X.509 certificates are public-key certificates that are the foundation of the public key infrastructure (PKI), which underpins much of the world’s online architecture. In general, public key certificates allow two agnostic users to securely identify themselves to allow for the encryption, exchange, and decryption of data they share.
The X.509 certificate itself is a standard format established by the International Telecommunications Union, a branch of the UN. The X.509 certificate recommendation defines the framework for PKI and privilege management infrastructure (PMI) and establishes the protocols for asymmetric cryptographic techniques and how certificates are managed.
How do X.509 certificates enable trust?
As the basis for securing many online interactions, such as SSL certificates or transport layer security (TLS) certificates used between your browser and web servers, or iPKI architecture used to keep networks of IoT devices safe from attack, the role of digitally signed X.509 certificates is to enable trusted exchanges. This is achieved by leveraging asymmetric cryptography, where a user has both a public and private key pair tied to their identity. This allows anyone else to decrypt data to send to the user using the public, which they can then decrypt with their private key.
To work securely, both parties in the exchange must trust each other’s identity. The X.509 certificate protocol is introduced as the certificate is the digital proof, signed by a trusted certificate authority (CA), that the user’s identity is valid. Technically it is possible for a user to self-sign their certificate rather than being issued it by a CA. However, most browsers and networks have deprecated the use of self-signed X.509 certificates due to their potential to be fraudulent.
The various security features that are part of the X.509 certificate standard make it easy for all parties to quickly ascertain the trustworthiness and unique identifiers of another party. However, the responsibility for maintaining this trust lies with CAs, who must monitor all issued certificates and uphold the protocols standards.
What are the features of X.509 certificates?
X.509 certificates are made up of a number of features as designated by the standard’s protocol. These allow all parties to access the details of a user’s X.509 certificate. Even normal users on a web browser can do so by clicking the padlock next to a page’s URL in the address bar. These details include:
- Version: A number denoting which version of the X.509 certificate protocol is being used
- Serial number: A unique positive integer provided by the CA to identify the X.509 certificate
- Signature algorithm: Identifying which cryptographic form is used to sign the certificate (e.g., RSA, DSA, etc.)
- Issuer name: The name of the CA that has issued the X.509 certificate
- Validity period: When the X.509 certificate was issued and when it expires
- Subject name: Who the certificate was issued to
- Subject public key: The public cryptographic key of the subject
- Extensions: These outline the specific uses of the X.509 certificate
The role of X.509 certificate authorities
Web and iPKI networks rely on the trust enabled by CAs after the protocols are accepted, and they can communicate securely with other parties. There are a number of standards and procedures which must be followed for a CA to gain and maintain the trust of network users. A hacked CA, such as the hack of Dutch CA DigiNotar, can cause chaos for networks with thousands or even millions of X.509 certificates being compromised. As a result, ensuring their own security is essential.
The first element of the CA’s role is the issuing of the original X.509 certificates. This is done through a certification path that chains together three types of certificates, which are:
- Root certificate: The root certificate, or CA certificate, is the primary certificate of trust used by the CA to sign all other certificates. The X.509 certificate trust chain must be the final certificate in the trust store (as the chain leads back to this).
- Intermediate certificate: These are X.509 certificates that the root CA signs for certificate providers so they can issue certificates. These intermediate certificate issuers are any party in between the beginning (root certificate) and end (end-entity) of a certificate chain.
- End-entity certificate: These are the X.509 certificates that assure the identity of a party, such as a website. Before accessing a website, a browser will check that this certificate’s chain leads back to a trusted CA. End-entity certificates are also known as leaf certificates, as nothing further can be grown from them.
The second element of the CA’s role is to manage all issued certificates and ensure trust by applying rules to remove non-conforming or compromised certificates. This leads to the creation of X.509 certificate revocation lists. Certificates that their CA has disavowed are added to public lists to warn others that a CA no longer backs this identity.
Trusted and scalable X.509 certificates for iPKI
X.509 certificates follow an accepted protocol to enable trusted data exchanges between two parties underpinned by a certificate authority. Building an iPKI architecture to secure your IoT networks relies on secure identity provisioning for your devices using X.509 certificates.
Achieving a scalable iPKI architecture that guarantees 24x7x365 service involves significant initial build costs and ongoing maintenance and operations costs. Intertrust’s PKI is 50%-85% less costly than creating the same system in-house and can scale virtually indefinitely as your business needs change.