X.509: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
(Created page with "=External= * http://en.wikipedia.org/wiki/X.509 =Overview= X.509 is a ITU-T standard for a ''public key infrastructure'' (PKI). X.509 specifies, amongst other things, sta...")
 
 
(27 intermediate revisions by the same user not shown)
Line 2: Line 2:


* http://en.wikipedia.org/wiki/X.509
* http://en.wikipedia.org/wiki/X.509
* Internet X.509 Public Key Infrastructure Certificate and CRL Profile https://www.ietf.org/rfc/rfc2459.txt
=Internal=
* [[Public_Key_Security#X.509|Public Key Security]]


=Overview=
=Overview=
Line 10: Line 15:


X.509 is a common certificate format that can be managed by JDK's [[keytool]].
X.509 is a common certificate format that can be managed by JDK's [[keytool]].
=Certificate Structure=
<font color=darkgray>More details in section "Examining Certificates" of OpenSSL Cookbook.</font>
This is a [[Public_Key_Security#Self-Signed_Certificate|self-signed certificate]]:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b9:f4:0a:47:fa:79:78:29
    Signature Algorithm: sha256WithRSAEncryption
        [[#Issuer|Issuer]]: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Validity
            [[#Validity_-_Not_Before|Not Before]]: Apr  8 08:49:35 2018 GMT
            [[#Validity_-_Not_After|Not After]] : Apr  8 08:49:35 2019 GMT
        [[#Subject|Subject]]: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:ab:8f:f6:2f:f1:4b:63:c6:ed:ea:8f:25:30:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            [[#X509_Subject_Key_Identifier|X509v3 Subject Key Identifier]]:
                B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
            [[#X509_Authority_Key_Identifier|X509v3 Authority Key Identifier]]:
                keyid:B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
            [[#X509_Basic_Constraints|X509v3 Basic Constraints]]:
                [[#CA|CA]]:TRUE
    Signature Algorithm: sha256WithRSAEncryption
          3d:8f:9f:3b:8a:9a:39:36:d2:13:cb:85:de:d0:92:6e:36:1f:
          [...]
==Issuer==
==Validity - Not Before==
==Validity - Not After==
==Subject==
==X509 extensions==
===X509 Basic Constraints===
====CA====
This field marks the certificate as belonging or not to a [[Public_Key_Security#Certificate_Authority_.28CA.29|CA]]. A certificate that belongs to a CA gives it the ability to sign other certificate. Non-CA certificates will have this section omitted, or will have a "CA" value of FALSE.
===X509 Subject Key Identifier===
Establishes unique subject key identifier.
===X509 Authority Key Identifier===
Establishes unique authority key identifier.
===X509 Subject Alternative Name===
Used in the case of a [[Public_Key_Security#Certificates_Valid_for_Multiple_Hostnames|certificate valid for multiple hostnames]].
=Operations=

Latest revision as of 01:30, 14 May 2022

External

Internal

Overview

X.509 is a ITU-T standard for a public key infrastructure (PKI).

X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

X.509 is a common certificate format that can be managed by JDK's keytool.

Certificate Structure

More details in section "Examining Certificates" of OpenSSL Cookbook.

This is a self-signed certificate: 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b9:f4:0a:47:fa:79:78:29
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Validity
            Not Before: Apr  8 08:49:35 2018 GMT
            Not After : Apr  8 08:49:35 2019 GMT
        Subject: C=US, L=Menlo Park, O=Nova Ordis LLC, CN=test.novaordis.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:ab:8f:f6:2f:f1:4b:63:c6:ed:ea:8f:25:30:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D
            X509v3 Authority Key Identifier:
                keyid:B2:DA:94:80:CE:E8:61:DA:CA:15:85:97:A8:D8:A1:E4:37:A7:5A:9D

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3d:8f:9f:3b:8a:9a:39:36:d2:13:cb:85:de:d0:92:6e:36:1f:
         [...]

Issuer

Validity - Not Before

Validity - Not After

Subject

X509 extensions

X509 Basic Constraints

CA

This field marks the certificate as belonging or not to a CA. A certificate that belongs to a CA gives it the ability to sign other certificate. Non-CA certificates will have this section omitted, or will have a "CA" value of FALSE.

X509 Subject Key Identifier

Establishes unique subject key identifier.

X509 Authority Key Identifier

Establishes unique authority key identifier.

X509 Subject Alternative Name

Used in the case of a certificate valid for multiple hostnames.

Operations

Retrieved from "https://kb.novaordis.com/index.php?title=X.509&oldid=93188"