z/OS Security Server RACF Security Administrator's Guide


X.509 certificates

SA23-2289-00

Public keys can be freely disseminated. In fact, the success of the various public key protocols depends on a systematic and trustworthy way of distributing public keys, and on securely storing the corresponding private keys. The X.509 digital certificate is the packaging that enables the distribution of a single public key. X.509 is the part of the International Telecommunication Union (ITU) X.500 directory standard that defines certificates. Because a certificate is itself public, its value rests entirely on the issuer's signature and on the relying party's trust in the issuer's key, not on any secrecy of the certificate.

The X.509 digital certificate is a data structure that contains, at minimum, the following fields (together with a version number and an identifier of the algorithm used for the signature):
  • The distinguished name of the owner of the public key, also called the subject's name
  • The distinguished name of the issuer of the certificate, also called the issuer's name
  • The public key itself
  • The time period during which the certificate is valid, also called the validity period
  • The certificate's serial number as designated by the issuer, unique among the certificates that issuer signs
  • The issuer's digital signature, computed over all of the preceding fields so that none of them can be altered without invalidating it

In addition to these required fields, an X.509 certificate might contain one or more extensions that hold information about how the key is to be used (a KeyUsage extension), whether the subject's key may itself sign other certificates (a BasicConstraints extension), or how the certificate authority conducts its business (a CertificatePolicies extension). An extension can be marked critical; a relying party that does not recognize a critical extension must reject the certificate rather than ignore the extension.

In its simplest form, a digital certificate is a binding between a named entity (a person or device) and a public key. It is a declaration that, for example, party A owns public key 123. Digital certificates can be issued by certificate authorities or they can be self-issued. Certificate authorities (CAs) are often well-known commercial organizations, or they can be local or internal organizations. When a certificate authority uses its private key to sign and issue a certificate, it makes the declaration that binds the entity (subject) to its public key; a relying party accepts that declaration only to the extent that it trusts the CA's own public key. When an organization issues its own certificate with itself as subject and issuer, signing with its own private key, the certificate is called a self-signed certificate. Verifying the signature on a self-signed certificate proves only that the certificate is consistent with its own key; it establishes trust only if the relying party already trusts that key by some other means, for example by having installed the certificate as a trust anchor.
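As an added worked example (not from this IBM publication and not RACF code), the following Go program uses the standard library's crypto/x509 package to issue certificates carrying exactly the fields listed above, read them back, and run the checks a relying party performs. The names (Example Root CA, Example Corp, server.example.test, signed-by-leaf) and all key material are made up and generated at run time; the program needs Go 1.18 or later for the generic helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fields: the mandatory content from the text (the public key is what the parser verified against) plus two extensions.
type Fields struct {
	Subject, Issuer     string
	Serial              *big.Int
	NotBefore, NotAfter time.Time
	KeyUsage            x509.KeyUsage
	IsCA, SelfSigned    bool // BasicConstraints CA bit; subject == issuer AND signature verifies under the cert's own key
}

// Inspect parses a DER certificate and reports the fields above.
func Inspect(der []byte) (Fields, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return Fields{}, err
	}
	// CheckSignature tests the raw signature under this cert's own key, ignoring CA constraints.
	own := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
	return Fields{Subject: c.Subject.String(), Issuer: c.Issuer.String(), Serial: c.SerialNumber,
		NotBefore: c.NotBefore, NotAfter: c.NotAfter, KeyUsage: c.KeyUsage, IsCA: c.IsCA,
		SelfSigned: c.Subject.String() == c.Issuer.String() && own == nil}, nil
}

// VerifyChain is the relying party's path validation: does leafDER chain through intermediates to rootDER, all valid at time at?
func VerifyChain(leafDER, rootDER []byte, at time.Time, intermediates ...[]byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(must(x509.ParseCertificate(rootDER))) // trust anchor comes from local configuration, never from the peer
	for _, der := range intermediates {
		inter.AddCert(must(x509.ParseCertificate(der)))
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Demo holds DER certificates generated at run time under made-up names (assumed, not a real PKI).
type Demo struct {
	Now                               time.Time
	Root, Leaf, RogueRoot, Grandchild []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template fills the subject-side mandatory fields; issuer name and signature come from whichever parent signs it.
func template(cn string, serial int64, isCA bool, now time.Time) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign // only a CA's key is marked as able to sign certificates
	}
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour), KeyUsage: ku, BasicConstraintsValid: true, IsCA: isCA}
}

// issue signs t with issuerKey; parentDER == nil means parent == template, i.e. a self-signed certificate.
func issue(t *x509.Certificate, parentDER []byte, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) []byte {
	parent := t
	if parentDER != nil {
		parent = must(x509.ParseCertificate(parentDER))
	}
	return must(x509.CreateCertificate(rand.Reader, t, parent, pub, issuerKey))
}

// BuildDemo creates a self-signed root, a leaf it issued, an unrelated root reusing the real root's name, and a cert signed by the non-CA leaf.
func BuildDemo() *Demo {
	now := time.Now().UTC().Truncate(time.Second)
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, leafKey, rogueKey, gcKey := newKey(), newKey(), newKey(), newKey()
	d := &Demo{Now: now}
	d.Root = issue(template("Example Root CA", 1, true, now), nil, &rootKey.PublicKey, rootKey)
	d.Leaf = issue(template("server.example.test", 2, false, now), d.Root, &leafKey.PublicKey, rootKey)
	d.RogueRoot = issue(template("Example Root CA", 1, true, now), nil, &rogueKey.PublicKey, rogueKey)
	d.Grandchild = issue(template("signed-by-leaf", 3, false, now), d.Leaf, &gcKey.PublicKey, leafKey)
	return d
}

func main() {
	d := BuildDemo()
	fmt.Printf("root: %+v\n", must(Inspect(d.Root)))
	fmt.Println(VerifyChain(d.Leaf, d.Root, d.Now), "|", VerifyChain(d.Leaf, d.RogueRoot, d.Now), "|", VerifyChain(d.Grandchild, d.Root, d.Now, d.Leaf))
}
```

VerifyChain accepts the leaf only under the real root and only within its validity period. The rogue root carries the same distinguished name as the real one but a different key, so the leaf's issuer signature does not verify under it and the chain is rejected: the issuer name is a lookup key, not proof. The certificate signed by the leaf is rejected even though its signature is mathematically valid, because the leaf's BasicConstraints extension says it is not a CA and its KeyUsage lacks certificate signing; that is the extension machinery described above doing its job.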





Copyright IBM Corporation 1990, 2014