An X.509 certificate contains all the information required to identify the server or client, plus the public key of the certificate owner; the matching private key is never part of the certificate. Certificates are stored in files of their own. When a connection is negotiated, TLS uses the certificate files to authenticate the server and, in some applications, also the client.
Certificate Authority
Certificates are issued by a central authority, the Certificate Authority (CA), which signs them with its private key once the identity of the organization named in the certificate, and of an authorized representative, has been checked. The signature is part of the certificate and is presented at connection setup so that the client can verify it with the CA's public key and decide whether the certificate is trustworthy. The server can also request a certificate from the client, but in practice this rarely happens.
Certificates signed by a CA can later be declared invalid by listing them in a Certificate Revocation List (CRL).
X.509 certificates
X.509 certificates are used in conjunction with TLS. They rely on a hierarchical trust structure at whose top sit the Certificate Authorities, which are responsible for verifying the identity of the certificate owners. Depending on the trust level, a CA may accept control of a valid e-mail address or a valid host name as proof of identity, or request more detailed information (see the section “Applying for and creating X.509 certificates”). DigiCert is an example of a widely used public CA.
You can view the content of a certificate using a browser or have it output using the SHOW.CERT procedure (see "SHOW.CERT procedure"). (The SHOW.CERT procedure calls the OpenSSL command program.)
The figure below shows a sample X.509 certificate.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, OU=Certificate Authority, CN=Snake Oil CA/emailAddress=ca@snakeoil.dom
        Validity
            Not Before: Dec 14 16:22:17 2015 GMT
            Not After : Dec 14 16:22:17 2035 GMT
        Subject: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, OU=Certificate Authority, CN=Snake Oil CA/emailAddress=ca@snakeoil.dom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9e:f9:2f:58:46:09:09:d0:14:8d:79:8d:03:22:
                    ed:ae:4f:a6:94:6c:97:a8:af:49:7d:1c:26:e3:27:
                    27:9d:aa:d4:04:90:40:99:b7:24:c0:27:63:33:a9:
                    de:58:a0:41:99:8e:56:e9:79:9a:ea:f3:c9:98:5c:
                    76:4b:8b:78:f6:49:4c:e6:8d:25:25:cd:e5:04:84:
                    2b:fd:fb:d1:51:e1:f9:e9:1a:da:5d:74:93:3e:24:
                    13:e2:33:9d:52:10:05:bd:f0:b6:38:81:1f:6b:3a:
                    a5:d9:ae:80:b2:30:0a:bd:70:1c:ff:4c:25:0c:3a:
                    b9:43:82:2e:d0:28:7b:6f:4d:4a:8e:ac:48:c2:c5:
                    e6:a2:70:a5:04:04:94:6b:44:f7:bc:27:20:99:77:
                    94:2f:c1:98:4d:51:e2:16:fb:8f:c9:15:e2:4b:31:
                    9d:d0:ee:16:89:bb:8e:2d:ea:90:f6:56:c7:ae:fd:
                    07:13:a1:2a:3c:4e:a1:a8:f4:f7:91:f6:3e:6a:fe:
                    ae:22:65:a7:be:9f:3b:57:1c:3b:90:77:85:6b:6f:
                    25:94:58:22:12:89:b6:bd:e6:ce:89:92:41:bf:7f:
                    02:89:53:1c:87:81:44:33:f7:ae:85:9d:3c:df:fb:
                    99:43:81:e3:dc:76:84:f4:b1:0a:d2:6f:98:91:4c:
                    b4:e1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:ca@snakeoil.dom
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         8a:e4:e9:27:ce:20:c7:76:9e:c1:76:c2:b0:83:74:4f:72:fd:
         a8:ea:f7:f7:94:01:f3:86:ee:e4:99:ba:46:03:c2:62:bf:73:
         7c:a3:7d:66:f7:d2:29:12:e3:f9:c4:88:04:47:bd:0b:e2:73:
         0d:cd:ed:fb:48:61:37:4f:7b:85:16:45:ec:f5:49:cf:d1:17:
         00:71:38:87:0e:10:24:b3:4f:ff:50:22:d9:67:25:17:5d:26:
         3f:0a:c4:d1:9a:fe:e3:d7:4b:09:c0:93:de:31:32:09:14:57:
         8d:9c:59:41:ab:05:08:6c:09:5b:c8:0f:5a:92:20:31:66:9c:
         5f:b0:ab:ba:29:19:04:04:94:b8:55:b5:a0:f3:2f:09:b2:5d:
         5e:47:da:da:c8:2d:38:57:48:27:a9:34:a9:dc:94:ed:c8:30:
         74:e1:ad:86:6c:60:d0:a7:fa:ed:ba:e7:67:bd:ae:e7:5e:f5:
         c2:50:d2:f1:93:00:53:51:ad:84:9e:7e:9d:c2:5a:b1:0a:2d:
         13:a9:92:97:8c:69:3a:48:9b:76:1e:df:29:16:6a:b9:75:77:
         91:57:4e:53:da:92:73:65:0c:95:65:01:eb:c6:1a:64:06:e0:
         40:c5:63:6d:03:85:36:e3:d7:17:a2:c7:4b:cb:7b:23:72:a8:
         4b:2a:bc:96
Sample X.509 certificate
Certificate Revocation List (CRL)
Systems which process certificates must be able to recognize when a certificate has been revoked before the end of its validity period. With X.509 certificates this status check is implemented with the aid of Certificate Revocation Lists (CRLs). A CRL is a list, signed by a particular Certificate Authority (CA), of the serial numbers of certificates it issued which are no longer valid even though they have not yet expired. Publishing a CRL therefore enables a CA to declare certificates it has issued invalid; a relying party must obtain a current CRL from that issuer and look up the certificate's serial number in it.
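The following Python script is an added example, not part of this documentation or of the SHOW.CERT procedure. It walks the DER encoding of a certificate and of a CRL with only the standard library, pulling out the fields the dump above shows (version, serial number, issuer, subject, validity period, Basic Constraints CA flag), and then applies the two checks described in this section: is the certificate inside its validity period, and does the issuing CA's CRL list its serial number. Because the page contains only the printed form of the Snake Oil certificate, the script constructs its own sample certificate and CRL with the same layout; their public key and signatures are placeholders (dummy bytes, not real signatures), so signature verification is deliberately out of scope and the sample data is for illustration only.

```python
from datetime import datetime, timezone

# ---- tiny DER encoder, used only to construct the sample certificate and CRL below ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):                                   # extra 0x00 byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def utctime(s):                                   # "YYMMDDHHMMSSZ"
    return tlv(0x17, s.encode())

def name(cn):                                     # Name with a single commonName (OID 2.5.4.3)
    return seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0c, cn.encode()))))

SHA256_RSA = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))
RSA_ENC = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b""))
DUMMY_SIG = tlv(0x03, b"\x00" + bytes(256))       # placeholder: the samples are NOT really signed

def build_certificate(serial, issuer_cn, subject_cn, ca):
    """v3 certificate mirroring the page's dump (sha256WithRSAEncryption, Basic Constraints)."""
    basic_constraints = seq(tlv(0x01, b"\xff")) if ca else seq()   # cA DEFAULT FALSE is omitted in DER
    ext = seq(tlv(0x06, b"\x55\x1d\x13"), tlv(0x01, b"\xff"), tlv(0x04, basic_constraints))
    tbs = seq(tlv(0xa0, integer(2)),                              # [0] version: v3 is encoded as 2
              integer(serial), SHA256_RSA, name(issuer_cn),
              seq(utctime("151214162217Z"), utctime("351214162217Z")),  # validity as in the dump
              name(subject_cn),
              seq(RSA_ENC, tlv(0x03, b"\x00" + bytes(8))),        # SPKI with a placeholder key
              tlv(0xa3, seq(ext)))                                # [3] extensions
    return seq(tbs, SHA256_RSA, DUMMY_SIG)

def build_crl(issuer_cn, revoked_serials):
    """v2 CRL listing the given serials as revoked on 2020-01-01."""
    entries = [seq(integer(s), utctime("200101000000Z")) for s in revoked_serials]
    tbs = seq(integer(1), SHA256_RSA, name(issuer_cn), utctime("200101000000Z"),
              utctime("200131000000Z"), seq(*entries) if entries else b"")
    return seq(tbs, SHA256_RSA, DUMMY_SIG)

# ---- DER decoder and the field extraction a SHOW.CERT-style dump performs ----
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def _cn(name_body):
    for _, rdn in der_children(name_body):                   # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)
            if oid[1] == b"\x55\x04\x03":
                return value[1].decode()
    return None

def _time(val):
    s = val.decode()
    if len(s) == 13:                                         # UTCTime: RFC 5280 says YY >= 50 is 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tbs = der_children(der_children(der_read(der)[1])[0][1])
    i, version = 0, 1
    if tbs[0][0] == 0xa0:                                    # [0] EXPLICIT version; absent means v1
        version, i = int.from_bytes(der_read(tbs[0][1])[1], "big") + 1, 1
    not_before, not_after = (_time(v) for _, v in der_children(tbs[i + 3][1]))
    is_ca = False
    for tag, val in tbs[i + 6:]:                             # [3] extensions, v3 only
        if tag == 0xa3:
            for _, ext in der_children(der_read(val)[1]):
                fields = der_children(ext)                   # OID, [critical], OCTET STRING value
                if fields[0][1] == b"\x55\x1d\x13":          # 2.5.29.19 basicConstraints
                    bc = der_children(der_read(fields[-1][1])[1])
                    is_ca = any(t == 0x01 and v != b"\x00" for t, v in bc)
    return {"version": version, "serial": int.from_bytes(tbs[i][1], "big"),
            "issuer": _cn(tbs[i + 2][1]), "subject": _cn(tbs[i + 4][1]),
            "not_before": not_before, "not_after": not_after, "is_ca": is_ca}

def parse_crl(der):
    """CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }"""
    tbs = der_children(der_children(der_read(der)[1])[0][1])
    i = 1 if tbs[0][0] == 0x02 else 0                        # optional version INTEGER (v2)
    revoked = {}
    for tag, val in tbs[i + 2:]:                             # after thisUpdate [, nextUpdate]
        if tag == 0x30:                                      # revokedCertificates
            for _, entry in der_children(val):
                serial, date = der_children(entry)[:2]
                revoked[int.from_bytes(serial[1], "big")] = _time(date[1])
    return {"issuer": _cn(tbs[i + 1][1]), "revoked": revoked}

def certificate_status(cert_der, crl_der, now):
    """Validity-period check plus CRL lookup; signature verification is out of scope here."""
    cert, crl = parse_certificate(cert_der), parse_crl(crl_der)
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "not-valid-now"
    if crl["issuer"] != cert["issuer"]:
        return "crl-issuer-mismatch"                         # a CRL only speaks for its own issuer
    return "revoked" if cert["serial"] in crl["revoked"] else "good"

# Constructed sample data: the Snake Oil CA of the page's dump plus one server certificate.
CA_CERT = build_certificate(1, "Snake Oil CA", "Snake Oil CA", ca=True)
SERVER_CERT = build_certificate(2, "Snake Oil CA", "www.snakeoil.dom", ca=False)
CRL = build_crl("Snake Oil CA", [2])                         # serial 2 has been revoked

if __name__ == "__main__":
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)
    print(parse_certificate(CA_CERT))
    print("CA     :", certificate_status(CA_CERT, CRL, now))
    print("server :", certificate_status(SERVER_CERT, CRL, now))
```

The decoder handles only what these two structures need (single-byte tags, no indefinite lengths), which is enough for any DER produced by OpenSSL. Note that the CRL check is keyed on the issuer as well as the serial number: serial numbers are unique only within one CA, so a CRL from a different issuer says nothing about the certificate, and a real implementation would additionally verify the CRL's signature and that its nextUpdate has not passed.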