Ask a Question

Advanced Search

Solution ID : SO4583

Last Modified : 05/02/2018

Structure of X509 Certificates


Structure of X509 Certificates

Subject. Provides the name of the computer, user, network device, or service that the CA issues the certificate to. The subject name is commonly represented by using an X.500 or Lightweight Directory Access Protocol (LDAP) format.

Serial Number. Provides a unique identifier for each certificate that a CA issues.

Issuer. Provides a distinguished name for the CA that issued the certificate. The issuer name is commonly represented by using an X.500 or LDAP format. For a root CA, the Issuer and Subject are identical. For all other CA certificates and for end entity certificates, the Subject and Issuer will be different.

Valid From. Provides the date and time when the certificate becomes valid.

Valid To. Provides the date and time when the certificate is no longer considered valid.

Note: The date when an application or service evaluates the certificate must fall between the Valid From and Valid To fields of the certificate for the certificate to be considered valid.


Public Key. Contains the public key of the key pair that is associated with the certificate.

In addition to the fields defined in X.509 version 1, X.509 version 3 certificates include optional fields or extensions that provide additional functionality and features to the certificate. These extensions are not necessarily included in each certificate that a CA issues:

Subject alternative name. A subject can be presented in many different formats. For example, if the certificate must include a user's account name in the format of an LDAP distinguished name, e-mail name, and a user principal name (UPN), you can include the e-mail name or UPN in a certificate by adding a subject alternative name extension that includes these additional name formats. Subject alternative name is only used in end entity certificates, not in CA certificates.

Basic constraints. This X509 version 3 extension is used to distinguish between end-entity certificates and CA certificates. There are still some PKI clients today that do not recognize basic constraints, which can make it possible for an end-entity to act as a CA. Windows Server 2003 and Windows 2000 operating systems honor basic constraints in accordance with Internet Engineering Task Force (IETF) Request for Comments (RFC) 2459 and will reject CA certificates that do not contain this extension.

Name constraints. This extension restricts the namespaces that are permitted or excluded by a qualified subordinate CA and its subordinates when issuing certificates.

Policies. Defines the list of acceptable issuance and application policies for certificate usage. These policies are identified in the certificate by object identifiers (also known as OIDs).

Policy mapping. Allows a policy from one domain to be mapped onto a policy of another domain.

Policy constraints. Restricts the subordination levels in a certificate hierarchy to which a policy is applied. These extensions are used in conjunction with issuance and application policies only.

Application policy. Defines which applications can be used in conjunction with certain certificates.

Application policymapping. Identifies equivalence between the application policies of two organizations that cross certify by using certificate application policies.

Cross certificate distribution points. Identifies where cross certificates related to a particular certificate can be obtained and how often the cross certificates at that location are updated.

CRL distribution points (CDP). Provides one or more URLs where the application or service can retrieve a certificate revocation list (CRL) from. Used when an application or service must determine whether a certificate has been revoked before its validity period has expired.

Authority Information Access (AIA). Provides one or more URLs from where an application or service can retrieve the issuing CA certificate. Used to validate the certificate of the CA that issued the certificate also referred to as the parent CA for revocation and validity.

Enhanced Key Usage (EKU). Defines which applications can be used in conjunction with certain certificates. Because some implementations of public key infrastructure (PKI) applications might not understand application policies, both application policies and enhanced key usage sections appear in certificates issued by a Microsoft CA.