liminfo

X.509 Certificate Reference

Free reference guide: X.509 Certificate Reference


About X.509 Certificate Reference

The X.509 Certificate Reference is a searchable guide covering the structure and fields of X.509 digital certificates used in TLS/SSL, code signing, and PKI systems. The Subject section explains Common Name (CN), Organization (O), Organizational Unit (OU), Country (C), Issuer CA identification, unique serial numbers, and the DV/OV/EV validation level hierarchy.

Certificate validity and identity fields are covered, including the Not Before/Not After date range, Subject Alternative Name (SAN) entries for multi-domain and wildcard certificates, and IP address SAN entries. The Key Usage section details the Digital Signature, Key Encipherment, Certificate Sign, and CRL Sign flags, plus the Extended Key Usage OIDs for TLS server/client authentication and code signing.

The reference also covers certificate extensions (Basic Constraints for CA flag and path length, Authority and Subject Key Identifiers for chain linking), revocation mechanisms (CRL Distribution Points and OCSP real-time status checking with OpenSSL commands), and Certificate Transparency logging with SCT timestamps and crt.sh lookup.

Key Features

  • Subject field reference covering CN, O, OU, C, Issuer, and serial number identification
  • Subject Alternative Name (SAN) entries for multi-domain, wildcard, and IP address certificates
  • Key Usage and Extended Key Usage flags with OID values for TLS and code signing
  • Basic Constraints extension explaining CA flag, leaf certificates, and path length constraints
  • Authority and Subject Key Identifier fields for certificate chain linking
  • CRL Distribution Points and OCSP real-time certificate status verification
  • Certificate Transparency logging with SCT timestamps and crt.sh public log queries
  • DV, OV, and EV validation level comparison with cost and verification scope differences

Frequently Asked Questions

What is the Subject field in an X.509 certificate?

The Subject field identifies the certificate holder using Distinguished Name attributes: Common Name (CN) for the domain or entity name, Organization (O) for the legal entity, Organizational Unit (OU) for the department, Country (C), State (ST), and Locality (L). For example: CN=www.example.com, O=Example Inc., C=US.

What is a Subject Alternative Name (SAN) and why is it important?

SAN allows a single certificate to cover multiple domain names, wildcards, and IP addresses. For example: DNS:www.example.com, DNS:example.com, DNS:*.example.com, IP:192.168.1.1. Modern browsers require SAN entries rather than relying solely on the CN field for domain validation.
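The matching rules behind that last sentence are where most SAN mistakes happen, so here is an added example (not the reference's own code) that matches a requested host against a SAN list using only the Python standard library. The SAN list is constructed from the entries quoted above; the wildcard rules are the ones RFC 6125 describes and browsers apply: a `*` may only stand for the entire left-most label, it matches exactly one label, and an IP literal must match an IP SAN, never a DNS SAN.

```python
"""Match a host name against the SAN entries of a certificate.

Added example, not the reference's own code. SAMPLE_SAN is a constructed
list mirroring the entries quoted on the page.
"""
import ipaddress

# Constructed SAN extension as a list of (type, value) pairs.
SAMPLE_SAN = [
    ("DNS", "www.example.com"),
    ("DNS", "example.com"),
    ("DNS", "*.example.com"),
    ("IP", "192.168.1.1"),
]


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; '*' is allowed only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards such as "w*.example.com", wildcards in any
    # non-leading label, and wildcards directly under a TLD ("*.com"),
    # which would otherwise cover every name in that TLD.
    if (p_labels[0] != "*"
            or any("*" in label for label in p_labels[1:])
            or len(p_labels) < 3):
        return False
    # The wildcard matches exactly one label: "*.example.com" matches
    # "www.example.com" but neither "a.b.example.com" nor "example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def san_matches(san_entries, host: str) -> bool:
    """True if host (a DNS name or an IP literal) is covered by san_entries."""
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None
    for kind, value in san_entries:
        if kind == "IP":
            # An IP literal must match an IP SAN; a DNS SAN that merely
            # looks like an address does not count.
            if wanted_ip is not None and ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS" and wanted_ip is None:
            if _dns_label_match(value, host):
                return True
    return False


if __name__ == "__main__":
    for candidate in ("www.example.com", "api.example.com", "a.b.example.com",
                      "192.168.1.1", "192.168.1.2"):
        print(candidate, san_matches(SAMPLE_SAN, candidate))
```

Note that the CN is never consulted: if a certificate carries a SAN extension, the names in it are the only ones that count for host validation, which is exactly why a certificate with the right CN but a stale SAN list still fails in a modern browser.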

What is the difference between DV, OV, and EV certificates?

DV (Domain Validation) only verifies domain ownership and is typically free or low cost. OV (Organization Validation) additionally verifies the organization's legal identity. EV (Extended Validation) provides the highest assurance with thorough vetting of the legal entity, historically shown with a green address bar.

How does OCSP work for real-time certificate status checking?

OCSP (Online Certificate Status Protocol) allows clients to query an OCSP responder URL to check whether a certificate has been revoked in real time, rather than downloading full CRL files. You can test with OpenSSL: openssl ocsp -issuer ca.pem -cert server.pem -url [responder URL].

What do Key Usage and Extended Key Usage fields control?

Key Usage specifies permitted cryptographic operations: Digital Signature, Key Encipherment, Certificate Sign, and CRL Sign. Extended Key Usage adds application-specific purposes identified by OIDs, such as TLS Web Server Authentication (1.3.6.1.5.5.7.3.1), TLS Web Client Authentication (1.3.6.1.5.5.7.3.2), and Code Signing (1.3.6.1.5.5.7.3.3).
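To make the encoding of those two extensions concrete, the following added example (not the reference's own code, Python standard library only) decodes the DER payload of a Key Usage BIT STRING and of an Extended Key Usage SEQUENCE OF OID. The byte strings at the bottom are constructed test vectors: the Key Usage a CA typically carries (Certificate Sign plus CRL Sign) and a leaf Key Usage (Digital Signature plus Key Encipherment), and an EKU listing the server-auth and client-auth OIDs quoted above.

```python
"""Decode DER-encoded KeyUsage and ExtKeyUsage extension values.

Added example, not the reference's own code. The DER vectors below are
constructed for illustration.
"""

# Named bits of the KeyUsage BIT STRING in RFC 5280 order; bit 0 is the
# most significant bit of the first content byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# EKU OIDs named on the page, mapped to their purpose.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
}


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).

    Accepts short- and long-form lengths and rejects non-minimal length
    encodings, which are legal BER but not DER."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length is not DER")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def decode_key_usage(der: bytes):
    """Return the set of named bits that are set in a KeyUsage BIT STRING."""
    tag, body, end = read_tlv(der)
    if tag != 0x03 or end != len(der) or not body:
        raise ValueError("not a BIT STRING")
    unused, bits = body[0], body[1:]
    if unused > 7 or (not bits and unused):
        raise ValueError("bad unused-bits count")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= len(bits) * 8 - unused:
            break  # remaining bits fall inside the padding
        byte, shift = divmod(i, 8)
        if bits[byte] & (0x80 >> shift):
            names.add(name)
    return names


def decode_oid(body: bytes) -> str:
    """Decode OID content bytes to dotted form (first byte packs arcs 1 and 2)."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_eku(der: bytes):
    """Return purpose names (or raw dotted OIDs) from an ExtKeyUsage SEQUENCE."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a SEQUENCE")
    purposes, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU members must be OIDs")
        oid = decode_oid(oid_body)
        purposes.append(EKU_NAMES.get(oid, oid))
    return purposes


# Constructed vectors: CA key usage (keyCertSign, cRLSign), leaf key usage
# (digitalSignature, keyEncipherment), and a leaf EKU (serverAuth, clientAuth).
CA_KEY_USAGE_DER = bytes.fromhex("03020106")
LEAF_KEY_USAGE_DER = bytes.fromhex("030205a0")
LEAF_EKU_DER = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")

if __name__ == "__main__":
    print(decode_key_usage(CA_KEY_USAGE_DER))
    print(decode_key_usage(LEAF_KEY_USAGE_DER))
    print(decode_eku(LEAF_EKU_DER))
```

The "unused bits" byte is the part worth remembering: `03 02 01 06` says one trailing bit is padding, so the seven meaningful bits are `0000011`, i.e. Certificate Sign and CRL Sign. A decoder that ignores that byte, or accepts BER's non-minimal lengths, is the classic source of certificate-parsing ambiguity between two implementations.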

What is the Basic Constraints extension and path length?

Basic Constraints indicates whether the certificate is a CA (CA:TRUE) or an end-entity leaf certificate (CA:FALSE). The pathlen value limits how many intermediate CAs can exist below this CA in the chain. pathlen:0 means the CA can only issue leaf certificates, not other CA certificates.

What is Certificate Transparency and why does it matter?

Certificate Transparency (CT) requires CAs to log all issued certificates in publicly auditable logs. Each certificate receives a Signed Certificate Timestamp (SCT) proving it was logged. This helps detect misissued certificates and rogue CAs. You can search public logs at crt.sh to find all certificates issued for a domain.

How are Authority Key Identifier and Subject Key Identifier used?

Subject Key Identifier (SKI) is a hash of the certificate's own public key, providing a unique identifier. Authority Key Identifier (AKI) references the SKI of the issuing CA's certificate, enabling chain construction. Together they allow systems to link a leaf certificate through intermediates up to the root CA.
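The two answers above (Basic Constraints with pathlen, and AKI/SKI chain linking) combine into one check, so here is an added example (not the reference's own code) that builds a chain by following each certificate's AKI to the certificate whose SKI matches, then enforces the CA flag and pathlen along that chain. Certificates are modelled as plain dicts with only the fields the check needs; the "public keys" are constructed byte strings, and the SKI is computed as RFC 5280's method 1 describes (SHA-1 over the subjectPublicKey bits). No signatures are verified here; a real validator performs that in addition to these structural checks.

```python
"""Link certificates via AKI -> SKI and enforce Basic Constraints.

Added example, not the reference's own code. The PKI below is entirely
constructed; key material is a placeholder byte string per certificate.
"""
import hashlib


def make_cert(name, pubkey: bytes, issuer=None, ca=False, pathlen=None):
    """Build a minimal certificate record. A self-signed root has AKI == SKI."""
    ski = hashlib.sha1(pubkey).hexdigest()      # RFC 5280 method 1 style SKI
    return {
        "name": name,
        "ski": ski,
        "aki": issuer["ski"] if issuer else ski,
        "ca": ca,            # Basic Constraints CA flag
        "pathlen": pathlen,  # None means no path length limit
    }


def build_chain(leaf, pool):
    """Return [leaf, ..., root] by following each AKI to the pool cert with
    that SKI. Raises if an issuer is missing or an AKI/SKI loop is found."""
    by_ski = {c["ski"]: c for c in pool}
    chain, seen, current = [leaf], {leaf["ski"]}, leaf
    while current["aki"] != current["ski"]:      # stop at the self-signed root
        issuer = by_ski.get(current["aki"])
        if issuer is None:
            raise ValueError(f"issuer of {current['name']} not in pool")
        if issuer["ski"] in seen:
            raise ValueError("AKI/SKI loop detected")
        chain.append(issuer)
        seen.add(issuer["ski"])
        current = issuer
    return chain


def check_basic_constraints(chain):
    """Return (ok, reason) for a leaf-first chain.

    Every issuer must be CA:TRUE, and for the issuer at position i the
    number of intermediate CAs below it (i - 1; the leaf does not count)
    must not exceed its pathlen, so pathlen:0 permits issuing only leaves."""
    for i, cert in enumerate(chain[1:], start=1):
        if not cert["ca"]:
            return False, f"{cert['name']} issued a certificate but is CA:FALSE"
        below = i - 1
        if cert["pathlen"] is not None and below > cert["pathlen"]:
            return False, (f"{cert['name']} has pathlen:{cert['pathlen']} "
                           f"but {below} intermediate(s) sit below it")
    return True, "ok"


# Constructed PKI: Root -> Intermediate (pathlen:0) -> leaf is valid; a sub-CA
# issued under the pathlen:0 intermediate, and anything it signs, is not.
ROOT = make_cert("Root CA", b"constructed-root-key", ca=True)
INTER = make_cert("Intermediate CA", b"constructed-inter-key", ROOT, ca=True, pathlen=0)
LEAF = make_cert("www.example.com", b"constructed-leaf-key", INTER)
SUB = make_cert("Sub CA under pathlen:0", b"constructed-sub-key", INTER, ca=True)
SUB_LEAF = make_cert("host.example.com", b"constructed-sub-leaf-key", SUB)
LEAF_ISSUED = make_cert("cert signed by a leaf", b"constructed-odd-key", LEAF)
POOL = [ROOT, INTER, SUB, LEAF]


def validate(leaf, pool=POOL):
    """Chain-build, then apply the Basic Constraints checks."""
    chain = build_chain(leaf, pool)
    ok, reason = check_basic_constraints(chain)
    return ok, reason, [c["name"] for c in chain]


if __name__ == "__main__":
    for cert in (LEAF, SUB_LEAF, LEAF_ISSUED):
        print(validate(cert))
```

The pathlen arithmetic is the part that is easy to get backwards: the constraint on a CA counts the CA certificates that may follow it in the path, not the total depth of the chain, so the intermediate with pathlen:0 is allowed to appear directly under the root no matter how the root is constrained, but nothing with CA:TRUE may appear below it.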