3 Authority Key Identifier:
                keyid:B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3d:8f:9f:3b:8a:9a:39:36:d2:13:cb:85:de:d0:92:6e:36:1f:
         [...]

Issuer

Validity - Not Before

Validity - Not After

Subject

X509 extensions

X509 Basic Constraints

CA

This field marks whether or not the certificate belongs to a CA. A certificate that belongs to a CA gives its holder the ability to sign other certificates. Non-CA certificates either omit this extension or carry a "CA" value of FALSE.

X509 Subject Key Identifier

Establishes a unique identifier for the public key of the certificate's subject.

X509 Authority Key Identifier

Establishes a unique identifier for the public key of the authority that signed the certificate.

X509 Subject Alternative Name

Used when a certificate is valid for multiple hostnames.
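As an added example (not from this page or from Nova Ordis), the Go code below uses the standard library's crypto/x509 to build a self-signed CA certificate shaped like the dump above, then parses it back and reads out the fields these sections describe: the CA flag from Basic Constraints (an absent extension or CA:FALSE counts as non-CA), whether the Subject Key Identifier and Authority Key Identifier coincide and the signature verifies under the certificate's own key, the validity window, and the Subject Alternative Name entries. The serial number and names are copied from the dump; the RSA key is freshly generated, so the key identifiers will differ from those shown.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Summary mirrors the sections above: names, validity window, CA flag, key identifiers, SAN.
type Summary struct {
	Subject, Issuer     string
	NotBefore, NotAfter time.Time
	IsCA, SelfSigned    bool     // Basic Constraints CA:TRUE; AKI == SKI and self-signature verifies
	DNSNames            []string // X509v3 Subject Alternative Name
}

// NewSelfSignedCA builds a constructed sample CA certificate (DER) modelled on the dump above;
// SKI and AKI are both SHA-1 of the subjectPublicKey (RFC 5280 4.2.1.2 method 1), so they match.
func NewSelfSignedCA(cn string, sans []string, notBefore time.Time) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ski := sha1.Sum(x509.MarshalPKCS1PublicKey(&key.PublicKey))
	serial, _ := new(big.Int).SetString("b9f40a47fa797829", 16) // serial number from the dump above
	tmpl := &x509.Certificate{
		SerialNumber: serial, NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0),
		Subject:      pkix.Name{Country: []string{"US"}, Locality: []string{"Menlo Park"}, Organization: []string{"Nova Ordis LLC"}, CommonName: cn},
		IsCA:         true, BasicConstraintsValid: true, // emits "X509v3 Basic Constraints: CA:TRUE"
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: ski[:], AuthorityKeyId: ski[:], DNSNames: sans,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template
}

// Summarize parses DER and checks CA status, key identifiers and the self-signature.
func Summarize(der []byte) (Summary, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return Summary{}, err
	}
	return Summary{Subject: c.Subject.String(), Issuer: c.Issuer.String(), DNSNames: c.DNSNames,
		NotBefore: c.NotBefore, NotAfter: c.NotAfter,
		IsCA:       c.BasicConstraintsValid && c.IsCA, // extension absent or CA:FALSE => not a CA
		SelfSigned: bytes.Equal(c.AuthorityKeyId, c.SubjectKeyId) && c.CheckSignatureFrom(c) == nil,
	}, nil
}
```

Feeding the DER output to openssl x509 -inform DER -text reproduces a dump with the same layout as the one above, which is a quick way to compare the two.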

Operations