X.509#End-entity certificate

X.509 was initially issued on July 3, 1988, and was begun in association with the X.500 standard. The first tasks of it was providing users with secure access to information resources and avoiding a cryptographic man-in-the-middle attack. It assumes a strict hierarchical system of certificate authorities (CAs) for issuing the certificates. This contrasts with web of trust models, like PGP, where anyone (not just special CAs) may sign and thus attest to the validity of others' key certificates.

Version 3 of X.509 includes the flexibility to support other topologies like bridges and meshes.{{Ref RFC|4158}} It can be used in a peer-to-peer, OpenPGP-like web of trust,{{citation needed|date=March 2011}} but was rarely used that way {{as of|2004|lc=y}}. The X.500 system has only been implemented by sovereign nations{{Which|date=April 2020}} for state identity information sharing treaty fulfillment purposes, and the IETF's Public-Key Infrastructure (X.509) (PKIX) working group has adapted the standard to the more flexible organization of the Internet. In fact, the term X.509 certificate usually refers to the IETF's PKIX certificate and CRL profile of the X.509 v3 certificate standard, as specified in {{IETF RFC|5280}}, commonly called PKIX for Public Key Infrastructure (X.509).{{Ref RFC|5280|quote=Following is a simplified view of the architectural model assumed by the Public-Key Infrastructure using X.509 (PKIX) specifications.}}

An early issue with Public Key Infrastructure (PKI) and X.509 certificates was the well known "which directory" problem. The problem is the client does not know where to fetch missing intermediate certificates because the global X.500 directory never materialized. The problem was mitigated by including all intermediate certificates in a request. For example, early web servers only sent the web server's certificate to the client. Clients that lacked an intermediate CA certificate or where to find them failed to build a valid path from the CA to the server's certificate. To work around the problem, web servers now send all the intermediate certificates along with the web server's certificate.{{cite web |title=Engineering Security |url=https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf |first=Peter |last=Gutmann |author-link=Peter Gutmann (computer scientist) |date=April 2014}}

While PKIX refers to the IETF's or Internet's PKI standard, there are many other PKIs with different policies. For example, the US Government has its own PKI with its own policies, and the CA/Browser Forum has its own PKI with its own policies. The US Government's PKI is a massive book of over 2500 pages. If an organization's PKI diverges too much from that of the IETF or CA/Browser Forum, then the organization risks losing interoperability with common tools like web browsers, cURL, and Wget. For example, if a PKI has a policy of only issuing certificates on Monday, then common tools like cURL and Wget will not enforce the policy and allow a certificate issued on a Tuesday.

{{Infobox file format

|name = X.509 certificate

|mime = application/pkix-cert{{Ref RFC|2585|section=4: MIME registrations |pages=4–5 }}

|uniform type = public.x509-certificate{{cite web |url=https://developer.apple.com/documentation/uniformtypeidentifiers/uttype/3551600-x509certificate |title=x509Certificate |work=Apple Developer Documentation: Uniform Type Identifiers |publisher=Apple Inc}}

}}

X.509 certificates bind an identity to a public key using a digital signature. In the X.509 system, there are two types of certificates. The first is a CA certificate. The second is an end-entity certificate. A CA certificate can issue other certificates. The top level, self-signed CA certificate is sometimes called the Root CA certificate. Other CA certificates are called intermediate CA or subordinate CA certificates. An end-entity certificate identifies the user, like a person, organization or business. An end-entity certificate cannot issue other certificates. An end-entity certificate is sometimes called a leaf certificate since no other certificates can be issued below it.

An organization that wants a signed certificate requests one from a CA using a protocol like Certificate Signing Request (CSR), Simple Certificate Enrollment Protocol (SCEP) or Certificate Management Protocol (CMP). The organization first generates a key pair, keeping the private key secret and using it to sign the CSR. The CSR contains information identifying the applicant and the applicant's public key that is used to verify the signature of the CSR - and the Distinguished Name (DN) that is unique for the person, organization or business. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority.

The CSR will be validated using a Registration Authority (RA), and then the certification authority will issue a certificate binding a public key to a particular distinguished name. The roles registration authority and certification authority are usually separate business units under separation of duties to reduce the risk of fraud.

An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system. Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed, so SSL certificates from major certificate authorities will work instantly; in effect the browsers' developers determine which CAs are trusted third parties for the browsers' users. For example, Firefox provides a CSV and/or HTML file containing a list of Included CAs.{{Cite web|url=https://wiki.mozilla.org/CA:IncludedCAs|title=CA:IncludedCAs|work=Mozilla Wiki|access-date=17 January 2017}}

X.509 and {{IETF RFC|5280}} also include standards for certificate revocation list (CRL) implementations. Another IETF-approved way of checking a certificate's validity is the Online Certificate Status Protocol (OCSP). Firefox 3.0 enabled OCSP checking by default, as did versions of Windows from at least Vista and later.{{cite web |url=https://bugzilla.mozilla.org/show_bug.cgi?id=110161 | title=Bug 110161 - (ocspdefault) enable OCSP by default |access-date=17 March 2016|publisher=Mozilla}}

The structure foreseen by the standards is expressed in a formal language, Abstract Syntax Notation One (ASN.1).

The structure of an X.509 v3 digital certificate is as follows:

• Certificate
• Version Number
• Serial Number
• Signature Algorithm ID
• Issuer Name
• Validity period
• Not Before
• Not After
• Subject name
• Subject Public Key Info
• Public Key Algorithm
• Subject Public Key
• Issuer Unique Identifier (optional)
• Subject Unique Identifier (optional)
• Extensions (optional)
• ...
• Certificate Signature Algorithm
• Certificate Signature

The Extensions field, if present, is a sequence of one or more certificate extensions.{{Ref RFC|5280|rsection=4.1.2.9: Extensions}} Each extension has its own unique ID, expressed as object identifier (OID), which is a set of values, together with either a critical or non-critical indication. A certificate-using system must reject the certificate if it encounters a critical extension that it does not recognize, or a critical extension that contains information that it cannot process. A non-critical extension may be ignored if it is not recognized, but must be processed if it is recognized.{{Ref RFC|5280|rsection=4.2: Certificate Extensions}}

The structure of version 1 is given in {{IETF RFC|1422}}.

The inner format of issuer and subject unique identifiers specified in [https://www.itu.int/rec/T-REC-X.520 X.520 The Directory: Selected attribute types] recommendation.

ITU-T introduced issuer and subject unique identifiers in version 2 to permit the reuse of issuer or subject name after some time. An example of reuse will be when a CA goes bankrupt and its name is deleted from the country's public list. After some time another CA with the same name may register itself, even though it is unrelated to the first one. However, IETF recommends that no issuer and subject names be reused. Therefore, version 2 is not widely deployed in the Internet.{{citation needed|date=January 2012}}

Extensions were introduced in version 3. A CA can use extensions to issue a certificate only for a specific purpose (e.g. only for signing digital objects).

In all versions, the serial number must be unique for each certificate issued by a specific CA (as mentioned in {{IETF RFC|5280}}).

{{IETF RFC|5280}} (and its predecessors) defines a number of certificate extensions which indicate how the certificate should be used. Most of them are arcs from the joint-iso-ccitt(2) ds(5) id-ce(29) OID. Some of the most common, defined in section 4.2.1, are:

• Basic Constraints, { id-ce 19 },{{Ref RFC|5280|rsection=4.2.1.9}} are used to indicate whether the certificate is a CA certificate and can certify or issue other certificates. A constraint can be marked as critical. If a constraint is marked critical, then an agent must fail to process the certificate if the agent does not understand the constraint. An agent can continue to process a non-critical constraint it does not understand.
• Key Usage, { id-ce 15 },{{Ref RFC|5280|rsection=4.2.1.3}} provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signatures but not for encipherment.
• Extended Key Usage, { id-ce 37 },{{Ref RFC|5280|rsection=4.2.1.12}} is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate. It contains a list of OIDs, each of which indicates an allowed use. For example, { id-pkix 3 1 } indicates that the key may be used on the server end of a TLS or SSL connection; { id-pkix 3 4 } indicates that the key may be used to secure email.

In general when using {{IETF RFC| 5280}}, if a certificate has several extensions restricting its use, all restrictions must be satisfied for a given use to be appropriate. The RFC gives the specific example of a certificate containing both keyUsage and extendedKeyUsage: in this case, both must be processed and the certificate can only be used if both extensions are coherent in specifying the usage of a certificate. For example, NSS uses both extensions to specify certificate usage.{{cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_tech_notes/nss_tech_note3|title=All About Certificate Extensions|date=9 May 2002|publisher=Mozilla|access-date=10 September 2020|author=Nelson B Boyard|archive-date=15 December 2018|archive-url=https://web.archive.org/web/20181215123125/https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_tech_notes/nss_tech_note3|url-status=dead}}

Certification authorities operating under the CA/Browser Forum's PKI issue certificates with varying levels of validation. The different validations provide different levels of assurances that a certificate represents what it is supposed to. For example, a web server can be validated at the lowest level of assurances using an email called Domain Validation (DV). Or a web server can be validated at a higher level of assurances using more detailed methods called Extended Validation (EV).

In practice, a DV certificate means a certificate was issued for a domain like example.com after someone responded to an email sent to webmaster@example.com. An EV certificate means a certificate was issued for a domain like example.com, and a company like Example, LLC is the owner of the domain, and the owner was verified by Articles of Incorporation.

Extended validation does not add any additional security controls, so the secure channel setup using an EV certificate is not "stronger" than a channel setup using a different level of validation like DV.

Extended validation is signaled in a certificate using X.509 v3 extension. Each CA uses a different Object Identifier (OID) to assert extended validation. There is no single OID to indicate extended validation, which complicates user agent programming. Each user agent must have a list of OIDs that indicate extended validation.

The CA/Browser Forum's PKI recognizes extended validation and many browsers provide visual feedback to the user to indicate a site provides an EV certificate. Other PKIs, like the Internet's PKI (PKIX), do not place any special emphasis on extended validation. Tools using PKIX policies, like cURL and Wget, simply treat an EV certificate like any other certificate.

Security expert Peter Gutmann states CA's created EV certificates to restore profit levels after the Race to the Bottom cut into profits. During the race to the bottom CA's cut prices to lure consumers to purchase their certificates. As a result, profits were reduced and CA's dropped the level of validation they were performing to the point there were nearly no assurances on a certificate.

There are several commonly used filename extensions for X.509 certificates. Some of these extensions are also used for other data such as private keys.

• .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between {{code|-----BEGIN CERTIFICATE-----}} and {{code|-----END CERTIFICATE-----}}
• .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
• .p8, .p8e, .pk8 – exported private key as specified in PKCS#8. May be in DER or PEM form that starts with {{code|-----BEGIN PRIVATE KEY-----}}. The encrypted key starts with {{code|-----BEGIN ENCRYPTED PRIVATE KEY-----}} and may have the .p8e extension.
• .p10, .csr – PKCS#10 a certificate signing request (CSR). In PEM form starts with {{code|-----BEGIN CERTIFICATE REQUEST-----}}. These are generated for submission to certificate-authorities (CA). It includes key details of the requested certificate such as Common Name (/CN), subject, organization, state, country, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats but usually in .p7r.{{cite web |author=sysadmin1138 |title=What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? |url=https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file |website=Server Fault |access-date=19 October 2023 |language=en |date=May 19, 2009}} {{Creative Commons text attribution notice|cc=bysa2.5|from this source=yes}}

• .p7r – PKCS#7 response to CSR. Contains the newly-signed certificate, and the CA's own cert.
• .p7s – PKCS#7 Digital Signature. May contain the original signed file or message. Used in S/MIME for email signing. Defined in RFC 2311.
• .p7m – PKCS#7 (SignedData, EnvelopedData) Message e.g. encrypted ("enveloped") file, message or MIME email letter. Defined in RFC 2311.
• .p7c – PKCS#7 degenerated SignedData "certs-only" structure, without any data to sign. Defined in RFC 2311.
• .p7b, .keystore – PKCS#7 SignedData structure without data, just certificate(s) bundle and/or CRLs (rarely) but not a private key. Uses DER form or BER or PEM that starts with {{code|-----BEGIN PKCS7-----}}. The format used by Windows for certificate interchange. Supported by Java but often has .keystore as an extension instead. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.
• .p12, .pfx, .pkcs12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected) in a single file. .pfx – Personal Information eXchange PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g. with PFX files generated in IIS).
• .crl – A Certificate Revocation List (CRL). Certificate Authorities produce these as a way to de-authorize certificates before expiration.

PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure.

A certificate chain (see the equivalent concept of "certification path" defined by {{IETF RFC|5280}} section 3.2) is a list of certificates (usually starting with an end-entity certificate) followed by one or more CA certificates (usually the last one being a self-signed certificate), with the following properties:

1. The Issuer of each certificate (except the last one) matches the Subject of the next certificate in the list
2. Each certificate (except the last one) is signed by the secret key corresponding to the next certificate in the chain (i.e. the signature of one certificate can be verified using the public key contained in the following certificate)
3. The last certificate in the list is a trust anchor: a certificate that you trust because it was delivered to you by some trustworthy procedure

Certificate chains are used in order to check that the public key (PK) contained in a target certificate (the first certificate in the chain) and other data contained in it effectively belongs to its subject. In order to ascertain this, the signature on the target certificate is verified by using the PK contained in the following certificate, whose signature is verified using the next certificate, and so on until the last certificate in the chain is reached. As the last certificate is a trust anchor, successfully reaching it will prove that the target certificate can be trusted.

The description in the preceding paragraph is a simplified view on the certification path validation process as defined by {{IETF RFC|5280}} section 6, which involves additional checks, such as verifying validity dates on certificates, looking up CRLs, etc.

File:Cross-certification diagram.svg

File:CA certificate renewal.png

Examining how certificate chains are built and validated, it is important to note that a concrete certificate can be part of very different certificate chains (all of them valid). This is because several CA certificates can be generated for the same subject and public key, but be signed with different private keys (from different CAs or different private keys from the same CA). So, although a single X.509 certificate can have only one issuer and one CA signature, it can be validly linked to more than one certificate, building completely different certificate chains. This is crucial for cross-certification between PKIs and other applications.

{{cite book

|title=Understanding Certification Path Construction

|date=September 2002

|publisher=PKI Forum

|last=Lloyd

|first=Steve

|url=http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf

}}

See the following examples:

In these diagrams:

• Each box represents a certificate, with its Subject in bold
• A → B means "A is signed by B" (or, more precisely, "A is signed by the secret key corresponding to the public key contained in B").
• Certificates with the same color (that are not white/transparent) contain the same public key

In order to manage that user certificates existing in PKI 2 (like "User 2") are trusted by PKI 1, CA1 generates a certificate (cert2.1) containing the public key of CA2.

{{cite book

|title=Qualified Subordination Deployment Scenarios

|date=August 2009

|publisher=Microsoft

|section=Cross-Certification Between Root CAs

|url=https://technet.microsoft.com/en-us/library/cc785267(v=ws.10).aspx

}}

Now both "cert2 and cert2.1 (in green) have the same subject and public key, so there are two valid chains for cert2.2 (User 2): "cert2.2 → cert2" and "cert2.2 → cert2.1 → cert1".

Similarly, CA2 can generate a certificate (cert1.1) containing the public key of CA1 so that user certificates existing in PKI 1 (like "User 1") are trusted by PKI 2.

{{cite book

|title=Understanding Certification Path Construction

|date=September 2002

|publisher=PKI Forum

|url=http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf

|quote=To allow for graceful transition from the old signing key pair to the new signing key pair, the CA should issue a certificate that contains the old public key signed by the new private signing key and a certificate that contains the new public key signed by the old private signing key. Both of these certificates are self-issued, but neither is self-signed. Note that these are in addition to the two self-signed certificates (one old, one new).

}}

Since both cert1 and cert3 contain the same public key (the old one), there are two valid certificate chains for cert5: "cert5 → cert1" and "cert5 → cert3 → cert2", and analogously for cert6. This allows that old user certificates (such as cert5) and new certificates (such as cert6) can be trusted indifferently by a party having either the new root CA certificate or the old one as trust anchor during the transition to the new CA keys.

{{cite book

|title=PKI: Implementing and Managing E-Security

|year=2001

|publisher=RSA Press - Osborne/McGraw-Hill

|last1=Nash

|last2=Duane

|last3=Joseph

|last4=Brink

|isbn=0-07-213123-3

|section=Key and Certificate Life Cycles. CA Certificate Renewal

}}

This is an example of a decoded X.509 certificate that was used in the past by wikipedia.org and several other Wikipedia websites. It was issued by GlobalSign, as stated in the Issuer field. Its Subject field describes Wikipedia as an organization, and its Subject Alternative Name (SAN) field for DNS describes the hostnames for which it could be used. The Subject Public Key Info field contains an ECDSA public key, while the signature at the bottom was generated by GlobalSign's RSA private key. (The signatures in these examples are truncated.)

To validate this end-entity certificate, one needs an intermediate certificate that matches its Issuer and Authority Key Identifier:

In a TLS connection, a properly-configured server would provide the intermediate as part of the handshake. However, it's also possible to retrieve the intermediate certificate by fetching the "CA Issuers" URL from the end-entity certificate.

This is an example of an intermediate certificate belonging to a certificate authority. This certificate signed the end-entity certificate above, and was signed by the root certificate below. Note that the subject field of this intermediate certificate matches the issuer field of the end-entity certificate that it signed. Also, the "subject key identifier" field in the intermediate matches the "authority key identifier" field in the end-entity certificate.

This is an example of a self-signed root certificate representing a certificate authority. Its issuer and subject fields are the same, and its signature can be validated with its own public key. Validation of the trust chain has to end here. If the validating program has this root certificate in its trust store, the end-entity certificate can be considered trusted for use in a TLS connection. Otherwise, the end-entity certificate is considered untrusted.

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

04:00:00:00:00:01:15:4b:5a:c3:94

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA

Validity

Not Before: Sep 1 12:00:00 1998 GMT

Not After : Jan 28 12:00:00 2028 GMT

Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:

...

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Key Usage: critical

Certificate Sign, CRL Sign

X509v3 Basic Constraints: critical

CA:TRUE

X509v3 Subject Key Identifier:

60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B

Signature Algorithm: sha1WithRSAEncryption

d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:

...

There are a number of publications about PKI problems by Bruce Schneier, Peter Gutmann and other security experts.{{cite web

| url = https://www.schneier.com/paper-pki.pdf

| title = Top 10 PKI risks

| author = Carl Ellison and Bruce Schneier

| publisher = Computer Security Journal (Volume XVI, Number 1, 2000)

| access-date = 2014-04-02

| archive-date = 2015-11-24

| archive-url = https://web.archive.org/web/20151124191828/https://www.schneier.com/paper-pki.pdf

| url-status = dead

}}

{{cite web

| url = http://www.cs.auckland.ac.nz/~pgut001/pubs/notdead.pdf

| title = PKI: it's not dead, just resting

| author = Peter Gutmann

| author-link = Peter Gutmann (computer scientist)

| publisher = IEEE Computer (Volume:35, Issue: 8)

}}

{{cite web

|last=Gutmann

|first=Peter

|author-link = Peter Gutmann (computer scientist)

|title=Everything you Never Wanted to Know about PKI but were Forced to Find Out

|url=http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf|access-date=14 November 2011

}}

• Use of blocklisting invalid certificates (using CRLs and OCSP),
• If the client only trusts certificates when CRLs are available, then they lose the offline capability that makes PKI attractive. So most clients do trust certificates when CRLs are not available, but in that case an attacker that controls the communication channel can disable the CRLs. Adam Langley of Google has said soft-fail CRL checks are like a safety belt that works except when you have an accident.{{cite web|last1=Langley|first1=Adam|title=Revocation checking and Chrome's CRL|date= 5 February 2012|url=https://www.imperialviolet.org/2012/02/05/crlsets.html|publisher=Imperial Violet|access-date=2 February 2017}}
• CRLs are notably a poor choice because of large sizes and convoluted distribution patterns,
• Ambiguous OCSP semantics and lack of historical revocation status,
• Revocation of root certificates is not addressed,
• Aggregation problem: Identity claims (authenticate with an identifier), attribute claims (submit a bag of vetted attributes), and policy claims are combined in a single container. This raises privacy, policy mapping, and maintenance issues.{{clarify|date=March 2018}}
• Delegation problem: CAs cannot technically restrict subordinate CAs from issuing certificates outside a limited namespaces or attribute set; this feature of X.509 is not in use. Therefore, a large number of CAs exist on the Internet, and classifying them and their policies is an insurmountable task. Delegation of authority within an organization cannot be handled at all, as in common business practice.{{Cite web|date=2014-01-27|title=Security Systems Business Plan Sample [2021]|url=https://www.ogscapital.com/article/securing-the-business-plan-for-the-security-systems-business/|access-date=2021-06-30|website=OGScapital}}{{Failed verification|date=January 2024|reason=commercial link largely, if not entirely unrelated to the topic}}
• Federation problem: Certificate chains that are the result of subordinate CAs, bridge CAs, and cross-signing make validation complex and expensive in terms of processing time. Path validation semantics may be ambiguous. The hierarchy with a third-party trusted party is the only model. This is inconvenient when a bilateral trust relationship is already in place.
• Issuance of an Extended Validation (EV) certificate for a hostname doesn't prevent issuance of a lower-validation certificate valid for the same hostname, which means that the higher validation level of EV doesn't protect against man-in-the-middle attacks.{{cite web|url=https://www.blackhat.com/presentations/bh-usa-09/SOTIROV/BHUSA09-Sotirov-AttackExtSSL-PAPER.pdf|title=Sub-Prime PKI: Attacking Extended Validation SSL|publisher=Blackhat|date=July 2009|author1=Michael Zusman|author2=Alexander Sotirov|access-date=10 September 2020}}

• The person or organization that purchases a certificate will often utilize the least expensive certification authority. In response, CA's have cut prices and removed more expensive validation checks in what is known as a Race to the Bottom. The Race to the Bottom is partly addressed by Extended Validation (EV) certificates, yet trust value in the eyes of security experts are diminishing.{{cite web|last1=Hunt|first1=Troy|title=Extended Validation Certificates are Dead|url=https://www.troyhunt.com/extended-validation-certificates-are-dead/|work=TroyHunt.com|date=17 September 2018 |access-date=26 February 2019|ref=troyhuntevcertsdead}} According to Peter Gutmann, EV certificates do not add any additional security controls. Rather, EV certificates merely restore CA profits to levels prior to the Race to the Bottom by allowing a CA to charge more for a service they should have been providing all along. The Race to the Bottom is also partly addressed by certificate authorities like Let's Encrypt that provide certificates free of charge.{{cite web | title=Let's Encrypt | website=

Let's Encrypt

| date=2023-07-10 | url=https://letsencrypt.org/ | ref={{sfnref|

Let's Encrypt

|2023}} | access-date=2025-04-08}} Let's Encrypt has also become the largest provider of certificates with over 500 million websites using it.{{Cite web |date=2020-11-17 |title=For A Better Internet - ISRG 2020 Annual Report |url=https://www.abetterinternet.org/documents/2020-ISRG-Annual-Report.pdf |access-date=2021-05-11 |website=Internet Security Research Group}}{{cite web | title=Let's Encrypt Stats | website=Let's Encrypt | date=2023-07-10 | url=https://letsencrypt.org/stats/ | access-date=2025-04-08}}

• Certification authorities attempt to deny almost all warranties to the user and relying parties in their Certification Practice Statement (CPS). For example, Apple Inc states in their CPS, "To the extent permitted by applicable law, Subscriber agreements, if applicable, disclaim warranties from Apple, including any warranty of merchantability or fitness for a particular purpose".{{cite web |title=Certification Authority — Certification Practice Statement |url=https://www.apple.com/certificateauthority/pdf/Apple_AAI_CPS_v6.1.pdf |publisher=Apple, Inc |version=Version 6.1 |date=August 19, 2016}}
• According to Peter Gutmann, "Users use an undefined certification request protocol to obtain a certificate which is published in an unclear location in a nonexistent directory with no real means to revoke it"
• Like all businesses, CAs are subject to the legal jurisdictions they operate within, and may be legally compelled to compromise the interests of their customers and their users. Intelligence agencies have also made use of false certificates issued through extralegal compromise of CAs, such as DigiNotar, to carry out man-in-the-middle attacks.{{citation needed|date=May 2014}} Another example is a revocation request of the CA of the Dutch government, because of a Dutch law passed in 2018, giving new powers for the Dutch intelligence and security services{{cite web|last1=van Pelt|first1=Cris|title=Logius: Dutch Government CA trust issue|url=https://bugzilla.mozilla.org/show_bug.cgi?id=1408647|work=Bugzilla|access-date=31 October 2017|ref=vanPelt}}

Implementations suffer from design flaws, bugs, different interpretations of standards and lack of interoperability of different standards. Some problems are:

• Many implementations turn off revocation check:
• Seen as obstacle, policies are not enforced
• If it was turned on in all browsers by default, including code signing, it would probably crash the infrastructure
• DNs are complex and little understood (lack of canonicalization, internationalization problems)
• rfc822Name has two notations
• Name and policy constraints hardly supported
• Key usage ignored, first certificate in a list being used
• Enforcement of custom OIDs is difficult
• Attributes should not be made critical because it makes clients crash
• Unspecified length of attributes lead to product-specific limits
• There are implementation errors with X.509 that allow e.g. falsified subject names using null-terminated strings{{cite web|url=https://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf|title=More Tricks for Defeating SSL in Practice|author=Moxie Marlinspike|publisher=Blackhat|date=2009|department=Institute For Disruptive Studies|access-date=10 September 2020}} or code injection attacks in certificates
• By using illegalRec. ITU-T X.690, clause 8.19.2 0x80 padded subidentifiers of object identifiers, wrong implementations or by using integer overflows of the client's browsers, an attacker can include an unknown attribute in the CSR, which the CA will sign, which the client wrongly interprets as "CN" (OID=2.5.4.3). Dan Kaminsky demonstrated this at the 26th Chaos Communication Congress "Black OPs of PKI"{{cite web|url=https://events.ccc.de/congress/2009/Fahrplan/events/3658.en.html|title=26C3: Black Ops Of PKI|date=29 December 2009|publisher=Der Chaos Computer Club|work=CCC Events Blog|access-date=29 September 2013|author=Dan Kaminsky}}

Digital signature systems depend on secure cryptographic hash functions to work. When a public key infrastructure allows the use of a hash function that is no longer secure, an attacker can exploit weaknesses in the hash function to forge certificates. Specifically, if an attacker is able to produce a hash collision, they can convince a CA to sign a certificate with innocuous contents, where the hash of those contents is identical to the hash of another, malicious set of certificate contents, created by the attacker with values of their choosing. The attacker can then append the CA-provided signature to their malicious certificate contents, resulting in a malicious certificate that appears to be signed by the CA. Because the malicious certificate contents are chosen solely by the attacker, they can have different validity dates or hostnames than the innocuous certificate. The malicious certificate can even contain a "CA: true" field making it able to issue further trusted certificates.

• MD2-based certificates were used for a long time and were vulnerable to preimage attacks. Since the root certificate already had a self-signature, attackers could use this signature and use it for an intermediate certificate.
• In 2005, Arjen Lenstra and Benne de Weger demonstrated "how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys", achieved using a collision attack on the MD5 hash function.{{cite tech report |first1=Arjen |last1=Lenstra |first2=Benne |last2=de Weger |title=On the possibility of constructing meaningful hash collisions for public keys |url=http://www.win.tue.nl/~bdeweger/CollidingCertificates/ddl-full.pdf |access-date=28 September 2013|date=19 May 2005 |archive-url=https://web.archive.org/web/20130514200135/http://www.win.tue.nl/~bdeweger/CollidingCertificates/ddl-full.pdf |archive-date=14 May 2013|url-status=live |publisher=Lucent Technologies, Bell Laboratories & Technische Universiteit Eindhoven}}
• In 2008, Alexander Sotirov and Marc Stevens presented at the Chaos Communication Congress a practical attack that allowed them to create a rogue Certificate Authority, accepted by all common browsers, by exploiting the fact that RapidSSL was still issuing X.509 certificates based on MD5.{{cite web|url=http://www.win.tue.nl/hashclash/rogue-ca/ |title=MD5 considered harmful today |publisher=Eindhoven University of Technology |date=16 June 2011 |access-date=29 September 2013}}
• In April 2009 at the Eurocrypt Conference,{{cite web|url=https://www.iacr.org/conferences/eurocrypt2009/|title=Eurocrypt 2009|publisher=International Association for Cryptologic Research}} Australian Researchers of Macquarie University presented "Automatic Differential Path Searching for SHA-1".{{cite web|url=http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf|title=SHA-1 collisions now|author1=Cameron McDonald|author2=Philip Hawkes|author3=Josef Pieprzyk|date=2009|publisher=Macquarie University and Qualcomm|access-date=10 September 2020}} The researchers were able to deduce a method which increases the likelihood of a collision by several orders of magnitude.{{cite web|title=SHA-1 Collision Attacks Now 252 |url=https://www.secureworks.com/blog/research-20935|publisher=SecureWorks Insights|access-date=24 February 2016|author=Dennis Dwyer|date=2 June 2009}}
• In February 2017, a group of researchers led by Marc Stevens produced a SHA-1 collision, demonstrating SHA-1's weakness.{{Cite web|url=https://shattered.io/static/shattered.pdf|title=The first collision for full SHA-1|author1=Marc Stevens|author2=Elie Bursztein|author3=Pierre Karpman|author4=Ange Albertini|author5=Yarik Markov|publisher=CWI Amsterdam & Google Research|access-date=10 September 2020|via=Shattered}}

Exploiting a hash collision to forge X.509 signatures requires that the attacker be able to predict the data that the certificate authority will sign. This can be somewhat mitigated by the CA generating a random component in the certificates it signs, typically the serial number. The CA/Browser Forum has required serial number entropy in its Baseline Requirements Section 7.1 since 2011.{{Cite news|url=https://cabforum.org/baseline-requirements-documents/|title=Baseline Requirements Documents|work=CA Browser Forum|access-date=19 March 2017}}

{{As of|2016|01|01|df=US}}, the Baseline Requirements forbid issuance of certificates using SHA-1. {{As of|2017|alt=As of early 2017}}, Chrome{{cite news|url=https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html|title=SHA-1 Certificates in Chrome|date=16 November 2016|work=Google Online Security Blog|access-date=19 March 2017|author=Andrew Whalley}} and Firefox{{Cite web|url=https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/|title=The end of SHA-1 on the Public Web|work=Mozilla Security Blog|date=23 February 2017 |access-date=19 March 2017}} reject certificates that use SHA-1. {{As of|2017|05|df=US}} both Edge{{Cite web|url=https://technet.microsoft.com/en-us/library/security/4010323.aspx|title=Microsoft Security Advisory 4010323|work=Technet|publisher=Microsoft|access-date=16 May 2017}} and Safari{{Cite news|url=https://support.apple.com/en-us/HT207459|title=Safari and WebKit do not support SHA-1 certificates|date=16 August 2018|work=Apple Support|access-date=10 September 2020}} are also rejecting SHA-1 certificate. OpenSSL began rejecting SHA-1 certificates by default in version 3.0, released September 2021.{{Cite web |title=openssl/NEWS.md at master · openssl/openssl |url=https://github.com/openssl/openssl/blob/master/NEWS.md#major-changes-between-openssl-111-and-openssl-300-7-sep-2021 |access-date=2025-02-16 |website=GitHub |language=en}}

• PKCS7 (Cryptographic Message Syntax Standard — public keys with proof of identity for signed and/or encrypted message for PKI){{Ref RFC|2315}}
• Transport Layer Security (TLS) and its predecessor SSL — cryptographic protocols for Internet secure communications.{{Ref RFC|5246}}
• Online Certificate Status Protocol (OCSP){{Ref RFC|6960}} / certificate revocation list (CRL){{Ref RFC|5280}} — this is to check certificate revocation status
• PKCS12 (Personal Information Exchange Syntax Standard) — used to store a private key with the appropriate public key certificate{{cite web|url=https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs12-personal-information-exchange-syntax-standard.htm|publisher=RSA Laboratories|title=PKCS 12: Personal Information Exchange Syntax Standard|work=EMC.com|access-date=19 March 2017|archive-date=6 July 2017|archive-url=https://web.archive.org/web/20170706095929/https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs12-personal-information-exchange-syntax-standard.htm|url-status=dead}}
• {{IETF RFC|4158}} — Certification Path Building — guidance and recommendations for building X.509 public-key certification paths within applications (i.e., validating an end-entity certificate using a CA certificate)

In 1995, the Internet Engineering Task Force in conjunction with the National Institute of Standards and Technology{{cite web|url=https://datatracker.ietf.org/wg/pkix/charter/|title=Public-Key Infrastructure (X.509) (pkix) - Charter|publisher=Internet Engineering Task Force|access-date=1 October 2013|work=IETF Datatracker}} formed the Public-Key Infrastructure (X.509) working group. The working group, concluded in June 2014,{{Cite web|url=https://tools.ietf.org/wg/pkix/|title=Pkix Status Pages|work=IETF Tools|access-date=10 March 2017}} is commonly referred to as "PKIX." It produced RFCs and other standards documentation on using and deploying X.509 in practice. In particular it produced {{IETF RFC|3280}} and its successor RFC 5280, which define how to use X.509 in Internet protocols.

TLS/SSL and HTTPS use the {{IETF RFC|5280}} profile of X.509, as do S/MIME (Secure Multipurpose Internet Mail Extensions) and the EAP-TLS method for WiFi authentication. Any protocol that uses TLS, such as SMTP, POP, IMAP, LDAP, XMPP, and many more, inherently uses X.509.

IPsec can use the {{IETF RFC|4945}} profile for authenticating peers.

The [https://apps.cablelabs.com/specification/opencable-security-specification OpenCable security specification] defines its own profile of X.509 for use in the cable industry.

Devices like smart cards and TPMs often carry certificates to identify themselves or their owners. These certificates are in X.509 form.

The WS-Security standard defines authentication either through TLS or through its own certificate profile.{{Cite web|url=https://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-x509TokenProfile-v1.1.1-os.html|title=Web Services Security X.509 Token Profile Version 1.1.1|publisher=Oasis|access-date=14 March 2017}} Both methods use X.509.

The Microsoft Authenticode code signing system uses X.509 to identify authors of computer programs. Secure Boot feature of UEFI uses X.509 to authenticate UEFI drivers or bootloaders during booting and disallow blocklisted drivers or bootloaders (by using Forbidden Key Exchange or dbx database).{{Cite web |last=Smith |first=Roderick W. |date=2012-11-04 |title=Managing EFI Boot Loaders for Linux: Controlling Secure Boot (Managing Keys from Linux) |url=https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#linux |access-date=2025-02-20 |website=Roderick W. Smith's Web Page}}

The OPC UA industrial automation communication standard uses X.509.

SSH generally uses a Trust On First Use security model and doesn't have need for certificates. However, the popular OpenSSH implementation does support a CA-signed identity model based on its own non-X.509 certificate format.{{Cite web|url=https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu|title=How To Create an SSH CA to Validate Hosts and Clients with Ubuntu|publisher=DigitalOcean|access-date=19 March 2017}}

• Abstract Syntax Notation One
• Certificate policy
• Code Access Security
• Communications security
• Information security
• ISO/IEC JTC 1
• PKI Resource Query Protocol
• Public-key cryptography
• Public Key Infrastructure
• Time stamp protocol
• Trusted timestamping
• EdDSA

{{Reflist|30em}}

• [https://www.itu.int/rec/T-REC-X.509/en ITU-T's X.509 standards]
• Peter Gutmann's articles:
• [https://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf Overview of PKI]
• [https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt X.509 implementation notes and style guide]
• {{cite web|url=http://www.rsasecurity.com/rsalabs/node.asp?id=2155|title=Crypto FAQ from RSA Labs|archive-url=https://web.archive.org/web/20061230232250/http://www.rsasecurity.com/rsalabs/node.asp?id=2155|archive-date=30 December 2006|url-status=dead|publisher=RSA Laboratories}}
• [http://java.sun.com/security/seccodeguide.html Secure code guidelines] Sun
• {{IETF RFC|4158|link=no}} - Internet X.509 Public Key Infrastructure: Certification Path Building
• {{IETF RFC|5280|link=no}} - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
• [https://technet.microsoft.com/en-us/library/bb123848(v=exchg.65).aspx Understanding Digital Certificates] Microsoft TechNet

Category:Cryptographic protocols

Category:Public-key cryptography

Category:ITU-T recommendations

Category:ITU-T X Series Recommendations

Category:X.500