X.509 is an ITU-T (ITU Telecommunication Standardization Sector) standard for PKI (Public Key Infrastructure) in cryptography, which, amongst many other things, defines specific formats for PKC (Public Key Certificates) and the algorithm that verifies a given certificate path is valid under a give PKI (called the certification path validation algorithm).
X.509 began in association with the X.500 standard in 1988 (Version 1) and it assumed a hierarchical system of certification authorities for issuing of certificates, quite contrary to the then existing web trust models – such as PGP – where any one can sign thereby attesting to the validity of other’s private or public key certificates. In 1993, an enhanced version of X.509 – version 2 – was introduced with the addition of two more fields, support and directory access control. The X.509-version 3, added compatibility with other topologies such as meshes and bridges, and the option to use it in a peer-to-peer, OpenPGP-similar web of trust environment, even though it is scarcely used that way as of 2006.
These days the name X.509 broadly refers to the IETF’s PKI Certificate and CRL Profile of the X.509 version 3 certificate standards, as given in the RFC 3280 specifications.
In a X.509 system, the Certification Authority issues a certificate binding a public key to a given but unique name in the X.500 tradition, or to an alternate one such as a DNS entry or email address. The authenticity of a certificate and the certification authority in turn is dependent on the root certificate, which is integral to the X.509 certification chain model. Root certificates are implicitly trusted, and the best example for software programs coming with preinstalled root certificates being the common web browser’s itself.
X.509 system also includes the method for CRL – certificate revocation list – implementations (often neglected in most PKI systems).
A X.509 version 3 digital certificate has three main variables – the certificate, the certificate signature algorithm and the certificate signature. The certificate is described by attributes such as version, algorithm ID, serial number, issuer, subject, validity, subject public key info, extensions and several other optional ones like subject and issuer unique identifier. The subject public key info attribute is further detailed by the public key algorithm and subject public key, while validity attribute comes has further options for an upper and lower date limit, which eventually decides the life of the certificate.
Protocols Supporting X.509 Certificates
- Transport Layer Security (SSL/TLS)
- Secure Multipurpose Internet Mail Extensions (S/MIME)