What is an X.509 Certificate?

An X.509 certificate is something that can be used in software to both:

  1. Verify a person’s identity so you can be sure that the person really is who they say they are.
  2. Send the person who owns the certificate encrypted data that only they will be able to decrypt and read.

Identity Verification

So we’ve said that an X.509 certificate can be used to verify a person’s identity so you can trust that they really are who they say they are.

In this use case, you can think of an X.509 certificate as similar to a national passport. And as with national passports, you are very careful about who would ever have access to it – you would never give your passport away to anyone else.

X.509 certificates contains information about you and only you. And just as a national government acts as an authority for issuing and validating passports, something similar, called a Certificate Authority (CA), exists for X.509 certificates.

Certificate Authority (CA)

A Certificate Authority is a 3rd party trusted by both you and anyone who might verify your identity. That is, when you use your X.509 certificate with someone who needs to verify your identity, you both trust that a certain Certificate Authority has validated your identity. Because the 3rd party trusts that the CA verified you, they in turn trust that your X.509 certificate really represents you and only you.

There are well-known global and public Certificate Authorities, such as Verisign and Digicert. Many companies have their own private Certificate Authorities used to verify employee identities, for example.

Securing your data

In addition to verifying your identity, X.509 certificates can also be used to secure data intended for you so that prying eyes won’t be able to see it. It does this via a mathematical concept known as asymmetric key cryptography.

Asymmetric Key Cryptography

Asymmetric Key cryptography is also known as Public/Private Key cryptography for this reason: one of the two asymmetric keys can be freely given out to the world at large; anyone can see and use it, which is why it is called the ‘public’ key. The other of the two keys however must remain totally private to you, so no one will ever see it or be able to use it. This is naturally called the ‘private’ key because it should remain private always.

The reason Public/Private Key cryptography works is that data locked by the public key can only be unlocked by the private key and vice versa. If someone locks data with the public key, no one else who has the public key can unlock it – not even the person that originally locked it. Only the person with the private key can unlock the data. That is why the public key can be given to and seen by anyone. As long as the private key remains safe, you can rest assured the data is locked safely.

X.509 cryptography

An X.509 certificate is composed of two chunks of information:

  1. Your identifying information, such as your name and maybe address
  2. Your public key

As you can see, your public key is included in the X.509 certificate. This way, anyone who gets your certificate can both verify your identity (via a Certificate Authority) and encrypt data ‘for your eyes only’ with the included public key.

Create an X.509 Certificate

Here is the high level overview of how one would create a validated X.509 certificate:

  1. 使用 cryptographic 软件工具(OpenSSL, the Java keytool, etc),一个用户生成一个 public/private key pair,并且要保持私钥文件的保密。
  2. 使用用户选择的软件工具,和用户的 public key 和一个称为 ‘Distinguished Name’ 的 X.509 等级的名字标记捆绑在一起生成一个称为 certificate 的中间文件。这个 certificate 文件并不是一个有效的 X.509 certificate。
  3. 用户接下来会使用之前生成的 private key 加密这个中间 certificate 文件,然后产生一个新的文件,称为 ‘Certificate Signing Request’ or CSR。如果你查看这个文件的内容,你会看到 —–BEGIN CERTIFICATE REQUEST—–—–END CERTIFICATE REQUEST—– 包围着 Base 64-encoded blob。
  4. 用户下来会提交这个 CSR 文件到 Certificate Authority (Digicert, Verisign, etc),同时提交的还有他的 public key(这样的话 CA 就可以知道如何解密这个 CSR 文件)
  5. CA 使用用户提交的 public key 解密这个 CSR 文件,得到第 2 步得出的中间文件 certificate,中间文件里包含着用户的 Distinguished Name 和用户的 public key。
  6. CA 会核实这个用户的关联这个 CSR 文件中信息的 identity. CA 会要求一些传真身份验证文件:像身份证,驾照,护照之类的。
  7. 一旦 CA 完成里用户提交身份的验证,他们会把中间文件用 CA 自己的 private key 加密,这一步会生成一个新的文件。如果你查看这个文件的内容,你会看到 —–BEGIN CERTIFICATE—–—–END CERTIFICATE—– 包围着 Base 64-encoded blob。这个文件就是一个有效的 X.509 certificate。
  8. CA 会把这个新创建的 有效的 X.509 certificate 文件发给用户。
-->