4.1.1.1 X.509 certificate structure

An X.509 certificate usually contains information about the certificate holder, the signer, a unique serial number, expiration dates and some other fields [PKIX] as shown in Table 4.2.

Field         Description
version       The field that indicates the version of the certificate.
serialNumber  This field holds a unique serial number per certificate.
signature     The issuing authority’s signature.
issuer        Holds the issuer’s distinguished name.
validity      The activation and expiration dates.
subject       The subject’s distinguished name of the certificate.
extensions    The extensions are fields only present in version 3 certificates.

Table 4.2: X.509 certificate fields.

The certificate’s subject or issuer name is not just a single string. It is a Distinguished Name, which in ASN.1 notation is a sequence of several object identifiers (OIDs), each with its corresponding value. Some of the OIDs that may be used in an X.509 distinguished name are defined in gnutls/x509.h.

The Version field in a certificate has the value 1 for version 1 certificates or 3 for version 3 certificates. Version 1 certificates do not support the extensions field, so it is not possible to distinguish a CA’s certificate from a person’s; their use should therefore be avoided.

The validity dates indicate the date on which the specific certificate was activated and the date after which the certificate’s key is considered invalid.

In GnuTLS the X.509 certificate structures are handled using the gnutls_x509_crt_t type and the corresponding private keys with the gnutls_x509_privkey_t type. All the available functions for X.509 certificate handling have their prototypes in gnutls/x509.h. An example program to demonstrate the X.509 parsing capabilities can be found in ex-x509-info.
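As an added example (not from the GnuTLS manual and not using the GnuTLS API), the following minimal DER walker pulls the Table 4.2 fields out of a certificate and shows two points made above: the version element is simply absent in a version 1 certificate, and only a version 3 certificate can carry extensions such as basicConstraints. The certificate it parses is constructed inline with placeholder key and signature bytes, so this demonstrates structure, not signature verification.

```python
def der(tag, body):  # encode one DER TLV with a definite length (short or long form)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlvs(blob):  # decode every TLV in a constructed body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(blob):
        tag, ln, pos = blob[pos], blob[pos + 1], pos + 2
        if ln & 0x80:  # long form: the low 7 bits count the length bytes that follow
            n = ln & 0x7F
            ln, pos = int.from_bytes(blob[pos:pos + n], "big"), pos + n
        out.append((tag, blob[pos:pos + ln]))
        pos += ln
    return out

def dn(body):
    # Name ::= SEQUENCE OF (SET OF SEQUENCE { type OID, value }); OIDs are kept as hex.
    return [(tlvs(atv)[0][1].hex(), tlvs(atv)[1][1].decode())
            for _, rdn in tlvs(body) for _, atv in tlvs(rdn)]

def parse_cert(cert):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs, _sig_alg, _sig = tlvs(tlvs(cert)[0][1])
    fields = tlvs(tbs[1])
    version = 1  # the explicit [0] version element is simply absent in v1
    if fields[0][0] == 0xA0:
        version = int.from_bytes(tlvs(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    # [3] extensions comes after subjectPublicKeyInfo and the optional UIDs; v3 only
    exts = next((tlvs(tlvs(f[1])[0][1]) for f in fields[6:] if f[0] == 0xA3), [])
    return {"version": version, "serialNumber": int.from_bytes(serial[1], "big"),
            "issuer": dn(issuer[1]), "subject": dn(subject[1]),
            "validity": tuple(v.decode() for _, v in tlvs(validity[1])),
            "extensions": [tlvs(e)[0][1].hex() for _, e in exts]}

def sample_cert(v3):
    # Constructed sample (not a real certificate): real field layout, placeholder key and signature.
    name = lambda s: der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, s))))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    tbs = (der(0xA0, der(0x02, b"\x02")) if v3 else b"") + der(0x02, b"\x01\x02\x03") + alg
    tbs += name(b"Example CA") + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs += name(b"example.test") + der(0x30, der(0x03, b"\x00"))  # placeholder SubjectPublicKeyInfo
    if v3:  # basicConstraints (2.5.29.19) CA:TRUE, which a v1 certificate has no field to carry
        bc = der(0x30, der(0x06, bytes.fromhex("551d13")) + der(0x01, b"\xff") + der(0x04, der(0x30, der(0x01, b"\xff"))))
        tbs += der(0xA3, der(0x30, bc))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00"))  # placeholder signature
```

Comparing parse_cert(sample_cert(True)) with parse_cert(sample_cert(False)) shows the same serial, names and validity but version 3 versus 1 and a basicConstraints extension only in the former.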
