- X.509 certificates are public-key certificates that are the foundation of the public key infrastructure (PKI), which underpins much of the world’s online architecture.
- Public key certificates allow two agnostic users to securely identify themselves to allow for the encryption, exchange, and decryption of data they share.
- X.509 certificates are a standard format established by the International Telecommunications Union, a branch of the UN. The certificate recommendation defines the framework for PKI and privilege management infrastructure (PMI) and establishes the protocols for asymmetric cryptographic techniques and how certificates are managed.
How do X.509 certificates work—and how do they enable trust?
As the basis for securing many online interactions, such as SSL certificates or transport layer security (TLS) certificates used between your browser and web servers, or PKI architecture used to keep networks of IoT devices safe from attack, the role of digitally signed X.509 certificates is to enable trusted exchanges. This is achieved by leveraging asymmetric cryptography, where a user has both a public and private key pair tied to their identity. This allows anyone else to decrypt data to send to the user using the public, which they can then decrypt with their private key.
To work securely, both parties in the exchange must trust each other’s identity. The X.509 certificate protocol is introduced as the certificate is the digital proof, signed by a trusted certificate authority (CA), that the user’s identity is valid. Technically it is possible for a user to self-sign their certificate rather than being issued it by a CA. However, most browsers and networks have deprecated the use of self-signed certificates due to their potential to be fraudulent.
The various security features that are part of the X.509 certificate standard make it easy for all parties to quickly ascertain the trustworthiness and unique identifiers of another party. However, the responsibility for maintaining this trust lies with CAs, who must monitor all issued certificates and uphold the protocols standards.
What are the features of X.509 certificates?
These digital certificates are made up of a number of features as designated by the standard’s protocol. These allow all parties to access the details of a user’s X.509 certificate. Even normal users on a web browser can do so by clicking the padlock next to a page’s URL in the address bar. These details include:
- Version: A number denoting which version of the certificate protocol is being used
- Serial number: A unique positive integer provided by the CA to identify the certificate
- Signature algorithm: Identifying which cryptographic form is used to sign the certificate (e.g., RSA, DSA, etc.)
- Issuer name: The name of the CA that has issued the certificate
- Validity period: When the certificate was issued and when it expires
- Subject name: Who the certificate was issued to
- Subject public key: The public cryptographic key of the subject
- Extensions: These outline the specific uses of the certificate
The role of X.509 certificate authorities
Web and PKI networks rely on the trust enabled by CAs after the protocols are accepted, and they can communicate securely with other parties. There are a number of standards and procedures which must be followed for a CA to gain and maintain the trust of network users. A hacked CA, such as the hack of Dutch CA DigiNotar, can cause chaos for networks with thousands or even millions of certificates being compromised. As a result, ensuring their own security is essential.
The first element of the CA’s role is the issuing of the original X.509 certificates. This is done through a certification path that chains together three types of certificates, which are:
- Root certificate: The root certificate, or CA certificate, is the primary certificate of trust used by the CA to sign all other certificates. The certificate trust chain must be the final certificate in the trust store (as the chain leads back to this).
- Intermediate certificate: These are X.509 certificates that the root CA signs for certificate providers so they can issue certificates. These intermediate certificate issuers are any party in between the beginning (root certificate) and end (end-entity) of a certificate chain.
- End-entity certificate: These are the X.509 certificates that assure the identity of a party, such as a website. Before accessing a website, a browser will check that this certificate’s chain leads back to a trusted CA. End-entity certificates are also known as leaf certificates, as nothing further can be grown from them.
The second element of the CA’s role is to manage all issued certificates and ensure trust by applying rules to remove non-conforming or compromised certificates. This leads to the creation of X.509 certificate revocation lists. Certificates that their CA has disavowed are added to public lists to warn others that a CA no longer backs this identity.
Trusted and scalable certificates for PKI
X.509 certificates follow an accepted protocol to enable trusted data exchanges between two parties underpinned by a certificate authority. Building an iPKI architecture to secure your IoT networks relies on secure identity provisioning for your devices using X.509 certificates.
Achieving a scalable PKI architecture that guarantees 24x7x365 service involves significant initial build costs and ongoing maintenance and operations costs. Intertrust’s PKI is 50%-85% less costly than creating the same system in-house and can scale virtually indefinitely as your business needs change.
- What are X.509 certificates and how are they used?
Ans: X.509 certificates assign identities to public keys via digital signatures. These digital certificates are the foundation of PKI and are used to manage identity and security in networking and internet communications for authentication and encryption purposes. PKI and X.509 certificates enable Transport Layer Security (TLS), Secure Sockets Layer (SSL), and S/MIME protocols; they are also used in code signing, client certificates, and electronic IDs issued by government agencies.
- What is X.509 certificate revocation?
Ans: Traditionally, a certificate revocation list (CRL) is maintained by the issuing certificate authority (CA) to indicate a certificate’s expiration. This expiration date signals when a certificate can no longer be trusted and the privileges of that certificate are revoked. The CA maintains a list of revoked certificates known as the X.509 Certificate Revocation. Increasingly, the revocation status of digital certificates are maintained through internet protocols, such as the Online Certificate Status Protocol (OCSP).
- How do X.509 certificates work?
Ans: In internet communications, a client checks the certificate for issues before attempting to establish a connection with a server. Once authenticity is verified, the browser uses the public key in the X.509 certificate to encrypt data and establish a secure connection with the server.