X.509 证书定义

概念

• 证书撤销列表 certificate revocation list (CRL)
• 证书颁发机构 certification authority (CA)
• 注册机构 registration authority (RA)
• 公用密钥基础设施 Public Key Infrastructure (PKI)

编码

• DER X.509依赖于的唯一编码规则（distinguished encoding rules,DER）是BER的子集
• PEM 基于DER编码后内容使用BASE64编码且带头带尾的特定格式

证书相关文件后缀

• PEM
• CER
• CRT

证书字段

 Certificate  ::=  SEQUENCE  {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING  }

TBSCertificate

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  EXPLICIT Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     extensions      [3]  EXPLICIT Extensions OPTIONAL
                          -- If present, version MUST be v3
     }

Version

Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

CertificateSerialNumber

CertificateSerialNumber  ::=  INTEGER

AlgorithmIdentifier

AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }

Name

 Name ::= CHOICE { -- only one possibility for now --
     rdnSequence  RDNSequence }

   RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

   RelativeDistinguishedName ::=
     SET SIZE (1..MAX) OF AttributeTypeAndValue

   AttributeTypeAndValue ::= SEQUENCE {
     type     AttributeType,
     value    AttributeValue }

   AttributeType ::= OBJECT IDENTIFIER

   AttributeValue ::= ANY -- DEFINED BY AttributeType

   DirectoryString ::= CHOICE {
         teletexString           TeletexString (SIZE (1..MAX)),
         printableString         PrintableString (SIZE (1..MAX)),
         universalString         UniversalString (SIZE (1..MAX)),
         utf8String              UTF8String (SIZE (1..MAX)),
         bmpString               BMPString (SIZE (1..MAX)) }

Validity

Validity ::= SEQUENCE {
     notBefore      Time,
     notAfter       Time 
    
    }

Time

Time ::= CHOICE {
     utcTime        UTCTime,
     generalTime    GeneralizedTime }

UniqueIdentifier

UniqueIdentifier  ::=  BIT STRING

SubjectPublicKeyInfo

SubjectPublicKeyInfo  ::=  SEQUENCE  {
     algorithm            AlgorithmIdentifier,
     subjectPublicKey     BIT STRING  }

Extensions

Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

Extension

Extension  ::=  SEQUENCE  {
     extnID      OBJECT IDENTIFIER,
     critical    BOOLEAN DEFAULT FALSE,
     extnValue   OCTET STRING
                 -- contains the DER encoding of an ASN.1 value
                 -- corresponding to the extension type identified
                 -- by extnID
     }

参考资料

https://datatracker.ietf.org/doc/html/rfc5280#ref-X.690 https://www.cnblogs.com/NathanYang/p/9951282.html https://www.cnblogs.com/20175211lyz/p/12722360.html