Questions tagged [x.509]

X.509 is a standard for a public key infrastructure used for authentication and access control. X.509 specifies standard formats for certificates, revocation lists, attribute certificates, and path validation.

In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) for single sign-on (SSO) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

X.509 was initially issued on July 3, 1988 and was begun in association with the X.500 standard. It assumes a strict hierarchical system of certificate authorities (CAs) for issuing the certificates. This contrasts with web of trust models, like PGP, where anyone (not just special CAs) may sign and thus attest to the validity of others' key certificates. Version 3 of X.509 includes the flexibility to support other topologies like bridges and meshes (RFC 4158).

From Wikipedia X.509

455 questions
30
votes
5 answers

What is the use of cross signing certificates in X.509?

In X.509 architecture what are the uses of cross signing certificates from other hierarchy? Does it just expand trust? So from the answer I am assuming that if CA3 is cross signed by CA2 (from another hierarchy) and CA1 (a parent in its own…
epsilon8
12
votes
1 answer

Why is the Signature Algorithm listed twice in an x509 Certificate?

Section 4.1 of RFC 5280 defines the contents of an x509 Certificate. Specifically, two fields are listed (signatureAlgorithm and signature) and defined to contain the same information: AlgorithmIdentifier: 4.1. Basic Certificate Fields The…
Eddie
10
votes
3 answers

Allowing the public to generate a CSR from your private key

As a hosting provider, I'd like to make the process of generating a certificate for a customer's domain as convenient as possible. I was pondering creating a webpage where anyone could: generate a CSR for a given hostname from our private key take…
MikeyB
3
votes
3 answers

How to determine if an X.509 certificate is a renewal of another known certificate?

In my application, the human user accepts the server's X.509 certificate, verifying the fingerprint during the first-time connection. The fingerprint is stored in the client software. At later connections, only that particular certificate is…
3
votes
1 answer

using commonName for DNS vs subjAltName

According to https://stackoverflow.com/a/26195101/569976#comment41093099_26195101 "[Using the DNS name as the common name is] deprecated by both the IETF and CA/B Forums, and it should not be done. Instead, the DNS names should be placed in the…
neubert
3
votes
0 answers

Examples for use of encipheronly and decipheronly bits in the keyUsage field of a X.509 certificate

I am requesting a real-life example of using the encipheronly or decipheronly bits together with the keyAgreement bit in the keyUsage field of an X.509 certificate. RFC 5280 specifies these bits as follows: "The meaning of the encipherOnly…
user917279
2
votes
2 answers

Is the private key the only entropy in a X509 certificate?

Specifically, if I preserve the private key can I reproduce the exact same (self-signed) certificate at any time? The use case I have is a server-to-server protocol that allows (even encourages) self-signed certificates; where I won't know my exact…
LateralFractal
2
votes
1 answer

CSR's with null bytes in them

According to wikipedia.org's article on X.509 certificates, "There are implementation errors with X.509 that allow e.g. falsified subject names using null-terminated strings Marlinspike Blackhat 2009 or code injections attacks in certificates." My…
neubert
2
votes
1 answer

Is it possible to use X509 to verify other information, like a vaccination?

Background: Germany has decided to implement the proof of vaccination for Corona based on 5 blockchains. It's supposed to be anonymous and safe, and the verification could happen with a QR code. My idea: Use X509 (SSL) certificates to verify that…
Steven
2
votes
1 answer

X509 certification and communication

I am having trouble understanding the concept of X509 encryption and its application to web service communication. The situation is that I (client) would like to communicate with another party (server) securely. To do this, the client obtains an…
2
votes
2 answers

Is SubjectAlternativeName in X.509 always used for DNS Names?

X.509 certificates as of RFC5280 offer the two fields "Subject" and "Subject Alternative Name" that can be used to describe the Subject of the certificate (e.g. a Domain example.com). Section 4.2.1.6 of RFC5280 reads: The subject alternative name…
Niklas
2
votes
1 answer

Role of X.509 in signature verification

My requirement is signing the message with a private key on one side and verifying it on the other side using the public key. SHA256 and rsa:2048 are the algorithms I need to use. May I know whether X.509 is needed for my requirement? If yes, what is its role…
Babu
2
votes
3 answers

Include multiple pub keys in a x509v3-cert

Is it possible to include multiple public keys and the issuer's public key in one x509v3-certificate?
K. Biermann
1
vote
0 answers

Kohnfelder Certificate

The Kohnfelder certificate standard is very similar to the X.509 certificate standard. Comparing the two standards, does one have an advantage over the other? Or what are the pros and cons of both standards?
user44796
1
vote
0 answers

Real world X.509 v2 certificate examples?

Just out of curiosity, could you provide (old) real world X.509 v2 certificate examples that include the deprecated (in some version of X.509) and forbidden (in RFC 5280) issuerUniqueIdentifier or subjectUniqueIdentifier fields? A bonus point would…
Jaime Hablutzel