Understanding X.509 Certificate Fields

Q: Understanding X.509 Certificate Fields

## X.509 Certificate Structure The X.509 standard (defined in RFC 5280) specifies the format for public key certificates used in TLS/SSL, code signing, email encryption, and more. Every certificate contains a fixed set of fields organized in an ASN.1 structure. ### Core Fields Certificate: Data: Version: 3 (0x2) Serial Number: 04:e3:b1:72:26:34:23:32:dc:f4:05:28:51:2a:ec:9c:6a Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R

Explore all the fields in an X.509 certificate: subject, issuer, serial number, validity, public key, and extensions. Understand what each field means and how it is used.

Certificate Fields

Detailed Explanation

X.509 Certificate Structure

The X.509 standard (defined in RFC 5280) specifies the format for public key certificates used in TLS/SSL, code signing, email encryption, and more. Every certificate contains a fixed set of fields organized in an ASN.1 structure.

Core Fields

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 04:e3:b1:72:26:34:23:32:dc:f4:05:28:51:2a:ec:9c:6a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Apr  1 00:00:00 2024 GMT
        Subject: CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public-Key: (2048 bit)

Field-by-Field Breakdown

Version — almost always Version 3 (value 0x2). Version 3 introduced extensions, which modern certificates require.

Serial Number — a unique number assigned by the CA. No two certificates from the same CA should share a serial number. This field is critical for certificate revocation (CRL and OCSP).

Signature Algorithm — identifies the algorithm the CA used to sign the certificate. Common values: sha256WithRSAEncryption, ecdsa-with-SHA256, sha384WithRSAEncryption.

Issuer — the Distinguished Name (DN) of the CA that issued and signed the certificate. Contains components like Country (C), Organization (O), and Common Name (CN).

Validity — the Not Before and Not After timestamps defining the certificate's valid period.

Subject — the Distinguished Name of the certificate holder. For domain certificates, this typically contains just the Common Name (CN) with the domain name.

Subject Public Key Info — the public key embedded in the certificate, including the algorithm (RSA, ECDSA, Ed25519) and key size.

X.509 v3 Extensions

Extensions add critical metadata:

Subject Alternative Name (SAN) — additional domain names and IP addresses the certificate covers
Key Usage — what the key can be used for (digital signature, key encipherment)
Extended Key Usage — specific purposes like TLS server or client authentication
Basic Constraints — whether this is a CA certificate or end-entity certificate
Authority Key Identifier — identifies the issuer's public key
CRL Distribution Points — where to check for revocation
Authority Information Access — OCSP responder URL and CA issuer certificate URL

Use Case

Examine X.509 certificate fields when debugging TLS connection errors, verifying a certificate matches your domain, or auditing the security properties of certificates in your infrastructure.

Try It — SSL Certificate Decoder

Open full tool →