What is an x.509 certificate?

A public key certificate, more commonly called a digital certificate or simply a cert, is a digitally signed document commonly used for authentication and for exchanging information securely on open networks such as the Internet, extranets, and intranets. An X.509 certificate contains the public key together with information about the person or entity to which the certificate is issued, information about the certification authority that issued it, and information about the certificate itself.

A certificate binds a public key to the entity that holds the corresponding private key, which that entity must keep secure. Certificates must be digitally signed by the issuing Certificate Authority (CA) and can be issued to a service, a computer, or a user. The CA's signature lets two parties that do not know each other establish a trust relationship. Examples of trusted certificate authorities are GeoTrust, VeriSign, and Thawte.

Certificates can be issued for a variety of functions, such as web server authentication, secure email (Secure/Multipurpose Internet Mail Extensions, or S/MIME), Internet Protocol security (IPsec), Transport Layer Security (TLS), and code signing. For example, when you use the Internet for online banking, it is important to know that your web browser is communicating directly and securely with your bank's web server: the browser must authenticate the web server before a safe transaction can take place. Microsoft Internet Explorer uses Secure Sockets Layer (SSL) to encrypt messages and transmit them securely across the Internet, as do most other modern web browsers and web servers. Encryption encodes sensitive information in transit so that it can be decoded only upon arrival at its intended destination.

Formats for X.509 Certificates:
  • DER Encoded Binary X.509 (.cer)
  • Base64 Encoded X.509 (.cer)
  • PKCS#7 / Cryptographic Message Syntax Standard (.p7b)
  • PKCS#12 / Personal Information Exchange (.pfx)

DER Encoded Binary X.509

DER (Distinguished Encoding Rules) for ASN.1, as defined in ITU-T Recommendation X.509, is a more restrictive encoding standard than the alternative BER (Basic Encoding Rules) for ASN.1, also defined in ITU-T Recommendation X.509, upon which DER is based. Both BER and DER provide a platform-independent method for encoding objects such as certificates and messages for transmission between devices and applications. Most applications use DER when encoding certificates because the portion of the certificate that is signed must be DER-encoded: DER's stricter rules allow exactly one valid encoding per value, so the signer and the verifier hash the same bytes. Certification authorities that are not running on Windows 2000 servers may use this format to ensure interoperability. DER certificate files use the .cer extension.

Base64 Encoded X.509

This is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), a popular, standard method for transferring binary attachments over the Internet. Base64 encodes binary files as ASCII text, which makes corruption during transmission across the Internet less likely; S/MIME itself provides cryptographic security services for electronic messaging applications, including non-repudiation of origin using digital signatures, privacy and data security using encryption, authentication, and message integrity. The MIME (Multipurpose Internet Mail Extensions) specification (RFC 1341 and its successors) defines a mechanism for encoding arbitrary binary information for transmission by electronic mail. Because all MIME-compliant clients can decode Base64 files, certification authorities that are not running on a Windows 2000 server may use this format to ensure interoperability.
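To make the two encodings above concrete, here is an added Python example (not code from the original article): it wraps DER bytes in the Base64 text form and back, and walks the DER Tag-Length-Value structure while rejecting length forms that BER permits but DER forbids. The sample bytes are a constructed SEQUENCE standing in for a certificate, not a real X.509 certificate.

```python
import base64

# Constructed sample, not a real certificate: a DER SEQUENCE holding an INTEGER (2)
# and a UTF8String ("ca"); a real certificate is likewise an outer SEQUENCE.
SAMPLE_DER = bytes.fromhex("3007020102" "0c026361")

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER as Base64 text (the 'Base64 Encoded X.509' format), 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and Base64-decode back to the DER bytes."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))

def read_tlv(buf: bytes, pos: int = 0):
    """Read one Tag-Length-Value at pos -> (tag, value, next_pos); rejects BER-only lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short form: one length byte
        length, pos = first, pos + 2
    else:                                  # long form: 0x80 | count of length bytes
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER-only, not DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        if length < 0x80 or buf[pos + 2] == 0:
            raise ValueError("non-minimal length encoding is not DER")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(der: bytes) -> list:
    """Return the (tag, value) children of the outer SEQUENCE (tag 0x30)."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    children, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        children.append((t, v))
    return children

def is_strict_der(der: bytes) -> bool:
    # True only for a well-formed DER SEQUENCE; False for BER-only lengths or truncation.
    try:
        parse_sequence(der)
        return True
    except (ValueError, IndexError):
        return False
```

Feeding the same content with a BER-style long-form length (30 81 07 ...) to is_strict_der returns False, which is the practical meaning of "DER is more restrictive than BER".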

Cryptographic Message Syntax Standard (PKCS#7)

The PKCS#7 format makes transferring certificates straightforward: it enables the transfer of a certificate together with all the certificates in its certification path from one computer to another, or from a computer to removable media. PKCS#7 files typically use the .p7b extension and are compatible with the ITU-T X.509 standard. Attributes such as signing time can be authenticated along with the message content.