Page created: 15 Nov 2019 | Page updated: 25 Mar 2020
PingDirectory Server supports X.509 certificates, the type that you are most likely to encounter. RFC 5280 describes X.509v3, which provides the current version of the specification.
An X.509v3 certificate includes the following components:
- X.509 encoding version – Distinguishes an X.509v3 certificate from one that conforms to an earlier or future version of the specification.
- Serial number of the certificate – Integer value that uniquely identifies a certificate as issued by a certification authority. Although serial numbers were frequently generated in sequential order in the past, they are now required to be unpredictable with at least 20 bits of entropy.
- Subject DN – Distinguished name for the certificate, which often provides details about the context in which the certificate is to be used. For more information, see Certificate subject DNs.
- Issuer DN – Distinguished name for the issuer certificate, which is the certificate used to sign the certificate. For a self-signed certificate, this value matches the subject DN.
- Validity window – Indicates the timeframe during which the certificate is considered valid. This component includes the following elements:
  - notBefore – Specifies the earliest time at which the certificate is considered valid.
  - notAfter – Specifies the latest time at which the certificate is considered valid.
- Public key – Public portion of a pair of cryptographically linked keys. For more information, see Certificate key pairs.
- Signature – Cryptographic proof that the certificate was truly issued by the issuer and has remained unaltered. As its name implies, a self-signed certificate is signed with its own private key. Otherwise, it is signed with the issuer's private key.
An X.509v3 certificate might also include the following optional components:
- Subject unique ID – Uniquely identifies the certificate. Because this component has been deprecated in favor of the subject key identifier extension, it is generally omitted from X.509v3 certificates.
- Issuer unique ID – Subject unique ID of the issuer certificate, if available. This component has been deprecated in favor of the authority key identifier extension.
- Set of extensions – Provides additional context for the certificate and the manner in which it is used. For more information, see Certificate extensions.
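To show how these components map onto an actual certificate, the following is an added example (not part of the PingDirectory documentation) written in Go with only the standard library: it issues a self-signed certificate with a random serial number for the constructed placeholder subject CN=ds.example.com, parses the DER back, and checks the self-signed property both ways, by comparing the issuer and subject DNs and by verifying the signature over the TBSCertificate with the certificate's own public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedDER issues a self-signed CA certificate for the placeholder subject "CN=ds.example.com".
func NewSelfSignedDER(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Serial numbers must be unpredictable: draw 128 random bits instead of counting up.
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: "ds.example.com"},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: true, // emits basicConstraints/keyUsage extensions
	}
	// The template is both subject and issuer and is signed with its own private key,
	// so the issuer DN equals the subject DN: a self-signed certificate.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// IsSelfSigned checks both properties the text gives: the issuer DN equals the subject
// DN, and the signature over the TBSCertificate verifies with the cert's own public key.
func IsSelfSigned(c *x509.Certificate) bool {
	if c.Issuer.String() != c.Subject.String() {
		return false
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second) // ASN.1 times carry whole seconds
	der, err := NewSelfSignedDER(now, now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER from CreateCertificate always parses
	fmt.Printf("v%d serial=%d bits %s valid %s..%s %d extensions self-signed=%v\n", c.Version,
		c.SerialNumber.BitLen(), c.Subject, c.NotBefore, c.NotAfter, len(c.Extensions), IsSelfSigned(c))
}
```

Because the template is a CA, Go also emits a subjectKeyIdentifier extension, which is the mechanism that replaced the deprecated subject unique ID described above.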