RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
Publication Date: May 2008
Status: Standards Track Protocol
Authors: D. Cooper (NIST), S. Santesson (Microsoft), S. Farrell (Trinity College Dublin), S. Boeyen (Entrust), R. Housley (Vigil Security), W. Polk (NIST)
Obsoletes: RFC 3280, RFC 4325, RFC 4630
Abstract
This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices.
Table of Contents
Main Sections
- 1. Introduction
- 2. Requirements and Assumptions
  - 2.1 Communication and Topology
  - 2.2 Acceptability Criteria
  - 2.3 User Expectations
  - 2.4 Administrator Expectations
- 3. Overview of Approach
  - 3.1 X.509 Version 3 Certificate
  - 3.2 Certification Paths and Trust
  - 3.3 Revocation
  - 3.4 Operational Protocols
  - 3.5 Management Protocols
- 4. Certificate and Certificate Extensions Profile
  - 4.1 Basic Certificate Fields
  - 4.2 Certificate Extensions
- 5. CRL and CRL Extensions Profile
  - 5.1 CRL Fields
  - 5.2 CRL Extensions
  - 5.3 CRL Entry Extensions
- 6. Certification Path Validation
  - 6.1 Basic Path Validation
  - 6.2 Using the Path Validation Algorithm
  - 6.3 CRL Validation
- 7. Processing Rules for Internationalized Names
  - 7.1 Internationalized Names in Distinguished Names
  - 7.2 Internationalized Domain Names in GeneralName
  - 7.3 Internationalized Domain Names in Distinguished Names
  - 7.4 Internationalized Resource Identifiers
  - 7.5 Internationalized Electronic Mail Addresses
- 8. Security Considerations
- 9. IANA Considerations
- 10. Acknowledgments
- 11. References
  - 11.1 Normative References
  - 11.2 Informative References
Appendices
- Appendix A. Pseudo-ASN.1 Structures and OIDs
  - A.1 Explicitly Tagged Module, 1988 Syntax
  - A.2 Implicitly Tagged Module, 1988 Syntax
- Appendix B. ASN.1 Notes
- Appendix C. Examples
  - C.1 RSA Self-Signed Certificate
  - C.2 End Entity Certificate Using RSA
  - C.3 End Entity Certificate Using DSA
  - C.4 Certificate Revocation List
Related Resources
- Official Text: RFC 5280
- Official Page: RFC 5280 DataTracker
- Errata: RFC Editor Errata
- Updated by: RFC 6818, RFC 8398, RFC 8399
Key Concepts Overview
What is an X.509 Certificate?
An X.509 certificate is a digital document used to prove identity and establish secure communications on the Internet. It forms the foundation of technologies like HTTPS, TLS/SSL, code signing, and email encryption.
Core Functions:
- Identity Verification: Proves "who you are"
- Public Key Distribution: Securely distributes public keys
- Trust Chain: Establishes trust through Certificate Authorities (CAs)
Basic Certificate Structure
    Certificate ::= SEQUENCE {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING
    }
Key Fields (carried inside tbsCertificate, the part of the certificate that is signed):
- Version: Certificate version (v1, v2, v3)
- Serial Number: Unique identifier assigned by CA
- Signature Algorithm: Algorithm used to sign the certificate
- Issuer: DN of the entity that signed the certificate
- Validity: Time period during which the certificate is valid
- Subject: DN of the entity associated with the public key
- Subject Public Key Info: Public key and algorithm identifier
- Extensions: Additional information (v3 only)
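The Certificate structure above maps directly onto DER: one SEQUENCE holding two SEQUENCEs and a BIT STRING. The following added example (not text from RFC 5280 or from this page) splits a DER certificate into those three fields and checks that the outer signatureAlgorithm equals the signature field inside tbsCertificate, as RFC 5280 section 4.1.1.2 requires. The function names and the sample bytes are constructed for illustration.

```python
SEQUENCE, BIT_STRING, INTEGER, VERSION_TAG = 0x30, 0x03, 0x02, 0xA0  # DER tags used by this added example

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """List (tag, raw_element) for each element inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = read_tlv(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out

def split_certificate(der):
    """Split a Certificate into its three fields and compare both AlgorithmIdentifiers."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one top-level SEQUENCE")
    parts = children(body)
    if [t for t, _ in parts] != [SEQUENCE, SEQUENCE, BIT_STRING]:
        raise ValueError("outer fields must be SEQUENCE, SEQUENCE, BIT STRING")
    (_, tbs), (_, sig_alg), (_, sig_val) = parts
    fields = children(read_tlv(tbs)[1])
    skip = 1 if fields and fields[0][0] == VERSION_TAG else 0  # [0] version is optional; serialNumber is at index skip
    match = fields[skip + 1:skip + 2] == [(SEQUENCE, sig_alg)]  # inner signature field follows serialNumber
    return {"tbsCertificate": tbs, "signatureAlgorithm": sig_alg,
            "signatureValue": sig_val, "algorithms_match": match}

def tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n, size = len(body), (len(body).bit_length() + 7) // 8
    header = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + header + body

def sample_certificate(outer_last=0x0B):
    """Constructed skeleton, not a real certificate: version, serial, signature, empty issuer."""
    alg = lambda last: tlv(SEQUENCE, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last])) + tlv(0x05, b""))
    tbs = tlv(SEQUENCE, tlv(VERSION_TAG, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01") + alg(0x0B) + tlv(SEQUENCE, b""))
    return tlv(SEQUENCE, tbs + alg(outer_last) + tlv(BIT_STRING, b"\x00" + bytes(256)))
```

The signature is computed over tbsCertificate only, so the outer signatureAlgorithm is not itself protected; a verifier should reject a certificate whose two algorithm identifiers differ instead of trusting the outer copy.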