The current version of the specification is X.509v3, which is described in RFC 5280. An X.509v3 certificate includes the following components:

  • The X.509 encoding version, which makes it possible to differentiate between an X.509v3 certificate or one that conforms to an earlier or future version of the specification.
  • The certificate’s serial number, which is an integer value that uniquely identifies a certificate as issued by a certification authority. While they were often generated in sequential order in the past, they are now required to be unpredictable with at least 20 bits of entropy.
  • A subject DN, which is the distinguished name for the certificate that often provides information about the context in which the certificate is to be used. Certificate subject DNs are discussed in more detail later.
  • An issuer DN, which is the distinguished name for the issuer certificate (that is, the certificate used to sign the certificate). For a self-signed certificate, this matches the subject DN.
  • A validity window, which indicates the time frame that the certificate should be considered valid. This includes a “notBefore” element, which is the earliest time that the certificate should be considered valid, and a “notAfter” element, which is the latest time that the certificate should be considered valid.
  • A public key, which is the public portion of a pair of two cryptographically linked keys. Certificate key pairs are discussed in more detail later.
  • An optional subject unique ID, which is intended to uniquely identify the certificate. This has been deprecated in favor of the subject key identifier extension and is generally omitted from X.509v3 certificates.
  • An optional issuer unique ID, which is the subject unique ID of the issuer certificate (if it had one). This has been deprecated in favor of the authority key identifier extension.
  • An optional set of extensions that provide additional context for the certificate and how it can be used. Certificate extensions are discussed in more detail later.
  • A signature, which is a type of cryptographic proof that the certificate really did come from the issuer and has not been altered in any way. As its name implies, a self-signed certificate is signed with its own private key; otherwise, it is signed with the issuer’s private key.