In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates.
X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web.
They are also used in offline applications, like electronic signatures.
An early issue with Public Key Infrastructure (PKI) and X.509 certificates was the well known "which directory" problem.
The problem is the client does not know where to fetch missing intermediate certificates because the global X.500 directory never materialized.
The problem was mitigated by including all intermediate certificates in a request.
For example, early web servers only sent the web server's certificate to the client.
Clients that lacked an intermediate CA certificate or where to find them failed to build a valid path from the CA to the server's certificate.
To work around the problem, web servers now send all the intermediate certificates along with the web server's certificate.
An organization that wants a signed certificate requests one from a CA using a protocol like:
- Certificate Signing Request (CSR)
- Simple Certificate Enrollment Protocol (SCEP)
- Certificate Management Protocol (CMP).
en.wikipedia.org/wiki/X.509#Certificates
The organization first generates a key pair, keeping the private key secret and using it to sign the CSR.
The CSR contains information identifying the applicant and the applicant's public key that is used to verify the signature of the CSR - and the Distinguished Name (DN) that is unique for the person, organization or business.
The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority.
en.wikipedia.org/wiki/X.509#Certificates
The CSR will be validated using a Registration Authority (RA), and then the certification authority will issue a certificate binding a public key to a particular distinguished name.
The roles registration authority and certification authority are usually separate business units under separation of duties to reduce the risk of fraud.
en.wikipedia.org/wiki/X.509#Certificates
An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system.
en.wikipedia.org/wiki/X.509#Certificates
Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed, so SSL certificates from major certificate authorities will work instantly; in effect the browsers' developers determine which CAs are trusted third parties for the browsers' users.
en.wikipedia.org/wiki/X.509#Certificates
A certificate chain (see the equivalent concept of "certification path" defined by RFC 5280 section 3.2) is a list of certificates (usually starting with an end-entity certificate) followed by one or more CA certificates (usually the last one being a self-signed certificate), with the following properties:
- The Issuer of each certificate (except the last one) matches the Subject of the next certificate in the list
- Each certificate (except the last one) is signed by the secret key corresponding to the next certificate in the chain (i.e. the signature of one certificate can be verified using the public key contained in the following certificate)
- The last certificate in the list is a trust anchor: a certificate that you trust because it was delivered to you by some trustworthy procedure
en.wikipedia.org/wiki/X.509#Certificate_chains_and_cross-certification
Certificate chains are used in order to check that the public key contained in a target certificate (the first certificate in the chain) and other data contained in it effectively belongs to its subject.
In order to ascertain this, the signature on the target certificate is verified by using the public key contained in the following certificate, whose signature is verified using the next certificate, and so on until the last certificate in the chain is reached.
As the last certificate is a trust anchor, successfully reaching it will prove that the target certificate can be trusted.
en.wikipedia.org/wiki/X.509#Certificate_chains_and_cross-certification