X.509: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(12 intermediate revisions by the same user not shown)
Line 2: Line 2:


* http://en.wikipedia.org/wiki/X.509
* http://en.wikipedia.org/wiki/X.509
* Internet X.509 Public Key Infrastructure Certificate and CRL Profile https://www.ietf.org/rfc/rfc2459.txt


=Internal=
=Internal=
Line 16: Line 17:


=Certificate Structure=
=Certificate Structure=
<font color=darkgray>More details in section "Examining Certificates" of OpenSSL Cookbook.</font>
This is a [[Public_Key_Security#Self-Signed_Certificate|self-signed certificate]]:


  Certificate:
  Certificate:
Line 36: Line 41:
                 Exponent: 65537 (0x10001)
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
         X509v3 extensions:
             X509v3 Subject Key Identifier:
             [[#X509_Subject_Key_Identifier|X509v3 Subject Key Identifier]]:
                 B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
                 B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
             X509v3 Authority Key Identifier:
             [[#X509_Authority_Key_Identifier|X509v3 Authority Key Identifier]]:
                 keyid:B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
                 keyid:B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
   
   
Line 62: Line 67:


This field marks the certificate as belonging or not to a [[Public_Key_Security#Certificate_Authority_.28CA.29|CA]]. A certificate that belongs to a CA gives it the ability to sign other certificate. Non-CA certificates will have this section omitted, or will have a "CA" value of FALSE.
This field marks the certificate as belonging or not to a [[Public_Key_Security#Certificate_Authority_.28CA.29|CA]]. A certificate that belongs to a CA gives it the ability to sign other certificate. Non-CA certificates will have this section omitted, or will have a "CA" value of FALSE.
===X509 Subject Key Identifier===
Establishes unique subject key identifier.
===X509 Authority Key Identifier===
Establishes unique authority key identifier.
===X509 Subject Alternative Name===
Used in the case of a [[Public_Key_Security#Certificates_Valid_for_Multiple_Hostnames|certificate valid for multiple hostnames]].
=Operations=

Latest revision as of 01:30, 14 May 2022

External

Internal

Overview

X.509 is a ITU-T standard for a public key infrastructure (PKI).

X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

X.509 is a common certificate format that can be managed by JDK's keytool.

Certificate Structure

More details in section "Examining Certificates" of OpenSSL Cookbook.

This is a self-signed certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b9:f4:0a:47:fa:79:78:29
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Validity
            Not Before: Apr  8 08:49:35 2018 GMT
            Not After : Apr  8 08:49:35 2019 GMT
        Subject: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:ab:8f:f6:2f:f1:4b:63:c6:ed:ea:8f:25:30:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
            X509v3 Authority Key Identifier:
                keyid:B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3d:8f:9f:3b:8a:9a:39:36:d2:13:cb:85:de:d0:92:6e:36:1f:
         [...]

Issuer

Validity - Not Before

Validity - Not After

Subject

X509 extensions

X509 Basic Constraints

CA

This field marks the certificate as belonging or not to a CA. A certificate that belongs to a CA gives it the ability to sign other certificate. Non-CA certificates will have this section omitted, or will have a "CA" value of FALSE.

X509 Subject Key Identifier

Establishes unique subject key identifier.

X509 Authority Key Identifier

Establishes unique authority key identifier.

X509 Subject Alternative Name

Used in the case of a certificate valid for multiple hostnames.

Operations