4.2.1 X.509 certificate structure
An X.509 certificate usually contains information about the certificate holder, the signer, a unique serial number, expiration dates and some other fields [PKIX] as shown in Table 4.1.
Field | Description |
---|---|
version | The field that indicates the version of the certificate. |
serialNumber | This field holds a unique serial number per certificate. |
signature | The issuing authority’s signature. |
issuer | Holds the issuer’s distinguished name. |
validity | The activation and expiration dates. |
subject | The distinguished name of the certificate’s subject. |
extensions | The extensions are fields only present in version 3 certificates. |
Table 4.1: X.509 certificate fields.
The certificate’s subject or issuer name is not just a single string. It is a distinguished name, which in ASN.1 notation is a sequence of several object identifiers with their corresponding values. Some of the OIDs available for use in an X.509 distinguished name are defined in ‘gnutls/x509.h’.
The version field in a certificate has the value 1 for version 1 certificates or 3 for version 3 certificates. Version 1 certificates do not support the extensions field, so it is not possible to distinguish a CA from a person; their usage should therefore be avoided.
The validity dates are there to indicate the date that the specific certificate was activated and the date the certificate’s key would be considered invalid.
Certificate extensions are there to include information about the certificate’s subject that did not fit in the typical certificate fields. Those may be e-mail addresses, flags that indicate whether the certificate belongs to a CA, etc. All the supported X.509 version 3 extensions are shown in Table 4.2.
Extension | OID | Description |
---|---|---|
Subject key id | 2.5.29.14 | An identifier of the key of the subject. |
Authority key id | 2.5.29.35 | An identifier of the authority’s key used to sign the certificate. |
Subject alternative name | 2.5.29.17 | Alternative names to subject’s distinguished name. |
Key usage | 2.5.29.15 | Constrains the usage of the certificate’s key. |
Extended key usage | 2.5.29.37 | Constrains the purpose of the certificate. |
Basic constraints | 2.5.29.19 | Indicates whether this is a CA certificate or not, and specifies the maximum path lengths of certificate chains. |
CRL distribution points | 2.5.29.31 | This extension is set by the CA, in order to inform about the issued CRLs. |
Proxy Certification Information | 1.3.6.1.5.5.7.1.14 | Proxy Certificates include this extension, which contains the OID of the proxy policy language used and can specify limits on the maximum lengths of proxy chains. Proxy Certificates are specified in [RFC3820]. |
Table 4.2: X.509 certificate extensions.
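To show how the dotted OIDs of Table 4.2 appear inside a certificate, the following added example (not GnuTLS code and not part of the original manual) decodes one DER-encoded extension and reads the CA flag from Basic constraints. The names `tlv`, `oid_to_str`, `parse_ext` and `SAMPLE_EXT` are hypothetical, the sample bytes are constructed, and only short-form DER lengths (under 128 bytes) are handled.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned char u8;

/* Constructed sample: a critical Basic constraints extension, cA=TRUE, pathLen=0. */
static const u8 SAMPLE_EXT[] = { 0x30,0x12, 0x06,0x03,0x55,0x1D,0x13, 0x01,0x01,0xFF,
                                 0x04,0x08, 0x30,0x06, 0x01,0x01,0xFF, 0x02,0x01,0x00 };

/* Read one TLV with the given tag (short-form length only); NULL if absent or malformed. */
static const u8 *tlv(const u8 **p, const u8 *end, u8 tag, size_t *len) {
    if (end - *p < 2 || (*p)[0] != tag || (*len = (*p)[1]) >= 0x80) return NULL;
    if ((size_t)(end - *p) - 2 < *len) return NULL;      /* content runs past the buffer */
    const u8 *c = *p + 2;
    *p = c + *len;                                       /* advance only on success */
    return c;
}

/* Decode OID content octets (base-128 sub-identifiers) to dotted form; 0 on success. */
int oid_to_str(const u8 *d, size_t n, char *out, size_t cap) {
    unsigned long v = 0; size_t w = 0;
    if (n == 0 || (d[n - 1] & 0x80)) return -1;          /* empty or truncated */
    for (size_t i = 0; i < n; i++) {
        if ((v == 0 && d[i] == 0x80) || v >> (8 * sizeof v - 7)) return -1; /* padding/overflow */
        v = (v << 7) | (d[i] & 0x7F);
        if (d[i] & 0x80) continue;                       /* sub-identifier continues */
        int r = w ? snprintf(out + w, cap - w, ".%lu", v) /* first one packs two arcs */
                  : snprintf(out, cap, "%lu.%lu", v < 80 ? v / 40 : 2, v < 80 ? v % 40 : v - 80);
        if (r < 0 || (size_t)r >= cap - w) return -1;    /* output buffer too small */
        w += (size_t)r; v = 0;
    }
    return 0;
}

/* Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING } */
int parse_ext(const u8 *der, size_t n, char *oid, size_t cap, int *critical, int *is_ca) {
    const u8 *p = der, *end = der + n, *c; size_t len;
    *critical = *is_ca = 0;
    if (!(c = tlv(&p, end, 0x30, &len)) || p != end) return -1;
    p = c;                                               /* descend into the SEQUENCE */
    if (!(c = tlv(&p, end, 0x06, &len)) || oid_to_str(c, len, oid, cap)) return -1;
    if ((c = tlv(&p, end, 0x01, &len)) && len != 1) return -1;   /* malformed BOOLEAN */
    if (c) *critical = c[0] != 0;                        /* absent means FALSE */
    if (!(c = tlv(&p, end, 0x04, &len)) || p != end) return -1;
    if (strcmp(oid, "2.5.29.19") != 0) return 0;         /* not Basic constraints */
    p = c; end = c + len;                                /* BasicConstraints SEQUENCE */
    if (!(c = tlv(&p, end, 0x30, &len)) || p != end) return -1;
    if (len >= 3 && c[0] == 0x01 && c[1] == 0x01) *is_ca = c[2] != 0;
    return 0;
}
```

An empty Basic constraints sequence leaves `*is_ca` at 0, matching the DER default of cA=FALSE.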
In GnuTLS the X.509 certificate structures are handled using the gnutls_x509_crt_t type and the corresponding private keys with the gnutls_x509_privkey_t type. All the available functions for X.509 certificate handling have their prototypes in ‘gnutls/x509.h’. An example program to demonstrate the X.509 parsing capabilities can be found at ex:x509-info.
This document was generated on January 4, 2012 using texi2html 5.0.