An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.

An X.509 certificate contains information about the identity to which a certificate is issued and the identity that issued it. Standard information in an X.509 certificate includes:

  • Version – which X.509 version applies to the certificate (which indicates what data the certificate must include)
  • Serial number – the identity creating the certificate must assign it a serial number that distinguishes it from other certificates
  • Algorithm information – the algorithm used by the issuer to sign the certificate
  • Issuer distinguished name – the name of the entity issuing the certificate (usually a certificate authority)
  • Validity period of the certificate – start/end date and time
  • Subject distinguished name – the name of the identity the certificate is issued to
  • Subject public key information – the public key associated with the identity
  • Extensions (optional)
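
As an added example (not code from the original page), the following Go program uses only the standard library to build a constructed, self-signed certificate for the hypothetical name example.test, then parses the DER back and reads off each of the standard fields listed above. The serial number, names and validity dates are sample values chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeSelfSignedDER builds a constructed self-signed test certificate (hypothetical subject, not CA-issued).
func MakeSelfSignedDER() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // assigned by the issuer; sample value
		Subject:      pkix.Name{CommonName: "example.test", Organization: []string{"Example Org"}},
		NotBefore:    time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		DNSNames:     []string{"example.test"}, // emitted as a v3 subjectAltName extension
	}
	// The template doubles as parent, so issuer equals subject and the key signs its own certificate.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// ParseSelfSigned decodes the DER back into a certificate whose fields map onto the list above.
func ParseSelfSigned() (*x509.Certificate, error) {
	der, err := MakeSelfSignedDER()
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := ParseSelfSigned()
	if err != nil {
		panic(err)
	}
	fmt.Println("Version:", c.Version) // 3 for an X.509 v3 certificate
	fmt.Println("Serial number:", c.SerialNumber)
	fmt.Println("Signature algorithm:", c.SignatureAlgorithm, "| Public key algorithm:", c.PublicKeyAlgorithm)
	fmt.Println("Issuer:", c.Issuer, "| Subject:", c.Subject)
	fmt.Println("Validity:", c.NotBefore.UTC(), "to", c.NotAfter.UTC())
	fmt.Println("Extensions:", len(c.Extensions))
}
```

Because the certificate is self-signed, the issuer and subject names come back identical, and the certificate's own public key verifies the signature over its TBSCertificate.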

Many of the certificates that people refer to as Secure Sockets Layer (SSL) certificates are in fact X.509 certificates.

The first X.509 certificates were issued in 1988 as part of the International Telecommunications Union’s Telecommunication Standardization Sector (ITU-T) and the X.500 Directory Services Standard. In 1993, version 2 added two fields to support directory access control. Version 3 was released in 1996 and defines the formatting used for certificate extensions.