X.509 certificates explained: How they work, types, and uses

Last updated date : 28 Apr 2025

What are X.509 certificates?

X.509 certificates are digital certificates based on the International Telecommunication Union (ITU) standard X.509. They are used to verify the identity and authenticity of parties in digital interactions, and they are the certificates used in public key infrastructure (PKI) and in internet protocols such as SSL and TLS.

The X.509 standard and the ITU

The ITU is a United Nations specialized agency for telecommunications, a subset of information and communication technologies (ICTs). X.509 is an ITU standard that outlines how public key certificates should work, the format and semantics that they should follow, encoding algorithms they should use, and more. The standard introduces the concept of asymmetric cryptography and defines entities such as certificate authorities (CAs), certificate revocation lists (CRLs), trust anchors, and trust brokers.

How do X.509 certificates work?

At their core, X.509 certificates function like passports for digital communication, verifying the identity of the holder and securing the passage of digital communications from one point to the other.

There are two main parts to an X.509 certificate: the certificate fields, which carry the information about the certificate holder, the certificate issuer, the cryptographic details, the serial number, and the validity period; and the digital signature, which lets a relying party check the certificate's authenticity.

X.509 certificates work on the basis of public-private key pairs and asymmetric cryptography to establish secure communication. The public key, as the name suggests, is openly visible and freely shared, while the private key remains confidential. When a certificate signing request is raised and validated, the issuing CA signs the X.509 certificate with its private key. This digital signature, a hash of the certificate contents signed by a trusted CA, authenticates both the certificate and the identity of its holder.

In internet communications, when a user connects to a website, the web server presents its X.509 certificate, signed by a public CA, to the user's browser. The browser then verifies the domain's authenticity by validating the certificate's signature against the issuing CA's public key. Once the certificate is verified, the browser generates a session key and encrypts it with the web server's public key. Only the web server's private key can decrypt this session key, which establishes the secure communication channel.

Chain of trust and validation of X.509 certificates

Validation of X.509 certificates in PKI is based on a sequential trust system called the chain of trust. This sequence begins with the root CA and extends downward to the certificate holder. In most implementations, one or more intermediate certificates connect the server or digital entity to the root CA, forming a trust pathway.

There are different trust models in PKI, namely the hierarchical trust model, single CA model, and bridge model, amongst others. X.509 certificates predominantly utilize the hierarchical trust model to validate certificates. The trust structure operates hierarchically from the top down, with the root certificate functioning as the foundational trust anchor. This linear trust model places the root certificate at the highest level, while end-entity certificates reside at the bottom. Connecting these points are one or more intermediate certificates that create a chain, all ultimately linking back to the root CA.

Components of an X.509 certificate

X.509 certificates contain identifying information about the certificate holder and the issuer, cryptographic details, and a digital signature.

  • Version number: The X.509 version of the certificate. There are three versions of X.509: version 1 (v1) of the X.509 standard, released in 1988; version 2 (v2), published in 1993, which added two new fields; and version 3 (v3), the latest version of the X.509 standard. Certificates adhering to v3 of X.509 can also carry certificate extensions.

  • Serial number: The unique serial number of the certificate, assigned by the issuing CA.

  • Signature algorithm: The type of cryptographic algorithm used by the issuing CA to sign the certificate.

  • Issuer name: The distinguished name (DN) of the CA that issued the certificate.

  • Validity period: The period (not before and not after) during which the X.509 certificate is valid.

  • Subject: The DN of the entity that the certificate is issued to, i.e., the certificate holder.

  • Subject public key information: The public key associated with the certificate holder.

  • Issuer unique ID (introduced in v2): A unique identifier for the issuing CA. This is defined by the issuing CA.

  • Subject unique ID (introduced in v2): A unique identifier for the certificate holder or subject. This is also defined by the issuing CA.

  • Digital signature: A cryptographic signature over the certificate contents, computed with the private key of the issuing CA.

  • Certificate extensions (introduced in v3): Certificate extensions, defined in v3 of X.509, help provide more information about the certificate holder, public key, and how the certificate can be used based on the type of extension specified.

For example, the Basic Constraints extension specifies whether the certificate is a CA certificate or an end-entity certificate, while the Subject Alternative Name (SAN) extension allows the certificate to be associated with multiple entities or domains; such certificates are known as multi-domain or SAN certificates.

Types of X.509 certificates

There are numerous types of X.509 certificates used to establish secure digital communications today. Some of these include:

01. Domain validation certificates

Domain validation (DV) certificates are used to verify that the entity has authority over or ownership of the specified domain. DV certificates are issued quickly, usually in a matter of minutes or hours, and are mostly used by smaller websites or blogs.

02. Organization validation certificates

Not only do organization validation (OV) certificates verify the ownership of a domain and if the subject or certificate holder has the authority over the domain, they verify organizational information of the entity as well. OV certificates display the organization's name in the certificate details, providing users with additional assurance about the holder's legitimacy. They are ideal for commercial websites and larger organizations.

03. Extended validation certificates

Extended validation (EV) certificates, as the name suggests, go a step further than OV certificates by adopting a rigorous validation process that verifies the organization's identity, including its legal existence, physical location, and operational status. Naturally, the verification process for EV certificates takes several weeks. They are largely used by organizations that handle sensitive information, including banking and financial institutions and e-commerce websites.

04. Wildcard certificates

Wildcard certificates are certificates that validate not only the main domain (e.g., www.zylker.com) but also its first-level subdomains (e.g., mail.zylker.com, docs.zylker.com, etc.). Although these certificates help organizations with many subdomains save cost and time, they present increased security risk if the private key is compromised, because one key then covers every subdomain.

05. Multi-domain certificates

Multi-domain certificates help verify multiple domains in the same certificate. Because they contain the Subject Alternative Name (SAN) extension, they are also called SAN certificates. They are ideal for organizations managing multiple domains, and like wildcard certificates, they present increased security concerns should the private key be somehow compromised.

06. Code signing certificates

These are the X.509 certificates used by developers and software publishers to sign their code or product and help verify the identity of the software publisher. Code signing certificates help the user verify that the code hasn't been altered or tampered with post signing and that the product is authentic and not malware.

07. Self-signed certificates

While X.509 certificates signed by publicly trusted CAs are the ideal option for external communications, businesses usually employ thousands of certificates for intranet communications and in test environments. In such cases, it may be too expensive to pay $60 per certificate per annum for every single internal certificate. Therefore, organizations serve as their own CAs and self-sign certificates required to establish secure intranet communications. These are called self-signed certificates.

Where are X.509 certificates commonly used?

X.509 certificates have become integral to modern-day digital communications and are utilized by multiple technologies and security protocols, including:

  • 01. SSL/TLS: X.509 certificates form the foundational layer of the SSL/TLS protocols, which help encrypt and establish secure communications across the digital realm today. X.509 certificates help verify the authenticity and identity of the sender and receiver involved in the communication.

  • 02. S/MIME: X.509 certificates are used in Secure/Multipurpose Internet Mail Extensions, or the S/MIME protocol, to secure email communications. X.509 certificates in the context of emails serve two primary functions: encrypting email content to ensure only intended recipients can read messages, and digitally signing emails to verify sender identity and message integrity.

  • 03. Code signing: As mentioned in the previous section, X.509 certificates help developers and software publishers verify the authenticity of the software and ensure that the code hasn't been tampered with, helping establish trust with the end users and guard against malware attacks.

  • 04. Internet of Things: Internet of Things (IoT) security has increasingly adopted X.509 certificates for device authentication and secure communications. X.509 certificates provide a scalable way to authenticate thousands or even millions of IoT devices without managing individual credentials. They also help push updates securely over the air and encrypt data transmission between devices and cloud services.

How to obtain an X.509 certificate

Obtaining an X.509 certificate involves creating a public-private key pair and raising a certificate signing request (CSR), which contains the required information about the entity or organization requesting the certificate along with its public key. The CA then validates the information in the CSR; if everything checks out, the CA signs the certificate with its private key. In the case of self-signed certificates, the organization acts as its own CA. Once the certificate is signed, the organization can deploy it where necessary.
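The procedure above, together with the chain of trust and the Basic Constraints and SAN extensions described earlier, carried out end to end with OpenSSL as an added example (not code from the original article or from Key Manager Plus). It assumes openssl 1.1.1 or later on PATH; the CA names are constructed placeholders and zylker.com is the article's own example domain.

```shell
# Added example (not from the original article): build a root -> intermediate -> server
# chain with OpenSSL, then check it the way a TLS client does. Assumes openssl 1.1.1+
# on PATH; the CA names are constructed placeholders, zylker.com is the article's example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/x509.cnf"
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.zylker.com, DNS:mail.zylker.com
EOF
KEY="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"   # fresh P-256 key pair per cert
# 1. Root CA: self-signed, Basic Constraints CA:TRUE -> the trust anchor.
openssl req -x509 -new $KEY -days 3650 -config "$CFG" -extensions v3_ca \
  -subj "/CN=Zylker Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# 2. Intermediate CA: key pair + CSR, signed with the root's private key.
openssl req -new $KEY -config "$CFG" -subj "/CN=Zylker Issuing CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$CFG" -extensions v3_ca -out "$WORK/int.crt" 2>/dev/null
# 3. End-entity certificate: CA:FALSE, SAN lists the hostnames it may serve.
openssl req -new $KEY -config "$CFG" -subj "/CN=www.zylker.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 397 -extfile "$CFG" -extensions v3_leaf -out "$WORK/leaf.crt" 2>/dev/null
# The verifier trusts only the root; the server sends the intermediate as an untrusted link.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}
# Same leaf with the intermediate missing: no path to the trust anchor, so it fails.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}
# Name binding: the hostname the client connected to must appear in the SAN extension.
verify_hostname() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}
verify_with_chain && echo "chain OK"
```

Run `openssl x509 -in "$WORK/leaf.crt" -text -noout` before the trap fires to see the version, serial number, issuer, validity, subject, public key and extensions fields laid out as in the components list above.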

Manage X.509 certificates with Key Manager Plus

Organizations typically have thousands of X.509 certificates across their enterprise. It is impossible to manage all of them manually and track their expiry dates, renewals, and so on. Certificate management tools like ManageEngine Key Manager Plus help bridge this gap by enabling organizations to automate X.509 certificate management across their life cycle. With Key Manager Plus, organizations can discover, create, inventory, manage, and renew all their digital certificates from a single console.

Frequently asked questions