Appendix A: The ITU-T X.509 Standard for Certificate and CRL Formats | Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)

These tables list and explain the different fields that make up an X.509 certificate and CRL. More detailed information can be found in the ITU-TX.509 Recommendation (version 03/2000), which can be downloaded from the ITU Web site at www.itu.int.

Table A.1: X.509 Certificate Format
X.509 Field Name	Field Meaning	X.509 Version/Optional-Required/Criticality for Extensions
Version	X.509 version of the encoded certificate	V1 Required
SerialNumber	Unique serial number of the certificate. The serial number together with the issuer name identify a unique certificate.	V1 Required
Signature	Contains the algorithm identifier for the algorithm and hash function used by the CA when signing the certificate.	V1 Required
Issuer	Identifies the entity that has signed and issued the certificate.	V1 Required
Validity	Start and end date of the certificate or the time interval during which the CA warrants that it will maintain status information of the	V1 Required
Subject	Identifies the entity associated with the public key found in the subject public key field.	V1 Required
SubjectPublicKeyInfo	Carries public key being certified and identifies the algorithm of which the public key is an instance.	V1 Required
IssuerUniqueIdentifer	Used to uniquely identify an issuer in case of a name reuse.	V2 Optional
SubjectUniqueIdentifier	Used to uniquely identify a subject in case of a name reuse.	V2 Optional
Extensions	Allows addition of new fields to the certificate structure.	V3 Optional
AuthorityKeyIdentifier	Identifies public key to be used for certificate signature verification.	V3 Optional—always Noncritical
SubjectKeyIdentifier	Identifies public key being certified .	V3 Optional—always Noncritical
KeyUsage	Identifies purpose for which the certified public key is used.	V3 Optional—Critical or Non-critical
PrivateKeyUsagePeriod	Indicates period of use of private key corresponding to certified public key.	V3 Optional—always Noncritical
Certificate Policies	Identifies certificate policies, recognized by issuing CA, that apply to this certificate.	V3 Optional—Critical or Non-critical
PolicyMappings	For CA certificates only: Maps certificate policy defined in one domain to policy in another domain.	V3 Optional—always Noncritical
SubjectAltName	Alternative names for the certificate subject.	V3 Optional—Critical or Non-critical
IssuerAltName	Alternative names for the certificate issuer.	V3 Optional—Critical or Non-critical
SubjectDirectoryAttributes	Lists directory attributes for the certificate	V3 Optional—always Noncritical
BasicConstraints	“CA” field: Can public key listed in this certificate be used to verify other certificates? “PathLengthConstraint” field: Maximum number of certificates that can follow this certificate in certification path.	V3 Optional—Critical or Non-critical
NameConstraints	Indicates name space within which all subject names in subsequent certificates in a certification path shall be located.	V3 Optional—Critical or Non-critical
PolicyConstraints	Specifies constraints that may require explicit certificate policy identification or inhibit policy mapping for the remainder of the certification path.	V3 Optional—Critical or Non-critical
InhibitAnyPolicy	Specifies that any-policy is not considered an explicit match for other certificate policies.	V3 Optional—Critical or Non-critical
CRLDistributionPoints	Identifies CRL Distribution Point to which a certificate user should refer to ascertain if the certificate has been revoked.	V3 Optional—Critical or Non-critical
Signature	Digital signature on certificate content.	V1 Required

Table A.2: x.509 CRL Format
X.509 Field Name	Field Meaning	X.509 version/Optional-Required/Criticality for Extensions
Version	X.509 version of the encoded CRL.	Optional
Signature	Contains the algorithm identifier for the algorithm and hash function used by the CA when signing the CRL.	Required
Issuer	Identifies the entity that has signed and issued the CRL.	Required
ThisUpdate	Indicates the issue date of the CRL.	Required
NextUpdate	Indicates the date by which the next CRL will be issued.	Optional
RevokedCertificates	Lists the revoked certificates.	Optional
UserCertificate	Serial number of the revoked certificate.	Required
Revocationdate	Specifies date on which revocation occurred.	Required
CRLentryExtensions	Used to provide additional information on single CRL entries.	Optional—V2 only
ReasonCode	Identifies reason for certificate revocation	Optional—always Noncritical
HoldInstructionCode	Provides a registered instruction identifier indicating the action to be taken after encountering a certificate that has been placed on hold.	Optional—always Noncritical
Invaliditydate	Provides date on which it is suspected that the private key was compromised.	Optional—always Noncritical
CertificateIssuer	Allows a CRL to include entries from more than one certificate issuer.	Optional—always Critical
CrlExtensions	Used to provide additional information on the whole CRL.	Optional—V2 only
AuthorityKeyIdentifier	Provides a means to identify the public key that is needed to validate the CRL signature.	Optional—always Noncritical
IssuerAltName	Allows additional name forms to be associated with the CRL issuer.	Optional—Critical or Noncritical
CRLNumber	Increasing sequence number for each CRL issued by the CRL issuer.	Optional—always Noncritical
deltaCRLIndicator	Identifies a CRL as a delta CRL,	Optional—always Critical
IssuingDistributionPoint	Identifies the CRL distribution point for a CRL and indicates whether the CRL covers revocation for end entity certificates only, CA certificates only, or a limited set of reason codes.	Optional—always Critical
FreshestCRL	Identifies how to obtain delta CRL information for the base CRL containing the extension.	Optional—always Noncritical
SignatureValue	Digital signature on CRL content.	Required