X.509
Latest revision as of 01:30, 14 May 2022
External
- http://en.wikipedia.org/wiki/X.509
- Internet X.509 Public Key Infrastructure Certificate and CRL Profile https://www.ietf.org/rfc/rfc2459.txt
Internal
Overview
X.509 is an ITU-T standard for public key infrastructure (PKI).
X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
X.509 is a common certificate format that can be managed by JDK's keytool.
Certificate Structure
More details are in the "Examining Certificates" section of the OpenSSL Cookbook.
This is a self-signed certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: b9:f4:0a:47:fa:79:78:29
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Validity
            Not Before: Apr 8 08:49:35 2018 GMT
            Not After : Apr 8 08:49:35 2019 GMT
        Subject: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:ab:8f:f6:2f:f1:4b:63:c6:ed:ea:8f:25:30:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
            X509v3 Authority Key Identifier:
                keyid:B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3d:8f:9f:3b:8a:9a:39:36:d2:13:cb:85:de:d0:92:6e:36:1f:
         [...]
Issuer
Validity - Not Before
Validity - Not After
Subject
X509 extensions
X509 Basic Constraints
CA
This field marks whether or not the certificate belongs to a CA. A certificate that belongs to a CA can be used to sign other certificates. Non-CA certificates either omit this section or carry a "CA" value of FALSE.
X509 Subject Key Identifier
Establishes a unique identifier for the subject's key.
X509 Authority Key Identifier
Establishes a unique identifier for the issuing authority's key. In the self-signed certificate above it is the same value as the Subject Key Identifier.
X509 Subject Alternative Name
Used when a certificate is valid for multiple hostnames.
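As an added example (not code from the original page), here is a small parser for the `openssl x509 -text` layout shown above that pulls out the fields this page walks through (Issuer, Validity, Subject, Subject/Authority Key Identifier, Basic Constraints) and applies the page's reading of them: an issuer equal to the subject plus an AKI that points back at the SKI marks a self-signed certificate, CA:TRUE marks a CA certificate, and the validity window is checked against a chosen date. The function names and the abbreviated sample dump are constructed for this example.

```python
import re
from datetime import datetime, timezone
# Constructed sample, abbreviated from the dump on this page (openssl x509 -text layout).
SAMPLE = """\
        Issuer: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Validity
            Not Before: Apr  8 08:49:35 2018 GMT
            Not After : Apr  8 08:49:35 2019 GMT
        Subject: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
            X509v3 Authority Key Identifier:
                keyid:B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
            X509v3 Basic Constraints:
                CA:TRUE
"""

def _value(text, label, next_line=False):
    # Plain fields are "Label: value" (note the space in "Not After :");
    # X509v3 extension values are printed on the line below the extension name.
    sep = r":\s*\n\s*" if next_line else r"\s*:[ \t]*"
    m = re.search(r"^\s*" + re.escape(label) + sep + r"(\S.*?)\s*$", text, re.M)
    return m.group(1) if m else None

def _when(s):
    # "Apr  8 08:49:35 2018 GMT" -> aware UTC datetime (double space collapsed first)
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_cert_text(text):
    """Extract the fields this page walks through from `openssl x509 -text` output."""
    aki = _value(text, "X509v3 Authority Key Identifier", True) or ""
    return {
        "issuer": _value(text, "Issuer"),
        "subject": _value(text, "Subject"),
        "not_before": _when(_value(text, "Not Before")),
        "not_after": _when(_value(text, "Not After")),
        "ski": _value(text, "X509v3 Subject Key Identifier", True),
        "aki": aki.removeprefix("keyid:") or None,  # printed as "keyid:<hex>"
        # Basic Constraints omitted, or present with CA:FALSE, both mean "not a CA".
        "ca": _value(text, "X509v3 Basic Constraints", True) == "CA:TRUE",
    }

def audit(text, at_iso):
    """Classify the certificate as of an ISO 8601 date (treated as UTC)."""
    c = parse_cert_text(text)
    at = datetime.fromisoformat(at_iso).replace(tzinfo=timezone.utc)
    return {"self_signed": c["issuer"] == c["subject"] and c["aki"] == c["ski"],
            "ca": c["ca"], "valid_at": c["not_before"] <= at <= c["not_after"]}
```

Run `audit(SAMPLE, "2018-06-01")` to get `{'self_signed': True, 'ca': True, 'valid_at': True}`; the same dump audited on the page's revision date (2022-05-14) reports `valid_at` as False.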