LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a digital certificate (X.509), what does it contain, and how is it issued?

A digital certificate is a CA-signed document binding a public key to an identity (person, organisation, server). The standard format is X.509. Issuance happens at a Registration Authority (RA) which verifies identity, then a Certificate Authority (CA) signs the certificate.

Issuance flow (slide):

  1. Applicant proves identity to RA (passport, company documents, domain ownership).
  2. RA bundles (name, public key, validity period, attributes, …) into a certificate body.
  3. CA signs the body with the CA's private key → certificate.
  4. CA publishes the certificate (typically a directory service).

X.509 certificate fields:

Field Purpose
Version X.509v1 / v2 / v3
Serial Number Unique per CA — used for revocation lookups
Signature Algorithm e.g. sha256WithRSAEncryption
Issuer Name The CA that signed this
Validity Not Before / Not After dates
Subject Name Who this cert is about (CN, O, OU, C, …)
Subject Public Key Info The actual public key + algorithm
Issuer Unique ID (optional) Disambiguator if CA names collide
Subject Unique ID (optional) Same for subject
Extensions (optional, v3) Subject Alternative Names, EKU, CRL distribution points, Authority Information Access, …
Certificate Signature Algorithm (Repeated)
Certificate Signature CA's signature over the body

The "certificate fingerprint" you sometimes paste into trust dialogs is a SHA-256 hash of the whole DER-encoded cert. It's used as a short identifier — not part of the cert itself, but computed by the verifier.

Tip: openssl x509 -in cert.pem -text -noout dumps all of this in human-readable form. Worth running once on a real certificate just to see what's actually in there.

From Quiz: ISF / Asymmetric Cryptography | Updated: Jul 14, 2026