Extended Slovník

X.509 Certificate

An X.509 certificate is a digital document that uses the X.509 standard to bind a public key to an identity, such as an individual, organization, or device. It is a cornerstone of Public Key Infrastructure (PKI) and essential for secure communication and authentication on the internet.

An X.509 certificate is a widely adopted international standard for public key certificates — digital documents that securely associate a public key with the identity of its owner. Governed by the X.509 specification developed by the International Telecommunication Union (ITU), these certificates are central to Public Key Infrastructure (PKI) systems. They contain crucial information, including the public key itself, the identity of the certificate holder (e.g., common name, organization), the issuing Certificate Authority (CA), a validity period, and a digital signature from the CA to verify its authenticity.

What is an X.509 certificate?

An X.509 certificate is a standardized digital document that binds a public key to a specific identity, such as an individual, organization, or device. The certificate format is defined by the ITU-T Recommendation X.509 and further profiled for internet use in RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List Profile). Each certificate includes a set of structured fields:

  • Subject: The entity the certificate identifies (e.g., a domain name or organization).
  • Issuer: The Certificate Authority (CA) that issued and signed the certificate.
  • Public Key: The cryptographic key associated with the subject.
  • Validity Period: The start and expiration dates during which the certificate is considered valid.
  • Serial Number: A unique identifier assigned by the CA.
  • Digital Signature: The CA's signature that ensures the certificate has not been tampered with.
  • Extensions: Additional fields such as key usage, subject alternative names, and certificate policies.

Why are X.509 certificates important for security?

X.509 certificates are fundamental to establishing trust in digital communications. They serve as the foundation for verifying identities across the internet and within enterprise networks. Without X.509 certificates:

  • Users would have no way to confirm that a website is genuinely operated by the entity it claims to represent.
  • Encrypted communications could be intercepted through man-in-the-middle attacks.
  • Software authenticity could not be verified through code signing.
  • Email confidentiality and integrity would be impossible to guarantee.

Organizations such as the National Institute of Standards and Technology (NIST), through publications like NIST Special Publication 800-32, outline best practices for public key technology and the role X.509 certificates play in securing applications and infrastructure.

How does an X.509 certificate work?

The X.509 certificate operates within a chain of trust established by a PKI hierarchy:

  1. Certificate Request: An entity generates a key pair (public and private key) and submits a Certificate Signing Request (CSR) to a Certificate Authority (CA).
  2. Validation: The CA verifies the identity of the requester based on established policies (domain validation, organization validation, or extended validation).
  3. Issuance: Upon successful validation, the CA issues an X.509 certificate, digitally signing it with the CA's own private key.
  4. Verification: When a client (e.g., a web browser) encounters the certificate, it checks the CA's digital signature against the CA's public key, which is already trusted through a root certificate store. Programs like the Mozilla CA Certificate Program maintain lists of trusted root CAs.
  5. Revocation Checking: The client may also verify that the certificate has not been revoked by consulting a Certificate Revocation List (CRL) or using the Online Certificate Status Protocol (OCSP).

Practical examples

  • Website Security (HTTPS/SSL/TLS): When you visit a secure website (https://), the server presents an X.509 certificate issued by a trusted CA to your browser. This certificate verifies the website's identity and enables encrypted communication between the browser and the server.
  • Email Security (S/MIME): X.509 certificates are used in S/MIME to digitally sign and encrypt emails, ensuring message integrity, sender authenticity, and confidentiality of communications.
  • Code Signing: Software developers use X.509 certificates to sign applications and updates, allowing users and operating systems to verify that the code has not been altered and originates from a trusted source.

When was the X.509 standard created?

The X.509 standard was first introduced in 1988 as part of the ITU-T X.500 directory services recommendations. Since then, it has undergone several revisions — notably version 2 in 1993 and version 3 in 1996 — to accommodate new requirements such as certificate extensions. Version 3 (v3) is the current version in widespread use today and is profiled for internet applications by the IETF in RFC 5280.

Which protocol uses X.509 certificates?

X.509 certificates are used across a wide range of protocols and security frameworks:

  • TLS/SSL: The most prominent use case, securing HTTPS web traffic and other encrypted connections.
  • S/MIME: For secure email communication.
  • IPsec: For authenticating endpoints in Virtual Private Networks (VPNs).
  • EAP-TLS: For network access authentication in enterprise Wi-Fi and wired networks.
  • LDAP over TLS: For securing directory service communications.
  • Code Signing Protocols: Used by operating systems and application stores to validate software integrity.

The versatility of X.509 certificates across these protocols makes them one of the most critical components of modern cybersecurity infrastructure, as documented extensively by Microsoft, NIST, and other major technology organizations.

← Back to Glossary