X.509 Certificate
An X.509 certificate is a standardized digital document that says three things: here is a public key, here is who it belongs to, and here is a trusted authority’s signature proving that association is real. It also says when it expires. When your browser connects to a website over HTTPS, the server presents its X.509 certificate. Your browser checks that a CA it trusts signed it, that the domain name matches, and that the certificate has not expired. If all three pass, you get the padlock. The same mechanism works for SSH with hardware tokens, VPN certificates, and email signing.
X.509 is an ITU-T standard (part of X.500 directory services) that defines the structure of public key certificates. Version 3 is universally used today.
Certificate structure (TBSCertificate):
| Field | Description | Example |
|---|---|---|
| Version | Certificate version (v3 = 2) | 2 |
| Serial Number | Unique number from issuing CA | 0x3a5f… |
| Signature Algorithm | Algorithm CA used to sign | ecdsa-with-SHA256 |
| Issuer | Distinguished Name of CA | CN=HomeLab CA |
| Validity | notBefore / notAfter | 2026-01-01 / 2027-01-01 |
| Subject | DN of certificate holder | CN=George McClain,O=HomeLab |
| Public Key | Algorithm and key bytes | EC P-256 public key |
| Extensions | v3 extensions | Key usage, SAN, AKI, SKI |
Key v3 Extensions:
- Subject Alternative Name (SAN): Additional identities (DNS names, IPs, email addresses). Browsers require this; CN alone is deprecated for domain validation.
- Key Usage: Constrains cryptographic operations (digitalSignature, keyEncipherment, etc.)
- Extended Key Usage (EKU): Application-level constraints (serverAuth, clientAuth, codeSigning)
- Authority Key Identifier (AKI): Identifies the CA key that signed this cert (used to build the chain)
- Subject Key Identifier (SKI): Hash of the subject’s public key
- Basic Constraints: `isCA: true/false`, `pathLenConstraint` for CAs
Encoding formats:
- DER: Binary encoding (ASN.1). Used by Java, Windows, hardware tokens.
- PEM: Base64-encoded DER with `-----BEGIN CERTIFICATE-----` headers. Used everywhere else.
- PKCS#12 / PFX: Container format bundling cert + private key + CA chain, protected by password.
Inspecting a certificate:
```bash
# From a file
step certificate inspect cert.pem
# From a YubiKey PIV slot
ykman piv certificates export 9a - | step certificate inspect
# From a live TLS connection
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -text
```
Certificate fingerprint:
A SHA-256 hash of the DER-encoded certificate. Used to uniquely identify a certificate without transmitting it in full. The fingerprint displayed by step ca init for the Root CA is how clients bootstrap trust.
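The PEM and fingerprint definitions above, as an added example that is not part of the original page: the fingerprint is computed over the DER bytes, so PEM line wrapping does not change it, while hashing the PEM file itself gives a different value. The names `to_pem`, `to_der_list`, `fingerprints`, `matches` and `SAMPLE_DER` are hypothetical, and the sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed stand-in bytes: DER-shaped (SEQUENCE tag 0x30) but NOT a real certificate.
SAMPLE_DER = b"\x30\x81\x80" + bytes(range(128))

def to_pem(der: bytes, width: int = 64, eol: str = "\n") -> bytes:
    """Wrap DER bytes in PEM armor (hypothetical helper, used to build sample input)."""
    b64 = base64.b64encode(der).decode()
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    lines = ["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----", ""]
    return eol.join(lines).encode()

def to_der_list(data: bytes) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle or a single DER blob."""
    blocks = PEM_RE.findall(data)
    if blocks:
        # Drop line breaks, then Base64-decode strictly so stray bytes are rejected.
        return [base64.b64decode(b"".join(b.split()), validate=True) for b in blocks]
    if data[:1] == b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        return [data]
    raise ValueError("input is neither PEM nor DER")

def fingerprints(data: bytes) -> list[str]:
    """SHA-256 over the DER encoding of each certificate, as lowercase hex."""
    return [hashlib.sha256(der).hexdigest() for der in to_der_list(data)]

def matches(data: bytes, expected: str) -> bool:
    """Compare a single certificate against a pinned fingerprint.

    Accepts plain hex or colon-separated hex (AB:CD:...), in either case.
    """
    got = fingerprints(data)
    want = expected.replace(":", "").strip().lower()
    return len(got) == 1 and hmac.compare_digest(got[0], want)

if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print("DER fingerprint :", fingerprints(SAMPLE_DER)[0])
    print("PEM fingerprint :", fingerprints(pem)[0])             # same value
    print("hash of PEM file:", hashlib.sha256(pem).hexdigest())  # different value
```

To check a real certificate, read its file as bytes and pass it to `matches` together with the fingerprint you pinned out of band.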
Inspecting a certificate with step
```bash
# Export the certificate from YubiKey slot 9a and inspect it
ykman piv certificates export 9a - | step certificate inspect
# Output shows:
# Subject: CN=George McClain,O=HomeLab
# Issuer: CN=HomeLab CA Intermediate
# Validity:
# Not Before: 2026-01-01T00:00:00Z
# Not After: 2027-01-01T00:00:00Z
# Key Usage: Digital Signature
# Extended Key Usage: Client Authentication
# Subject Alternative Name: email:george@homelab.local
```

X.509 certificates are everywhere in modern IT infrastructure: every HTTPS website, every email client that supports S/MIME, every VPN connection using certificate auth, every code signing pipeline, and every hardware token-based login. Understanding what is inside a certificate - and being able to read one with `step certificate inspect` or `openssl x509 -text` - is a fundamental skill for anyone working in networking, security, or systems administration.

Common real-world problems that trace back to X.509: expired certificates causing service outages (Let’s Encrypt requires 90-day renewal), SAN mismatch errors (the cert was issued for the wrong hostname), and revocation check failures (the CA’s OCSP responder is unreachable). For homelab PIV auth, each YubiKey slot holds one X.509 certificate, and that certificate is what SSH servers and macOS login use to verify your identity.