---
title: X.509 certificates
description: The server supports X.509 certificates, the most common type of certificates. RFC 5280 describes X.509v3, which provides the current version of the specification.
component: pingdirectory
version: 11.0
page_id: pingdirectory:managing_servers_and_certificates:pd_ds_x509_certificates
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_servers_and_certificates/pd_ds_x509_certificates.html
revdate: August 14, 2024
---

# X.509 certificates

The server supports X.509 certificates, the most common type of certificates. [RFC 5280](https://www.ietf.org/rfc/rfc5280.txt) describes X.509v3, which provides the current version of the specification.

An X.509v3 certificate includes the following components:

* X.509 encoding version

  Enables the differentiation between an X.509v3 certificate and one that conforms to an earlier or later version of the specification.

* Serial number of the certificate

  Integer value that uniquely identifies the certificate among those issued by a certification authority.

* Subject DN

  Distinguished name for the certificate, which often provides details about the context in which the certificate is to be used. For more information, see [Certificate subject DNs](pd_ds_certificate_subject_dns.html).

* Issuer DN

  Distinguished name of the issuer certificate, which is the certificate used to sign this certificate. For a self-signed certificate, this value matches the subject DN.

* Validity window

  Indicates the timeframe during which the certificate is considered valid. This component includes the following elements:

  * `notBefore`

    Specifies the earliest time at which the certificate is considered valid.

  * `notAfter`

    Specifies the latest time at which the certificate is considered valid.

* Public key

  Public portion of a pair of cryptographically linked keys. For more information, see [Certificate key pairs](pd_ds_certificate_key_pairs.html).

* Signature

  Cryptographic proof that the certificate was issued by the issuer and has remained unaltered. A self-signed certificate is signed with its own private key. Otherwise, it is signed with the issuer's private key.

An X.509v3 certificate might also include the following optional components:

* Subject unique ID

  Uniquely identifies the certificate. This component has been deprecated in favor of the subject key identifier extension, so it is generally omitted from X.509v3 certificates.

* Issuer unique ID

  Subject unique ID of the issuer certificate, if available. This component has been deprecated in favor of the authority key identifier extension.

* Set of extensions

  Provides additional context for the certificate and the manner in which it is used. For more information, see [Certificate extensions](pd_ds_certificate_extensions.html).
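
The following added example (not PingDirectory code) walks the DER encoding of a certificate and reads the version, serial number, issuer DN, validity window and subject DN in the order listed above, then checks whether the issuer DN matches the subject DN and whether a given time falls inside the validity window. The function names are hypothetical, and `sample()` builds a constructed input with the real field layout but an empty placeholder key and signature, so it is not a usable certificate.

```python
from datetime import datetime, timezone

def tlv(tag, body):  # DER-encode one element; only used to build the sample
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def read(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    # 0x17 = UTCTime (two-digit year), 0x18 = GeneralizedTime (four-digit year)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    t = datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    # RFC 5280: UTCTime years 50-99 mean 19xx; strptime maps 50-68 to 20xx
    return t.replace(year=t.year - 100) if tag == 0x17 and t.year >= 2050 else t

def describe(cert_der, now):
    tbs = children(children(read(cert_der)[1])[0][1])  # Certificate -> tbsCertificate
    version = 1  # the [0] version wrapper is optional; absent means v1
    if tbs[0][0] == 0xA0:
        version = children(tbs.pop(0)[1])[0][1][0] + 1
    serial, _alg, issuer, validity, subject = tbs[:5]
    start, end = (parse_time(t, v) for t, v in children(validity[1]))
    return {"version": version, "serial": int.from_bytes(serial[1], "big"),
            "issuer_matches_subject": issuer[1] == subject[1],
            "not_before": start, "not_after": end, "in_window": start <= now <= end}

def sample(issuer_cn, subject_cn):  # constructed input, placeholder key and signature
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x00\x01") + tlv(0x30, b"")
           + name(issuer_cn) + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x18, b"20500101000000Z"))
           + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

A matching issuer DN and subject DN only shows that the certificate is self-issued; confirming that it is self-signed still requires verifying the signature with the certificate's own public key.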
