What is an X.509 certificate? (2024)

By

  • Alexander S. Gillis, Technical Writer and Editor
  • Sharon Shea, Executive Editor

What is an X.509 certificate?

An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.

A public key is a large numerical value used to encrypt data or check the legitimacy of a digital signature. A PKI is the underlying framework that enables entities like users and servers to securely exchange information using digital certificates.

The X.509 certificate is a safeguard against malicious network impersonators. When a certificate is signed by a trusted authority, or is otherwise validated, the device holding the certificate can validate documents. It can also use a public key certificate to secure communications with a second party.


The X.509 certificate is defined by the International Telecommunication Union's Telecommunication Standardization Sector (ITU-T).

In cryptography, the X.509 certificate securely associates cryptographic key pairs of public and private keys with websites, individuals or organizations. The certificate is typically used to manage identity and security in computer networking and over the internet. For the internet, it is used in numerous protocols to ensure a malicious website doesn't fool a web browser. The X.509 certificate is also used to secure email, device communications and digital signatures.

The X.509 standard is based on Abstract Syntax Notation One, an interface description language. An X.509 certificate contains an identity and a public key. It binds an identity -- such as an individual or hostname -- to a public key with a digital signature. The signature is either made by a trusted certificate authority (CA) or is self-signed. Some digital certificates can also be automated.

X.509 certificate fields

An X.509 certificate contains information about the identity to which the certificate is issued and the identity that issued it. Standard information in an X.509 certificate includes the following:

  • Version. Which X.509 version applies to the certificate, indicating what data the certificate must include.
  • Serial number. The CA creating the certificate must assign it a serial number that distinguishes the CA certificate from other certificates.
  • Algorithm information. The signature algorithm the issuer uses to sign the certificate.
  • Issuer distinguished name. The name of the entity issuing the certificate -- usually, the CA.
  • Validity period of the certificate. The start and end date, as well as the time the certificate is valid and can be trusted.
  • Subject distinguished name. The name to which the certificate is issued.
  • Subject public key information. The public key associated with the identity.
  • Extensions (optional). Extensions have their own unique IDs, expressed as a set of values called an object identifier. An extension can be rejected if it is not recognized or if the extension has information that can't be processed.
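
The fields listed above are stored as nested ASN.1 DER tag-length-value elements. The following added example (not code from the original article) walks that structure and pulls out the version, serial number, signature algorithm, issuer, validity period and subject, plus a SHA-256 fingerprint of the whole certificate. The helper names and the sample certificate are assumptions made for illustration: the sample is constructed inline with zeroed key and signature bits, so it is not a verifiable certificate, and the parser reads UTCTime dates only and does not decode extensions or check the signature.

```python
import hashlib
from datetime import datetime, timezone

OIDS = {"550403": "CN", "2a864886f70d01010b": "sha256WithRSAEncryption"}  # hex of DER OID bytes

def tlv(tag, body):  # DER-encode one element; only used to build the constructed sample
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def read(buf, pos=0):  # decode the element at pos -> (tag, body, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(body):  # split a constructed element's body into (tag, body) members
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def name(body):  # Name = SEQUENCE OF SET OF SEQUENCE {type OID, value}
    atvs = [children(a) for _, r in children(body) for _, a in children(r)]
    return ",".join(f"{OIDS.get(t[1].hex(), t[1].hex())}={v[1].decode()}" for t, v in atvs)

def parse_certificate(der):
    f = children(children(read(der)[1])[0][1])  # members of tbsCertificate
    has_version = f[0][0] == 0xA0  # [0] EXPLICIT version; absent in v1 certificates
    version = read(f[0][1])[1][0] + 1 if has_version else 1
    serial, alg, issuer, validity, subject = (v for _, v in f[has_version:has_version + 5])
    nb, na = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
              for _, v in children(validity))  # UTCTime only (dates before 2050)
    return {"version": version, "serial": serial.hex(), "sig_alg": OIDS.get(children(alg)[0][1].hex(), "unknown"),
            "issuer": name(issuer), "subject": name(subject), "not_before": nb, "not_after": na,
            "sha256": hashlib.sha256(der).hexdigest()}

def cn(text):  # constructed sample data: a Name holding one commonName attribute (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, text.encode()))))

SIG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b"")) + tlv(0x03, bytes(9)))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes.fromhex("1a2b3c")) + SIG
          + cn("Example Test CA")
          + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
          + cn("www.example.test") + SPKI)
SAMPLE = tlv(0x30, TBS + SIG + tlv(0x03, bytes(9)))  # constructed; key and signature bits are zero placeholders
```

Calling `parse_certificate(SAMPLE)` returns a dictionary of the decoded fields; a certificate cut short in transit raises `ValueError` instead of being partially parsed.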

Applications of X.509 certificates

Common applications of X.509 certificates include the following:

  • Digital identities. A key use of X.509 certificates is authenticating the digital identities of devices, people, data and applications.
  • TLS/SSL and web browser security. PKI and X.509 are the basis for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Web browsers read the X.509 certificate of a webpage to verify its TLS/SSL status.
  • Digital signatures and document signing. X.509 certificates can authenticate the identity of a digitally signed document, specifically authenticating both the signature and document.
  • Email certificates. Secure email standards -- for example, Secure/Multipurpose Internet Mail Extensions, or S/MIME -- use X.509 certificates.
  • Secure Shell keys. Secure Shell (SSH) keys are a form of X.509 certificate. They provide secure access credentials used in the SSH protocol.
  • Code signing. Code signing uses certificates to authenticate code so end users can verify that code has not been altered by a third party.

Benefits of X.509 certificates

Potential benefits that come with X.509 certificates include the following:

  • Wide area of use. X.509 certificates are a part of web browser security, web server security, online document signing, SSH keys and email security.
  • Level of trust. Certificates help safeguard against potentially malicious network impersonators.
  • How signed certificates are issued. Certificates are signed by a publicly trusted issuer, such as a CA, or self-signed.

History of X.509 certificates

The first X.509 certificates were issued in 1988 as part of the ITU-T and the X.500 directory services standard. The current version, version 9, was defined in October 2019.

As more versions came out, more certificate fields were added or refined. For example, in 1993, version 2 added two fields to support directory access control, as well as subject and issuer unique identifiers. The X.509 version 3 certificate was released in 1996 and defines the formatting used for certificate extensions. It also was used by the Internet Engineering Task Force in the development of its own X.509 Public Key Infrastructure Certificate and Certificate Revocation List, or CRL, Profile standard.


This was last updated in June 2022


FAQs

What does an x509 certificate do?

The certificate is typically used to manage identity and security in computer networking and over the internet. For the internet, it is used in numerous protocols to ensure a malicious website doesn't fool a web browser. The X.509 certificate is also used to secure email, device communications and digital signatures.

What is the difference between SSL certificate and x509 certificate?

509 format and rely on CAs for validation. SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates are used for securing web traffic and authenticating websites. SSL/TLS certificates are also based on X.509, but they have specific extensions and requirements for web browsers and servers.

How do I identify an x509 certificate?

You can identify a certificate in several ways: by the hash of the certificate, by the issuer and serial number, or by the subject key identifier (SKI). The SKI provides a unique identification for the certificate's subject public key and is often used when working with XML digital signing.

What is the difference between an x509 certificate and a public key?

The owner of the key pair makes the public key available to anyone, but keeps the private key secret. A certificate verifies that an entity is the owner of a particular public key. Certificates that follow the X.509 standard contain a data section and a signature section.

What are the benefits of X509?

One main benefit of X.509 certificates is their ability to securely link cryptographic key pairs with identities. This enables secure, encrypted communications, ensuring that data remains private and unchanged during transmission. This is vital for protecting sensitive information in businesses and IoT security.

What is the difference between SSH and X509 certificate?

X.509 certificates facilitate identity verification in browser-to-server interactions, whereas SSH certificates are used for authenticating identities in communications between a shell (terminal) and Linux servers.

How do I get my x509 certificate?

In order to obtain an X.509 certificate, you need to contact a Certificate Authority (CA) that is authorized by the Internet Corporation for Assigned Names and Numbers (ICANN). The CA will help validate your identity and encrypt the data that is being sent over the networks.

Do x509 certificates expire?

x509 certificates expire after a period of time, at which point you will need to input an updated certificate into your SSO configuration settings to maintain login function for users with a targeted domain. Procore does not provide notification of expiring x509 certificates.

Does an x509 certificate contain a private key?

X.509 uses the widely accepted international X.509 public key infrastructure standard to verify that a public key belongs to the user, computer or service identity contained within the certificate. When a certificate is generated, a private key is also produced, but this private key is not stored inside the x.

How to generate a X509 certificate?

Procedure
  1. Go to the OpenSSL library in your command-line tool. For Mac and Linux users, call OpenSSL directly in the command tool under the default path. ...
  2. Use the openssl command to create an X.509 certificate. ...
  3. Enter the following information when prompted:

Where are X509 certificates stored?

Certificate stores are kept in the system registry under the keys HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates and HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates. Each user has a MY certificate store which contains his/her personal certificates.

How do I get an X509 certificate from a website?

Google Chrome
  1. In the Developer tools, click the Security tab.
  2. In the Security tab, click the View Certificate button.
  3. In the Certificate window, click the Details tab.
  4. Click the Copy to File... ...
  5. Click the Next button in the wizard.
  6. Select the Base-64 encoded X. ...
  7. Choose a path and filename to export the file and click Next.

What are the three contents of an X509 certificate?

No matter its intended application(s), each X.509 certificate includes a public key, digital signature, and information about both the identity associated with the certificate and its issuing certificate authority (CA): The public key is part of a key pair that also includes a private key.

Who signs X509 certificates?

These are generated for submission to certificate-authorities (CA). It includes key details of the requested certificate such as Common Name (/CN), subject, organization, state, country, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned.

What is a distinguished name for an X509 certificate?

A distinguished name for an X.509 certificate consists of a sequence of relative distinguished names (RDN) where each RDN is expressed as an attribute type/value pair. At least one attribute must be specified. The RDNs are written to the certificate name in the order they are listed.

What is X509 certificate used for in SAML?

SAML signing certificates are X.509 certificates used in SAML responses to allow the Service Provider (SP) to verify the authenticity of a SAML response. Some Identity Providers (IdPs) may require or provide the option to use a SAML signing certificate for the SAML request as well.

What is the purpose of a self-signed certificate?

Definitions: A public-key certificate whose digital signature may be verified by the public key contained within the certificate. The signature on a self-signed certificate protects the integrity of the information within the certificate but does not guarantee the authenticity of that information.

What is the difference between X509 and private key?

Only the public key resides in the X.509 certificate. – The private key resides in the repository of the end-entity that is represented with the certificate. – The private key is used for signing certificates and decrypting data that has been encrypted with the public key.

How are X509 certificates validated?

Each X.509 certificate is signed with the private key of the issuer of the certificate. The signature can be checked using the associated public key. If the signature verification fails, the document was a) never signed or b) the document has been modified since the signature.
