ITU-T recommendation X.509 defines a widely used format for digital
certificates.
An X.509 certificate contains:
- Two distinguished names, which uniquely identify the Certificate
  Authority (CA) that issued the certificate and the subject (the
  individual or organization to whom the certificate was issued). A
  distinguished name is made up of several optional components:
  - Common name
  - Organizational unit
  - Organization
  - Locality
  - State or Province
  - Country
- A digital signature. The certificate authority creates the signature
  using the public-key encryption technique:
  - A secure hashing algorithm is used to create a digest of the
    certificate's contents.
  - The digest is encrypted with the certificate authority's private key.
  The receiver checks the signature by reversing the process:
  - The signature is decrypted with the CA's public key.
  - A new digest of the certificate's contents is made and compared with
    the decrypted signature. Any discrepancy indicates that the certificate
    may have been altered. The digital signature thus assures the receiver
    that no changes have been made to the certificate since it was issued.
- The subject's domain name. The receiver compares this with the name of
  the actual sender of the certificate.
- The subject's public key.
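The following program is an added example, not part of the original text, showing the pieces listed above in working code using Go's standard crypto/x509 package. It constructs a throwaway CA and a leaf certificate signed by it (every name, hostname and key here is invented for the example), then performs the receiver's checks: re-hashing the signed contents and verifying the CA's signature over them with the CA public key, showing that a one-byte change to the signed contents breaks that check, and comparing the expected peer name with the name carried in the certificate. The distinguished-name components (common name, organizational unit, organization, locality, state or province, country) are filled in on the subject so they can be read back after parsing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the constructed CA certificate and the leaf it issued.
type Chain struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// BuildChain generates a self-signed CA and a leaf certificate signed by it.
// All names below are placeholders invented for this example.
func BuildChain() (*Chain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:   "Example Root CA",
			Organization: []string{"Example Corp"},
			Country:      []string{"US"},
		},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// parent == template produces a self-signed certificate.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject: pkix.Name{ // the subject's distinguished name, all components filled in
			CommonName:         "www.example.test",
			OrganizationalUnit: []string{"Web Services"},
			Organization:       []string{"Example Corp"},
			Locality:           []string{"Austin"},
			Province:           []string{"Texas"},
			Country:            []string{"US"},
		},
		DNSNames:    []string{"www.example.test"}, // the subject's domain name
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The CA's private key signs the leaf; the issuer name is copied from the CA subject.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: ca, Leaf: leaf}, nil
}

// SignatureValid re-hashes the signed portion of cert (the TBSCertificate)
// and checks the signature over it with the issuer's public key.
func SignatureValid(issuer, cert *x509.Certificate) bool {
	return cert.CheckSignatureFrom(issuer) == nil
}

// TamperedSignatureValid flips one byte of the signed contents and re-checks:
// the fresh digest no longer matches what the CA signed, so this returns false.
func TamperedSignatureValid(issuer, cert *x509.Certificate) bool {
	tbs := append([]byte(nil), cert.RawTBSCertificate...)
	tbs[len(tbs)-1] ^= 0x01
	return issuer.CheckSignature(cert.SignatureAlgorithm, tbs, cert.Signature) == nil
}

// HostnameMatches compares the name the receiver expects with the names in the certificate.
func HostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer DN: ", c.Leaf.Issuer.String())
	fmt.Println("subject DN:", c.Leaf.Subject.String())
	fmt.Println("signature valid:        ", SignatureValid(c.CA, c.Leaf))
	fmt.Println("valid after tampering:  ", TamperedSignatureValid(c.CA, c.Leaf))
	fmt.Println("hostname matches:       ", HostnameMatches(c.Leaf, "www.example.test"))
	fmt.Println("wrong hostname matches: ", HostnameMatches(c.Leaf, "other.example.test"))
}
```

CheckSignatureFrom does the digest-and-compare step described above and also refuses issuers that are not marked as a CA; it does not check validity dates or build a path to a trusted root, which is what x509.Certificate.Verify with a configured root pool is for in a real receiver.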