X.509 Certificate Structure
Examine the fields inside a digital certificate — subject, issuer, validity period, public key, and extensions — and understand what each means.
What Is an X.509 Certificate?
An X.509 certificate is a standardized digital document that binds a public key to an identity. The X.509 standard (defined in RFC 5280) specifies the format, fields, and extensions used in digital certificates worldwide. Every TLS/HTTPS certificate, S/MIME email certificate, code-signing certificate, and client authentication certificate follows the X.509 format. Understanding the structure of an X.509 certificate helps you read certificate information, diagnose certificate errors, and make informed decisions about certificate deployment and validation.
# View an X.509 certificate in human-readable form
openssl x509 -in certificate.pem -noout -text
# Or view a website's certificate directly
# (</dev/null closes stdin so s_client exits once the handshake is done)
openssl s_client -connect example.com:443 </dev/null 2>/dev/null | \
openssl x509 -noout -text
Version, Serial Number, and Algorithm
The first fields in an X.509 certificate establish its basic identity.
Version: X.509 v3 is the current standard (v3 added extensions).
Serial Number: a unique integer assigned by the issuing CA that identifies this specific certificate. CRLs (certificate revocation lists) use it to revoke individual certificates.
Signature Algorithm: the algorithm the CA used to sign the certificate (e.g., sha256WithRSAEncryption or ecdsa-with-SHA256). This field appears twice, once inside the TBSCertificate and once in the outer signature wrapper, and the two values must match.
# Certificate header fields
# Version: 3 (v3 = supports extensions)
# Serial Number:
# 30:4b:7e:bf:36:e3:46:a8
# Signature Algorithm: sha256WithRSAEncryption
# The serial number is used for revocation:
# CRL lists serial numbers of revoked certificates from this CA
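The header fields above, read straight from the DER encoding, including the check that the inner and outer signature algorithm fields agree. This is an added example, not code from the original page; the helper names and the skeleton certificates are constructed for illustration, and only the serial number is taken from the sample output above.

```python
# Added example: read version, serial and both signature algorithm fields from DER (RFC 5280).

def tlv(tag, body):
    """DER-encode one short element (body under 128 bytes, enough for the samples)."""
    return bytes([tag, len(body)]) + body

def read(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def oid(b):
    """Dotted form of an OID body (first arc 0 or 1, enough for these algorithms)."""
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def header_fields(cert_der):
    """Extract the leading certificate fields and compare the two algorithm fields."""
    _, cert, _ = read(cert_der)              # Certificate ::= SEQUENCE
    _, tbs, after_tbs = read(cert)           # tbsCertificate
    _, outer_alg, _ = read(cert, after_tbs)  # outer signatureAlgorithm
    tag, body, pos = read(tbs)
    version = 1                              # v1 when the [0] version tag is absent
    if tag == 0xA0:
        version = read(body)[1][0] + 1       # INTEGER 2 encodes v3
        tag, body, pos = read(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    _, inner_alg, _ = read(tbs, pos)         # tbsCertificate.signature
    return {"version": version, "serial": body.hex(":"),
            "inner": oid(read(inner_alg)[1]), "outer": oid(read(outer_alg)[1]),
            "match": inner_alg == outer_alg}

RSA_SHA256 = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))  # sha256WithRSAEncryption
ECDSA_SHA256 = tlv(0x30, bytes.fromhex("06082a8648ce3d040302"))      # ecdsa-with-SHA256

def sample(inner, outer):  # constructed skeleton: real header fields, empty placeholders after
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes.fromhex("304b7ebf36e346a8"))
              + inner + tlv(0x30, b"") * 4)  # issuer, validity, subject, key left empty
    return tlv(0x30, tbs + outer + tlv(0x03, bytes(9)))  # dummy signature BIT STRING
```

To run header_fields on a real certificate, convert the PEM text to DER first, for example with ssl.PEM_cert_to_DER_cert from the Python standard library.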