What is a digital certificate (X.509), what does it contain, and how is it issued?
A digital certificate is a CA-signed document binding a public key to an identity (person, organisation, server). The standard format is X.509. Issuance happens at a Registration Authority (RA) which verifies identity, then a Certificate Authority (CA) signs the certificate.
Issuance flow (slide):
- Applicant proves identity to RA (passport, company documents, domain ownership).
- RA bundles
(name, public key, validity period, attributes, …)into a certificate body. - CA signs the body with the CA's private key → certificate.
- CA publishes the certificate (typically a directory service).
X.509 certificate fields:
| Field | Purpose |
|---|---|
| Version | X.509v1 / v2 / v3 |
| Serial Number | Unique per CA — used for revocation lookups |
| Signature Algorithm | e.g. sha256WithRSAEncryption |
| Issuer Name | The CA that signed this |
| Validity | Not Before / Not After dates |
| Subject Name | Who this cert is about (CN, O, OU, C, …) |
| Subject Public Key Info | The actual public key + algorithm |
| Issuer Unique ID (optional) | Disambiguator if CA names collide |
| Subject Unique ID (optional) | Same for subject |
| Extensions (optional, v3) | Subject Alternative Names, EKU, CRL distribution points, Authority Information Access, … |
| Certificate Signature Algorithm | (Repeated) |
| Certificate Signature | CA's signature over the body |
The "certificate fingerprint" you sometimes paste into trust dialogs is a SHA-256 hash of the whole DER-encoded cert. It's used as a short identifier — not part of the cert itself, but computed by the verifier.
Tip: openssl x509 -in cert.pem -text -noout dumps all of this in human-readable form. Worth running once on a real certificate just to see what's actually in there.