What Is an X.509 Certificate?<\/h2>\n\n\n\n
An X.509 certificate allows websites, users, businesses and other organizations to prove their identities on the internet. In other words, they use an X.509 certificate like a passport to prove who they are. To put it in more technical terms, an X.509 certificate is a type of digital certificate that offers third-party authentication<\/a><\/em> to websites, users, businesses and other organizations across the internet. This is known as third-party authentication.<\/p>\n\n\n\n But if you have an X.509 certificate for your business, couldn\u2019t someone just steal the certificate and use it as a fake ID? Heh, not very easily. And that\u2019s thanks to something that\u2019s known as public key infrastructure<\/a>, or PKI for short.<\/p>\n\n\n\n X.509 certificates are an integral part of the international X.509 public key infrastructure (PKI) standards<\/a>. These standards were first released back in 1988 and have been updated every few years since. The most recent release of the X.509 PKI standards was in October 2019. So, \u00a0X.509 certificates are also known as public key certificates (or PKI certificates<\/a>) because they\u2019re created and managed according to these formatting standards.<\/p>\n\n\n\n The reason why someone can\u2019t just easily steal and use your certificate as their own is because an X.509 certificate ties information about you (your organization) to a cryptographic public key and by making that key available to third parties. A public key is part of an asymmetric key pair that consists of a public and private key.<\/p>\n\n\n\n An illustration of how public key encryption (asymmetric encryption) works using public-private key pairs.<\/p>\n\n\n\n X.509 certificate contains identifying information about your organization, your public key, and the digital signature of the entity that issued your certificate. More specifically, each certificate contains the following information as part of its X.509 certificate format:<\/p>\n\n\n\n Screenshot of the SSL\/TLS certificate that we use to secure SectigoStore.com.<\/p>\n\n\n\n Certificate authorities<\/a> (CAs) \u2014 originally called certification authorities \u2014 are the entities who are responsible for issuing X.509 digital certificates. They do this to ensure that each certificate they issue adheres to specific authentication standards and meets specific validation requirements.<\/p>\n\n\n\n Typically, when people talk about CAs, they\u2019re specifically referring to public certificate authorities. However, there are also private CAs, which can issue and self-sign certificates for use within their own organizations and intranets. (Self-signed certificates should never be used for public-facing applications.)<\/p>\n\n\n\n Sectigo is an example of such a publicly trusted certificate authority. Although there are a few hundred CAs in existence around the world, only a handful or so of them issue the majority of certificates used globally.<\/p>\n\n\n\n So, what is it exactly that CAs do? According to the X.509 standards that were published in 2016:<\/p>\n\n\n\n \u201cIn order for a relying party to be able to trust a public-key of another entity, for instance to authenticate the identity of that entity, the public key shall be obtained from a trusted source. Such a source, called a certification authority (CA), certifies a public key by issuing a public-key certificate which binds the public-key to the entity which holds the corresponding private key.\u201d<\/em><\/p><\/blockquote>\n\n\n\n OK, that was a bit dense. Let\u2019s unpack it\u2026<\/p>\n\n\n\n Before a certificate authority issues a public key certificate to anyone, they first validate that the requestor (your organization) is genuine. For example, if you\u2019re requesting an X.509 certificate for your company website, there are three ways they can do this:<\/p>\n\n\n\n Now, after validating the organization in question, the CA binds the verified identity to the organization\u2019s public keys. Think of this like the official seal on your passport. This helps to prove that your identity is genuine and verified.<\/p>\n\n\n\n So, what makes this public key so great? Basically, when a key is generated using secure cryptographic algorithms and appropriate entropy (randomness), these keys are essentially \u201cunforgeable.\u201d This means that they can\u2019t be altered or modified in any way without those changes being detected. <\/p>\n\n\n\n It may surprise you to know that there\u2019s actually more than just one type of X 509 certificate. There are many, and they\u2019re used for different purposes. To help you understand the differences between them, we\u2019ll go through each individual X.509 certificate example to breakdown what they are and why they\u2019re useful.<\/p>\n\n\n\n This is why there\u2019s \u201cHTTPS<\/a>\u201d in the URL instead of just \u201cHTTP.\u201d Basically, HTTPS = the secure hyper text transport protocol. HTTP = insecure hyper text transport protocol. A protocol is a set of rules that dictate how devices exchanges data across networks and the internet. There are a wide variety of different protocols that are useful for different applications.<\/p>\n\n\n\n Whenever an organization has a TLS certificate installed on its servers, it means that the data exchanges that take place on the site use the transport layer security (TLS) protocol. TLS certificates are also known as SSL certificates because website certificates previously used the secure sockets layer (SSL) protocol to exchange data. (SSL is now a deprecated protocol.) The TLS replaced SSL<\/a> as the go-to protocol for secure data transmissions.<\/p>\n\n\n\n So, why do people sometimes call them SSL certificates instead of TLS certificates? Frankly, it\u2019s because people are slow to change \u2014 particularly when it comes to the terms they use. So, you\u2019ll still often hear people calling them SSL certificates instead of TLS certificates.<\/p>\n\n\n\n No matter. Just know that we\u2019re talking about SSL\/TLS certificates, we\u2019re really talking about TLS certificates.<\/p>\n\n\n\n SSL\/TLS certificates are X.509 certificates that are typically categorized by 1) validation, and 2) functionalities. They can be issued with DV, OV or EV validation. There are several types of certificates that are available depending on the functions you need them to fill:<\/p>\n\n\n\n The next type of X.509 certificate we\u2019ll cover is known as a code signing certificate. These certificates serve as a way for software developers and publishers to assert their publisher identity. This helps to protect the integrity of the software and its code.<\/p>\n\n\n\n The way the certificate aids in the effort is by allowing the software creator to affix a digital signature to their code, script, or executable.<\/p>\n\n\n\n You know these types of warning screens that pop up from Microsoft Windows?<\/p>\n\n\n\n This warning message is a great way to drive away potential customers and users. A code signing certificate makes it so that your verified publisher information populates in the publisher field. This way, it doesn\u2019t just say \u201cUnknown\u201d or \u201cUnverified\u201d anymore.<\/p>\n\n\n\n These X.509 certificates, which are also known as S\/MIME certificates or personal authentication certificates (PACs), are a great way to securely send emails and to authenticate yourself to servers and other devices. They allow you to:<\/p>\n\n\n\n These certificates are also known as personal authentication certificates because they\u2019re useful for authenticating users (or, more specifically, the clients on their applicable devices) via two-way authentication. This type of authentication allows you to gain access to specific applications, sites, servers, or devices. <\/p>\n\n\n\n These X.509 digital certificates enable users to digitally sign the documents they create (Word docs, PDFs, etc.). What this does it allow the document creator to prove that they created the document and that it hasn\u2019t been altered or modified in any way. Basically, you\u2019re validating the document\u2019s integrity so that people know it\u2019s safe to use.<\/p>\n\n\n\n Public key infrastructure (PKI) is the foundation of global internet security as we know it today. The X.509 international standards is a document that defines the format, processes and entities that are involved with the creation, management, and revocation of public key digital certificates. It also covers asymmetric cryptographic techniques and how identities are paired with cryptographic key pairs.<\/p>\n\n\n\n Back in 1988, two international standards organizations set up committees to collaborate and create a set of standards for dealing with the technical aspects of public key certificates. This set of standards is known as the X.509 public key infrastructure standards<\/a>, and there have been multiple versions of these standards that have been released over the past three decades.<\/p>\n\n\n\n The two organizations that were involved in creating the standards are:<\/p>\n\n\n\nX.509 Certificates and PKI<\/h3>\n\n\n\n
![\"An](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/09\/public-private-key-pair.png\")
<\/figure><\/div>\n\n\n\nA Quick Look at the X.509 Certificate Format<\/h3>\n\n\n\n
![\"Two](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/09\/x-509-ssl-cert.png\")
<\/figure><\/div>\n\n\n\nWho Issues X.509 Certificates?<\/h2>\n\n\n\n
The Roles That CAs Play in X.509 Certificates<\/h3>\n\n\n\n
CAs Validate Organizational Identities to Ensure They\u2019re Legitimate<\/h4>\n\n\n\n
CAs Bind Unmodifiable Public Keys to Organizational Identities<\/h4>\n\n\n\n
What Are the 4 Types of X.509 Certificates?<\/h2>\n\n\n\n
1. TLS Certificates (SSL Certificates)<\/h3>\n\n\n\n
![\"A](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/09\/x509-certificate-example-sectigostore-1024x495.png\")
<\/figure><\/div>\n\n\n\nLet\u2019s start off with the most popular and commonly used X.509 certificate. A TLS certificate, also known as a website security certificate, allows your browser to connect and securely exchange data with a website\u2019s server. See that padlock in your browser\u2019s web address bar? Yeah, that means your browser is sending and receiving data from our website\u2019s server via a secure, encrypted connection. This is known as data-in-transit encryption.<\/p>\n\n\n\n
SSL vs TLS Certificates<\/h4>\n\n\n\n
Types of SSL\/TLS Certificates<\/h4>\n\n\n\n
2. Code Signing Certificates<\/h3>\n\n\n\n
![\"A](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/09\/UnknownPublisher.png\")
<\/figure><\/div>\n\n\n\n3. Email Signing Certificates<\/h3>\n\n\n\n
![\"A](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/09\/digital-signature-email-group-example-1024x561.png\")
<\/figure><\/div>\n\n\n\n4. Document Signing Certificates<\/h3>\n\n\n\n
![\"A](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/09\/document-signing-screenshot-pdf.png\")
<\/figure><\/div>\n\n\n\nWhat Is the X.509 Public Key Infrastructure Set of Standards?<\/h2>\n\n\n\n