Menu Show

An X509 Certificate — All You Need to Know About X.509 Security

Rate this article: 1 Star2 Stars3 Stars4 Stars5 Stars (18 votes, average: 4.33)

What exactly is an X.509 certificate? Here’s the answer

In cryptography, X.509 is a standard format for public key certificates. A digital certificate that uses the SSL X.509 standard is regarded as an “X.509 certificate,” although you sometimes may see it referred to as an “X509 certificate.”

But what is an X509 certificate in SSL and what does it do?

What is an X509 Certificate?

In a nutshell, X.509 digital certificates include SSL/TLS, code signing, document signing and email signing certificates, etc.

X.509 certificates were first released in 1988 as a part of the International Telecommunications Union’s Telecommunication Standardization Sector (ITU-T) and the X.500 Directory Services Standard. In 1993, version 2 was made available, with two additional fields to support directory access control. The latest, version 3, was released in 1996 and defines the formatting used for certificate extensions.

X.509 certificates are used for two primary reasons:

  1. To verify the identity of a website, individual or an organization. In other words, they let users know that the person/organization really is who they say they are.
  2. To protect data against man-in-the-middle (MitM) attacks through the use of asymmetric encryption.

We’ll tell you more about that momentarily. But, first, let’s talk about what constitute X.509 certificates and the encryption they help to facilitate.

SSL Certificates

Save Up to 86% on SSL Certificates

Get SSL certificates that authenticate your identity and secure your site with prices that start as low as $7.02 per year!
Shop Now


So, What Is Asymmetric Encryption?

When it comes to types of encryption methods, there are mainly two: symmetric encryption and asymmetric encryption. While there are several notable differences between these encryption methods, the biggest is the number of cryptographic keys used.

In symmetric encryption, only one key is used. This key is used for encryption as well as decryption of the message. Asymmetric encryption, on the other hand, involves two cryptographic keys that are mathematically related to each other. One key, called a public key, encrypts data and the other, called a private key, decrypts it.

A public key, as the name implies, is publicly available. So, if you encrypt the data with the public key, no one — not even the person who encrypted it — will be able do decrypt the data. Only the person with the private key will be able to decrypt it. Such encryption is used in X.509 certificates.

What Do X509 Certificates Include?

Whether it’s an SSL certificate, a document signing certificate or a client authentication certificate; X.509 certificates consist of three main components — a key pair, a digital signature and information about identity of issuing party and the party it’s issued to. Let’s learn about them in a bit detail:

Key Pair

An X.509 certificate consists of two keys, namely a public key and a private key. This key pair, depending upon the application, allows you to sign documents using the private key so that the intended person can verify the signature using the public key related to it. In the likes of SSL/TLS certificates, this key pair allows the sender to encrypt data/messages with the public key so that only the owner can decrypt the cipher text.

Digital Signature

A digital signature is added by certificate authority (CA) to assure users that the certificate in use is genuine. In other words, digital signature provides the proof that the certificate you have been given is the exact certificate issued by a trusted CA to the website in question.

Identity Information

An X.509 certificate consists of information related to the party to which a certificate is issued and the identity that issued it (certificate authority). Standard information in an X509 certificate includes:

  • Version — The version of X.509 that applies to the certificate.
  • Serial number — Serial number assigned by certificate authority to distinguish one certificate from other certificates.
  • Algorithm information — The hashing algorithm used by the CA to sign the certificate (SHA-2 in almost all cases).
  • Issuer distinguished name — The name of the entity issuing the certificate (usually a certificate authority)
  • Validity period of the certificate — The period during which certificate is valid to use.
  • Subject distinguished name — The name of the identity the certificate is issued to (individual, organization, domain name, etc.)
  • Subject public key information — The public key of the certificate

X509 and Chain of Trust

X.509 certificates consist of a hierarchy of certificates that verify the validity of a certificate’s issuer. Let us make it simpler to understand. Basically, root certificates are the base certificates that contain the signature of certificate authorities. But it’s the SSL certificate that makes the browser aware of the legitimacy of the website. Now, as you can see, there’s a gap between a root certificate and SSL certificate. This gap is filled by intermediate certificates.

Together, they form a chain of certificates from the SSL server certificate and intermediate certificate to the root certificate. In this chain, each certificate is signed by the entity identified by the next certificate in the chain. Thus, it forms not only a chain of certificates but a chain of trust as well.

X.509 certificates are used worldwide in the following applications: