• 2025-04-29

Minimum data fields – Digital Certificates and Certification Authorities

10.2.1 Minimum data fields

According to X.509v1, a digital certificate has to contain at least the following eight data fields:

  • Version number: This is the version number of the X.509 standard in use. Current certificates should always have the version number 3.
  • Serial number: The serial number of the certificate. It must be unique within all certificates issued by the CA.
  • OID of signature algorithm: OID stands for Object Identifier, a globally unique identifier of an object standardized by the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO). Here, the OID of the algorithm used for signing the certificate is provided.
  • Issuer name: The DN of the issuing CA.
  • Subject name: The DN of the certificate owner.
  • Subject public key info: This includes the OID of the public key algorithm and the public key of the owner itself.
  • Validity period: The validity period of the certificate is specified by a Not Before / Not After pair of dates.
  • Signature value: The signature value of the CA’s signature over the certificate.

Figure 10.1 shows some of these minimum data fields for the certificate of the web server www.amazon.com within Google Chrome’s certificate viewer.

Figure 10.1: X.509v3 certificate of www.amazon.com as shown by Google Chrome’s certificate viewer

It soon turned out that the minimum data fields defined in X.509v1 were not enough in practice. For example, there is no way to specify the purpose of the public key contained in the certificate or to link the certificate to a certificate policy, a document that allows a relying party to assess the level of trust to put in the certificate.

10.2.2 X.509v3 extension fields

In X.509v3, a syntax for defining arbitrary certificate extensions was specified. Moreover, there is a list of extensions that are now a fixed part of the standard. Note that most of these extensions are optional parts of an X.509 certificate. However, each extension is marked as Critical or Not Critical. If the relying party detects a critical extension it does not support, the certificate must be classified as Not Valid. Here is a list of some of the most often used extensions:
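The eight minimum fields listed in 10.2.1 and the critical-extension rule just stated can be followed byte by byte. The block below is an added example (not code from the book or from any library): a minimal DER encoder in Python assembles an X.509v3 certificate whose issuer, subject, serial number, validity dates, key bits and signature bits are all constructed placeholders (no real key pair is involved), and a parser walks the raw bytes to recover each field, decode the OIDs, and reject the certificate when a critical extension is absent from the relying party's `supported` set.

```python
# Added example (not the book's code): a tiny DER encoder builds an X.509v3 certificate from
# constructed values (dummy key/signature bytes); the parser recovers the eight minimum fields.
def tlv(tag, body):                        # DER tag-length-value, definite length form
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body
def split(body):                           # children (tag, content) of a SEQUENCE or SET body
    items, i = [], 0
    while i < len(body):
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:                       # long form: low 7 bits = number of length octets
            n, i = int.from_bytes(body[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        items, i = items + [(tag, body[i:i + n])], i + n
    return items
def decode_oid(b):                         # base-128 arcs; the first octet packs 40 * a + b
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts, v = parts + [v], 0
    return ".".join(map(str, parts))
OID = lambda h: tlv(0x06, bytes.fromhex(h))           # OID bodies are given as DER hex
ALG = lambda h: tlv(0x30, OID(h) + tlv(0x05, b""))    # AlgorithmIdentifier with NULL params
NAME = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, OID("550403") + tlv(0x0C, cn.encode()))))
SHA256_RSA, RSA_KEY = "2a864886f70d01010b", "2a864886f70d010101"  # 1.2.840.113549.1.1.{11,1}
def build_sample():                        # all values constructed; no real key pair involved
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))                                   # [0] version: v3 = 2
        + tlv(0x02, b"\x0c\x6f\x2a")                                        # serial number
        + ALG(SHA256_RSA)                                                   # signature algorithm OID
        + NAME("Example Root CA")                                           # issuer DN
        + tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))  # validity
        + NAME("www.example.com")                                           # subject DN
        + tlv(0x30, ALG(RSA_KEY) + tlv(0x03, b"\x00" + b"\xab" * 8))        # SPKI, dummy key bits
        + tlv(0xA3, tlv(0x30, tlv(0x30, OID("551d13") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, b""))))))
    return tlv(0x30, tlv(0x30, tbs) + ALG(SHA256_RSA) + tlv(0x03, b"\x00" + b"\xcd" * 8))

def parse_certificate(der, supported=frozenset()):
    (_, tbs), _, (_, sig) = split(split(der)[0][1])      # Certificate ::= SEQ {tbs, alg, sig}
    f = split(tbs)
    cn = lambda n: split(split(split(n)[0][1])[0][1])[1][1].decode()
    unsupported = [decode_oid(k[0][1]) for k in (split(e) for _, e in split(split(f[7][1])[0][1]))
                   if k[1][0] == 0x01 and k[1][1] == b"\xff" and decode_oid(k[0][1]) not in supported]
    return {"version": int.from_bytes(split(f[0][1])[0][1], "big") + 1,
            "serial": int.from_bytes(f[1][1], "big"),
            "signature_oid": decode_oid(split(f[2][1])[0][1]),
            "issuer": cn(f[3][1]), "subject": cn(f[5][1]),
            "not_before": split(f[4][1])[0][1].decode(), "not_after": split(f[4][1])[1][1].decode(),
            "key_oid": decode_oid(split(split(f[6][1])[0][1])[0][1]),
            "signature": sig[1:],                         # BIT STRING: first octet = unused bits
            "valid": not unsupported}                     # critical + unsupported => Not Valid
```

With the default empty `supported` set the sample is classified Not Valid because its basicConstraints extension is marked critical; passing `supported={"2.5.29.19"}` makes the same bytes valid, which is exactly the decision a relying party has to make per extension.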
