X.509 Certificate

Certificate Overview

The X.509 standard specifies what information a certificate can contain and describes the method (data format) for recording information ). In addition to signatures, all X.509 certificates also contain the following data: Version Identifies the X.509 standard version used for the certificate, which affects the information that can be specified in the certificate. So far, three versions have been defined. Serial number The entity that issues the certificate has the responsibility to specify the serial number of the certificate to distinguish it from other certificates issued by the entity. This information is widely used. For example, if a certificate is revoked, its serial number is placed in the Certificate Revocation List (CRL. SignatureAlgorithmIdentifier The algorithm used to identify the CA certificate. Issuer name The X.500 name of the certificate entity. It is usually a ca. Using this Certificate means you trust the entity that signs the certificate (note: in some cases (such as the root or top-level CA certificate), the issuer will sign the certificate ). Validity Period Each certificate is valid only for a limited period of time. The validity period is represented by the start date and time, and the end date and time. It can be as short as a few seconds or as long as a century. The selected validity period depends on many factors, such as the frequency of use of the private key used for signing the certificate and the money you wish to pay for the certificate. It is the estimated time when the object can depend on the public key value without endangering the relevant private key. Subject name The certificate can recognize the entity name of its public key. This name uses the X.500 standard, so it should be unique on the Internet. It is the feature name of an object (DN), for example, Cn = Java Duke, ou = Java software division, O = Sun Microsystems Inc, C = US (these refer to the general name, organization unit, organization, and country of the subject ). Subject Public Key Information This is the public key of the named object. It also includes the algorithm identifier of the public key and password system to which the key belongs and all related key parameters. Other problems X.509 version 1 has been commercially available since 1988 and has been widely used and is the most commonly used version. Version X.509 2 introduces the concept of unique identifiers of the subject and issuer to solve the problem that the subject and/or issuer names may be reused after a period of time. Most certificate monitoring documents strongly recommend that you do not repeat the subject or issuer name, and that the certificate do not use a unique identifier. Version 2 certificates are not widely used. Version X.509 3 is the latest version (January 1, 1996 ). It supports the concept of extension, so anyone can define the extension and include it in the certificate. Currently, common extensions include: keyusage (key-only for special purposes, such as "sign-only") and alternativenames (allow other identifiers to be associated with the public key, for example, DNS name, email address, and IP address ). An extension can be marked as "critical" to indicate that the extension should be selected and enforced or used. For example, if a certificate marks the keyusage extension as "critical" and is set to "keycertsign", the certificate will be rejected when it appears during SSL communication, because this certificate Extension indicates that the relevant private key should be used only for signing the certificate, but not for SSL. All data in the certificate is encoded using two standards named ASN.1/der. Abstract Syntax Notation 1 (Abstract Syntax Notation 1) describes the data. A Deterministic encoding rule (DER) describes the only way to store and transmit data. They both call this combination "powerful and flexible", and some call it "ambiguous and clumsy ".