Skip to content

X.509 Standard

TL;DR: X.509 is the international standard defining the format of public key certificates. Originally developed by ITU-T and adapted for internet use in RFC 5280, it specifies certificate structure, extensions, and validation rules that underpin all modern PKI implementations.

Overview

The X.509 standard is the foundation of modern Public Key Infrastructure. Every certificate you encounter—whether securing HTTPS connections, signing code, or authenticating email—follows the X.509 format. Understanding this standard is essential for anyone implementing, operating, or troubleshooting PKI systems.

First published in 1988 as part of the X.500 directory services framework, X.509 has evolved through multiple versions. Version 3, introduced in 1996, added the extension mechanism that enables modern PKI features like Subject Alternative Names, Certificate Transparency, and policy constraints. The internet-specific profile is defined in RFC 52801, which adapts the ITU-T standard for internet use and is the primary reference for PKI implementations.

X.509 defines not just certificates but also Certificate Revocation Lists (CRLs), attribute certificates, and certification path validation algorithms. Its adoption across operating systems, browsers, programming languages, and security protocols makes it the universal language of digital trust.

Related Pages: Certificate Anatomy, What Is Pki, Ocsp And Crl, Chain Validation Errors

Key Concepts

Standard Evolution and Versions

X.509 v1 (1988)

The original specification with basic fields:

  • Serial number
  • Signature algorithm
  • Issuer DN
  • Validity period
  • Subject DN
  • Subject public key
  • CA signature

Limitations: No extensions, no way to specify certificate purposes or additional names. Insufficient for modern PKI needs.

Current Use: Essentially obsolete. No modern PKI should issue v1 certificates.

X.509 v2 (1993)

Added two optional identifier fields:

  • Issuer Unique Identifier
  • Subject Unique Identifier

Purpose: Intended to handle DN reuse after revocation. Proven to be an inadequate solution.

Current Use: Also obsolete. The unique identifier approach was superseded by extensions.

X.509 v3 (1996-Present)

Introduced the extension mechanism, enabling:

  • Subject Alternative Names (SAN)
  • Key Usage constraints
  • Certificate Policies
  • CRL Distribution Points
  • Authority Information Access
  • Hundreds of other extensions

Significance: This is the version used for all modern certificates. The extension mechanism provides the flexibility needed for evolving security requirements without changing the core standard1.

Current Use: Universal. All publicly-trusted certificates must be v3. CA/Browser Forum Baseline Requirements mandate v32.

ITU-T vs. IETF Standards

ITU-T X.509 (ISO/IEC 9594-8)

The original standard published by the International Telecommunication Union:

  • Broader scope including X.500 directory integration
  • More general purpose
  • Updates less frequently
  • Current version: X.509 (10/2019)3

RFC 5280 - Internet X.509 Profile

The IETF adaptation for internet use:

  • Specifies internet-specific constraints
  • Defines required and optional extensions
  • Provides validation algorithms
  • References additional RFCs for specific extensions
  • Updates more frequently through internet standards process

Key Differences:

  • RFC 5280 prohibits some X.509 features (e.g., v1 and v2 certificates)
  • RFC 5280 mandates extensions that X.509 makes optional
  • RFC 5280 specifies DNS name encoding in SAN (X.509 is protocol-agnostic)
  • RFC 5280 defines internet-specific validation behavior

For Internet PKI: RFC 5280 is the authoritative reference, not the ITU-T standard.

ASN.1 Encoding

X.509 certificates use Abstract Syntax Notation One (ASN.1) for structure definition and Distinguished Encoding Rules (DER) for binary encoding.

ASN.1 Structure

ASN.1 is a language for defining data structures independent of implementation. X.509 certificate structure in ASN.11:

Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signatureValue       BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  EXPLICIT Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
     extensions      [3]  EXPLICIT Extensions OPTIONAL }

Key Points:

  • SEQUENCE indicates ordered collection of fields
  • [0], [1], [2], [3] are context-specific tags for optional fields
  • OPTIONAL fields may be omitted
  • DEFAULT specifies assumed value if absent

DER Encoding

Distinguished Encoding Rules provide canonical binary encoding:

  • Each ASN.1 type has specific encoding rules
  • Ensures unique encoding (critical for signatures)
  • Tag-Length-Value (TLV) structure
  • Network byte order (big-endian)

Example: Integer encoding 

Tag: 0x02 (INTEGER type)
Length: 0x01 (1 byte)
Value: 0x05 (decimal 5)
Result: 02 01 05

Why DER Matters: Digital signatures are computed over the DER-encoded TBSCertificate. Any variation in encoding would invalidate the signature. DER's canonical encoding ensures consistent signature validation.

PEM Encoding

Privacy-Enhanced Mail (PEM) format wraps base64-encoded DER:

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKZPtE4H7fkrMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
[... base64 encoded data ...]
-----END CERTIFICATE-----

Characteristics:

  • Base64 encoding of DER certificate
  • Header: -----BEGIN CERTIFICATE-----
  • Footer: -----END CERTIFICATE-----
  • 64 characters per line (typically)
  • Human-transportable (email, copy-paste)

Common Variants:

  • BEGIN/END CERTIFICATE REQUEST - CSR (PKCS#10)
  • BEGIN/END RSA PRIVATE KEY - Unencrypted private key
  • BEGIN/END ENCRYPTED PRIVATE KEY - Encrypted private key (PKCS#8)
  • BEGIN/END CERTIFICATE CHAIN - Multiple certificates

Extension Framework

Extensions are the key innovation in X.509 v3, enabling extensibility without breaking backward compatibility.

Extension Structure

Each extension has:

  • OID (Object Identifier): Unique identifier (e.g., 2.5.29.17 for SAN)
  • Critical flag: Boolean indicating if unknown extensions must cause rejection
  • Value: DER-encoded extension-specific data
Extension  ::=  SEQUENCE  {
     extnID      OBJECT IDENTIFIER,
     critical    BOOLEAN DEFAULT FALSE,
     extnValue   OCTET STRING
                 -- contains the DER encoding of an ASN.1 value
                 -- corresponding to the extension type identified
                 -- by extnID
     }

Critical vs. Non-Critical

Critical Extensions: Must be processed and understood by the relying party. If the extension is not recognized, the certificate must be rejected1.

Use Case: Security-critical extensions like Key Usage, Basic Constraints - Ensures relying party respects security constraints - Prevents misuse if software doesn't understand restrictions

Non-Critical Extensions: Can be safely ignored if not understood.

Use Case: Informational extensions like Certificate Policies, Authority Information Access - Provides additional context but doesn't affect security if ignored - Allows gradual deployment of new extensions

Example Scenarios:

Certificate with critical Key Usage restricting to digital signature only:

  • Old software that doesn't understand Key Usage: Rejects certificate (correct behavior)
  • Software that understands Key Usage: Allows only signing operations
  • This prevents accidental key misuse by legacy software

Certificate with non-critical Certificate Transparency SCTs:

  • Old software that doesn't understand CT: Ignores extension, accepts certificate
  • Software that understands CT: Validates SCTs
  • Allows CT adoption without breaking legacy clients

Standard Extensions (RFC 5280)

Key Usage (2.5.29.15) - Critical 

KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     nonRepudiation          (1),
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }

Extended Key Usage (2.5.29.37) 

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

KeyPurposeId ::= OBJECT IDENTIFIER

Common OIDs:

  • 1.3.6.1.5.5.7.3.1 - serverAuth (TLS server)
  • 1.3.6.1.5.5.7.3.2 - clientAuth (TLS client)
  • 1.3.6.1.5.5.7.3.3 - codeSigning
  • 1.3.6.1.5.5.7.3.4 - emailProtection

Subject Alternative Name (2.5.29.17) 

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
     otherName                       [0]     OtherName,
     rfc822Name                      [1]     IA5String,
     dNSName                         [2]     IA5String,
     x400Address                     [3]     ORAddress,
     directoryName                   [4]     Name,
     ediPartyName                    [5]     EDIPartyName,
     uniformResourceIdentifier       [6]     IA5String,
     iPAddress                       [7]     OCTET STRING,
     registeredID                    [8]     OBJECT IDENTIFIER }

Basic Constraints (2.5.29.19) - Critical 

BasicConstraints ::= SEQUENCE {
     cA                      BOOLEAN DEFAULT FALSE,
     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

Authority Information Access (1.3.6.1.5.5.7.1.1) 

AuthorityInfoAccessSyntax  ::=
        SEQUENCE SIZE (1..MAX) OF AccessDescription

AccessDescription  ::=  SEQUENCE {
        accessMethod          OBJECT IDENTIFIER,
        accessLocation        GeneralName  }

Common access methods:

  • 1.3.6.1.5.5.7.48.1 - OCSP
  • 1.3.6.1.5.5.7.48.2 - caIssuers

Certificate Path Validation

RFC 5280 defines the algorithm for validating certificate chains (certification paths). This is one of the most critical and complex aspects of the standard.

Validation Inputs

  • Certificate to validate (end-entity or intermediate)
  • Trust anchors (set of trusted root certificates)
  • Time (validation time, typically current time)
  • Initial policies (acceptable certificate policies)
  • Initial constraints (name constraints, path length)

Validation Steps (Simplified)

  1. Build Certification Path: Construct chain from end-entity to trust anchor
  2. Use AIA extension to find issuer certificates
  3. Validate each certificate was issued by the next certificate in chain

  4. Continue until reaching a trust anchor

  5. Verify Signatures: For each certificate in path

  6. Extract signature algorithm and public key from issuer
  7. Verify signature over TBSCertificate matches

  8. Reject if signature invalid

  9. Check Validity Dates: For each certificate

  10. Ensure current time is after notBefore
  11. Ensure current time is before notAfter

  12. Reject if outside validity period

  13. Check Revocation Status

  14. Query CRL or OCSP for each certificate
  15. Reject if certificate revoked

  16. Handle "unknown" status per policy

  17. Validate Basic Constraints

  18. Ensure CA certificates have CA:TRUE
  19. Ensure end-entity has CA:FALSE

  20. Check path length constraints honored

  21. Process Name Constraints (if present)

  22. Verify subject names permitted by constraints

  23. Verify no excluded names present

  24. Policy Processing

  25. Track certificate policies through chain
  26. Validate acceptable policies present

  27. Process policy mapping if present

  28. Process Extensions

  29. Process all critical extensions
  30. Reject if unknown critical extension present
  31. Apply extension constraints (Key Usage, EKU, etc.)

Outcome: Valid or invalid, with reason for invalidity.

Common Validation Failures

  • Expired certificate: Current time outside validity period
  • Untrusted chain: Cannot build path to trust anchor
  • Signature verification failure: Certificate tampered with or wrong issuer
  • Revoked: Certificate appears in CRL or OCSP response
  • Unknown critical extension: Certificate contains critical extension not understood
  • Name mismatch: Certificate doesn't match requested name (hostname, email, etc.)
  • Key usage violation: Certificate used for purpose not specified in extensions
  • Path length violation: Too many intermediate CAs in chain

Practical Guidance

Working with X.509 Certificates

Parsing Certificates

Using OpenSSL: 

# Display full certificate in text format
openssl x509 -in certificate.pem -text -noout

# Display specific fields
openssl x509 -in certificate.pem -noout -subject
openssl x509 -in certificate.pem -noout -issuer
openssl x509 -in certificate.pem -noout -dates
openssl x509 -in certificate.pem -noout -serial

# Extract public key
openssl x509 -in certificate.pem -noout -pubkey

# Check signature algorithm
openssl x509 -in certificate.pem -noout -text | grep "Signature Algorithm"

# Display extensions
openssl x509 -in certificate.pem -noout -ext subjectAltName
openssl x509 -in certificate.pem -noout -ext keyUsage
openssl x509 -in certificate.pem -noout -ext extendedKeyUsage

Convert Between Formats: 

# PEM to DER
openssl x509 -in certificate.pem -outform DER -out certificate.der

# DER to PEM
openssl x509 -in certificate.der -inform DER -out certificate.pem

# View DER certificate
openssl x509 -in certificate.der -inform DER -text -noout

# Extract certificate from PKCS#12
openssl pkcs12 -in cert.p12 -clcerts -nokeys -out certificate.pem

Validating Certificates

Basic Validation: 

# Verify certificate against CA certificate
openssl verify -CAfile ca-cert.pem certificate.pem

# Verify with intermediate CA
openssl verify -CAfile root.pem -untrusted intermediate.pem certificate.pem

# Verify with CRL checking
openssl verify -CAfile ca-cert.pem -crl_check -CRLfile crl.pem certificate.pem

# Check certificate dates
openssl x509 -in certificate.pem -noout -checkend 86400  # Check if expires in 24h

Validate Certificate Chain: 

# Build and verify full chain
cat server-cert.pem intermediate.pem root.pem > chain.pem
openssl verify -CAfile root.pem chain.pem

# Test against server
openssl s_client -connect example.com:443 -CAfile ca-bundle.pem

Analyzing Certificate Extensions

Check for Required Extensions (TLS server certificate): 

# Must have Subject Alternative Name
openssl x509 -in cert.pem -noout -ext subjectAltName
# Output should contain DNS names

# Must have Key Usage
openssl x509 -in cert.pem -noout -ext keyUsage
# Should include: Digital Signature, Key Encipherment

# Must have Extended Key Usage
openssl x509 -in cert.pem -noout -ext extendedKeyUsage
# Should include: TLS Web Server Authentication

Check CA Certificate: 

# Must have Basic Constraints with CA:TRUE
openssl x509 -in ca-cert.pem -noout -ext basicConstraints
# Output: CA:TRUE, pathlen:X

# Must have Key Usage with keyCertSign
openssl x509 -in ca-cert.pem -noout -ext keyUsage
# Should include: Certificate Sign, CRL Sign

Compliance Checking

CA/Browser Forum Requirements

For publicly-trusted TLS certificates2:

Required Extensions:

  • Subject Alternative Name (critical if Subject DN empty)
  • Certificate Policies (with DV/OV/EV OID)
  • Authority Information Access (with OCSP and caIssuers)
  • Basic Constraints (CA:FALSE for end-entity)
  • Key Usage (critical)
  • Extended Key Usage (with serverAuth)

Prohibited:

  • Version 1 or 2 certificates
  • OU field in Subject DN (deprecated as of April 2024)
  • Validity period exceeding 398 days (825 days prior to March 2018)
  • MD5 or SHA-1 signatures
  • RSA keys less than 2048 bits
  • Certificate serial numbers with less than 64 bits entropy

Validation Requirements:

  • Domain control validation for DV
  • Organization validation for OV
  • Extended validation for EV
  • Certificate Transparency logging (2+ SCTs)

Automated Compliance Testing

# Check validity period
openssl x509 -in cert.pem -noout -startdate -enddate

# Calculate days valid
not_after=$(openssl x509 -in cert.pem -noout -enddate | cut -d= -f2)
not_before=$(openssl x509 -in cert.pem -noout -startdate | cut -d= -f2)
days=$(( ($(date -d "$not_after" +%s) - $(date -d "$not_before" +%s)) / 86400 ))
echo "Valid for $days days"

# Check key size
openssl x509 -in cert.pem -noout -text | grep "Public-Key:"

# Check signature algorithm
openssl x509 -in cert.pem -noout -text | grep "Signature Algorithm:" | head -1

# Check for OU field (should not be present post-April 2024)
openssl x509 -in cert.pem -noout -subject | grep "OU="

Implementation Guidance

Generating Compliant Certificates

Configuration File (openssl.cnf): 

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C  = US
ST = California
L  = San Francisco
O  = Example Corporation
CN = www.example.com

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
basicConstraints = critical, CA:FALSE

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = api.example.com

Generate CSR: 

openssl req -new -sha256 -nodes \
  -config openssl.cnf \
  -keyout private.key \
  -out certificate.csr

CA Certificate Configuration

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
certificatePolicies = 1.3.6.1.4.1.1234.1.1.1

Common Pitfalls

  • Using deprecated certificate versions: Issuing v1 or v2 certificates in modern PKI
  • Why it happens: Legacy tools or configurations copied from old systems
  • How to avoid: Always specify v3 in certificate generation; validate version after issuance

  • How to fix: Reissue certificates as v3 with appropriate extensions

  • Missing critical extensions: End-entity certificates without required extensions (SAN, Key Usage, EKU)

  • Why it happens: Minimal CA configuration; copying from examples without understanding requirements
  • How to avoid: Use comprehensive configuration templates; validate against CA/B Forum requirements

  • How to fix: Reissue certificates with complete extension set; revoke non-compliant certificates

  • Incorrect critical flag settings: Marking informational extensions as critical or security extensions as non-critical

  • Why it happens: Misunderstanding extension criticality semantics
  • How to avoid: Basic Constraints and Key Usage should be critical; AIA and CRL DP typically non-critical

  • How to fix: Reissue with correct criticality; document rationale for deviations

  • DER encoding errors: Non-canonical encoding causing signature validation failures

  • Why it happens: Custom ASN.1 encoding implementations; bugs in certificate generation libraries
  • How to avoid: Use standard libraries (OpenSSL, BouncyCastle); validate encoding with multiple parsers

  • How to fix: Regenerate certificate with compliant encoder; never manually edit DER

  • Path validation implementation errors: Incorrect chain building or validation logic

  • Why it happens: RFC 5280 validation algorithm is complex; edge cases not tested
  • How to avoid: Use established libraries; comprehensive test suite including negative cases
  • How to fix: Update validation logic; test against known-good and known-bad certificate chains

Security Considerations

Extension Manipulation Attacks

Attackers may attempt to exploit improper extension processing:

  • Unknown critical extension bypass: If validator ignores unknown critical extensions, attacker can add restrictions that are not enforced

  • Mitigation: Strictly enforce critical extension processing; reject certificates with unknown critical extensions

  • Basic Constraints manipulation: Marking end-entity certificate as CA, enabling certificate issuance

  • Mitigation: Validate Basic Constraints in entire chain; reject end-entity with CA:TRUE

  • Key Usage violations: Using certificate for unauthorized purposes (e.g., signing when only encryption permitted)

  • Mitigation: Enforce Key Usage and Extended Key Usage at protocol layer; reject inappropriate use

Signature Algorithm Downgrade

X.509 certificates contain signature algorithm twice (in TBSCertificate and outer Certificate structure). These must match.

Attack Scenario: Attacker modifies outer algorithm identifier to weaker algorithm, hoping validator uses it for verification4.

Mitigation: RFC 5280 requires both algorithm identifiers match exactly. Reject if they differ.

Serial Number Predictability

Historically, CAs generated sequential serial numbers. This enabled collision attacks where attacker pre-computed certificate with same serial number5.

Mitigation: RFC 5280 now requires at least 64 bits of entropy in serial numbers. Modern CAs use cryptographically random serial numbers.

Name Constraint Bypass

Name constraints allow CA to restrict which names subordinate CAs can issue for. Improper validation could allow constraint bypass.

Attack: Subordinate CA issues certificate for name outside permitted subtree.

Mitigation: Strictly enforce name constraints during path validation; reject certificates violating constraints.

Real-World Examples

Case Study: X.509v1 Intermediate Certificate Vulnerability (2008)

Some CAs issued X.509 v1 intermediate certificates, which lack the Basic Constraints extension. Without this extension, there's no explicit indication the certificate is a CA certificate, but some software treated v1 certificates as potentially being CAs.

Impact: End-entity could be used to issue other certificates, breaking the trust model.

Resolution: Industry moved to requiring v3 certificates with explicit Basic Constraints. Modern browsers reject v1 intermediates.

Key Takeaway: Extensions aren't optional for modern PKI. Version 3 with explicit constraints is mandatory for security.

Case Study: Critical Extension Handling in Browsers

In 2011, researchers found that some browsers didn't properly process critical extensions, accepting certificates they should have rejected.

Impact: Security constraints marked as critical were not enforced, allowing certificate misuse.

Resolution: Browser vendors fixed extension processing; CA/Browser Forum codified extension requirements.

Key Takeaway: Critical extensions exist for a reason. Validators must reject certificates with unknown critical extensions.

Case Study: Certificate Transparency Integration (2013+)

Certificate Transparency required extending X.509 without breaking existing validators. CT used non-critical extensions for Signed Certificate Timestamps (SCTs).

Implementation: New extension (1.3.6.1.4.1.11129.2.4.2) marked non-critical allows:

  • Old validators: Ignore extension, accept certificate
  • CT-aware validators: Validate SCTs, enforce CT requirements

Key Takeaway: X.509 extension framework enables evolution without breaking backward compatibility. Non-critical extensions allow gradual feature adoption.

Further Reading

Essential Resources

Advanced Topics

References

Change History

Date Version Changes Reason
2025-11-09 1.0 Initial creation Foundational standard documentation

Quality Checks:

  • [x] All claims cited from authoritative sources
  • [x] Cross-references validated
  • [x] Practical guidance included
  • [x] Examples are current and relevant
  • [x] Security considerations addressed

  1. Cooper, D., et al. "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile." RFC 5280, May 2008. Rfc-editor - Rfc5280 

  2. CA/Browser Forum. "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates," Version 2.0.0, November 2023. Cabforum - Baseline Requirements Documents 

  3. ITU-T Recommendation X.509. "Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks." October 2019. Itu - T Rec X.509 

  4. Stevens, M., et al. "Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate." CRYPTO 2009. Demonstrated algorithm substitution attacks. Tue - Rogue Ca 

  5. Sotirov, A., et al. "MD5 considered harmful today: Creating a rogue CA certificate." 25th Chaos Communication Congress, 2008. Exploited predictable serial numbers in collision attack.