Certificate Components

Last Updated : Sep 20, 2024 |

Certificates are made up of a number of fields. Depending on the type and usage, the fields can be mandatory or optional.

Components

Description

Version

Usually V3 – indicating X.509 v3 format

Serial Number

A unique number used to uniquely identify the certificate. There is no requirement that the number is actually serialized, just that it is unique.

Signature Algorithm

The cryptographic algorithm used to create the signature. For example sha256RSA.

Issuer

Details of the certificate authority (CA) that issued the certificate. This consists of a number of sub-fields:

  • C = Country.

  • ST = State.

  • L = Location.

  • O = Organization.

  • CN = Common Name. Also called the certificate 'Name'.

  • OU = Organization Unit.

  • E = Email.

Subject

Details of the device or server to which the certificate belongs. This consists of the same sub-fields as the Subject above.

Issued By

Matches the common name (CN) of the certificate Issuer.

Issued To

Matches the common name (CN) of the certificate Subject.

Valid From

The UTC date and time from which the certificate is valid. All clients and servers using certificates require an accurate time source to validate certificates.

Valid To

The UTC date and time at which the certificate expires.

  • Avoid using excessively long date ranges for certificates as that increases potential risks.

  • Some clients and services will refuse certificates that exceed a specific date range, even if the certificate is valid.

Subject Alternative Name(s)

The Subject Alternative Name(s) (SAN) lists alternative names linked with the device identified by the certificate. Certificate recipients can use these to verify the source of the certificate.

  • The SAN can contain multiple entries. You must separate each with a comma and no spaces.

  • Each entry is prefixed with an entry type indicator. For example:

    • DNS = A domain name or fully-qualified domain name.

    • IP: = An IP address. This can be an IPv4 or IPv6 address.

    • URI: = The address of a service provided by the device. For example; URI:SIP:example.com.

Enhanced Key Usage

This setting is frequently also called Extended Key Usage and EKU. It indicates the purposes for which the Public Key can be used. For example: Server Authentication and Client Authentication.

Basic Constraints

This part of a certificate can contain the certificates Subject Type and Path Length Constraint as below.

Subject Type

Indicates the type of the certificate. For example:

  • CA = CA Root certificate.

  • End Entity = Identity certificate.

Path Length Constraint

Sets the depth (number) of intermediate CA certificates allowed between a root certificate and end-entity certificate. For example:

  • 0 = No intermediate CA certificates. The root CA certificate can only issue end-entity certificates.

  • 1 = Allow only one intermediate CA certificate between the root CA certificate and end-entity certificate.

  • None = These is no restriction on the number of intermediate CA certificates.

Key Usage

The purposes for which you can use the certificate's public key, for example: certificate signing, encryption, authentication.

Subject Key Identifier

The certificate issuers digital signature, encrypted with their private key. This can be decrypted with the issuer's public key found in the issuer's certificate.

Public Key Algorithm

The public key type and size.

  • Keys less than 2048-bits are regard as insecure. They are not accepted by many devices and servers.

Public Key

The public key.

There are other fields that may be present, see RFC5280 for more information.

Related information
Certificates