X.509 v3 证书字段解释

一， X.509证书是什么？

    复杂来说，X.509是由国际电信联盟（ITU-T）制定的数字证书标准。为了提供公用网络用户目录信息服务，ITU于1988年制定了X.500系列标准。其中X.500和X.509是安全认证系统的核心，X.500定义了一种区别命名规则，以命名树来确保用户名称的唯一性；X.509则为X.500用户名称提供了通信实体鉴别机制，并规定了实体鉴别过程中广泛适用的证书语法和数据接口，X.509称之为证书。

    简单来说，X.509是一套数字证书的体系标准，它标准化了一个通用的、灵活的证书格式。X.509是X.500标准系列的一部分，在PKI的发展中，X.509起到了无可比拟的作用，其丰富的证书携带信息使之成为当前最流行的证书存储格式。

二，什么是LDAP？

    LDAP，它的英文全称是Lightweight Directory Access Protocol，轻量级目录访问协议。它是基于X.500标准的，但是简单多了并且可以根据需要定制。LDAP不是数据库而是用来访问存储在信息目录（也就是LDAP目录）中的信息的协议。也就是说"通过使用LDAP，可以在信息目录的正确位置读取（或存储）数据"，LDAP主要是优化数据读取的性能。与X.500不同，LDAP支持TCP/IP，这对访问Internet是必须的。

三，x509 v3证书格式都有哪些字段?（写英文了，因为工作环境都是英文，需要中文的自己翻译一下即可）

    1. Subject. Provides the name of the computer, user, network device, or service that the CA issues the certificate to. The subject name is commonly represented by using an X.500 or Lightweight Directory Access Protocol (LDAP) format.

    2. Serial Number. Provides a unique identifier for each certificate that a CA issues.

    3. Issuer. Provides a distinguished name for the CA that issued the certificate. The issuer name is

commonly represented by using an X.500 or LDAP format.

    4. Valid From. Provides the date and time when the certificate becomes valid. 

    5. Valid To. Provides the date and time when the certificate is no longer considered valid.

    6. Public Key. Contains the public key of the key pair that is associated with the certificate.

    7. Subject Key Identifier. The public key identity of user subject which is used to distinguish different

    key pairs of one certificate owner.

    8. Authority Key Identifier. Authority's public key identity.

    9. Subject alternative name. A subject can be presented in many different formats. 

    10. CRL distribution points (CDP). When a user, service, or computer presents a certificate, an          application or service must determine whether the certificate has been revoked before its validity            period has expired. 

    11. Authority Information Access (AIA). The AIA extension provides one or more URLs from where an application or service can retrieve the issuing CA certificate. 

    12. Thumbprint algorithm. The algorithm used to derive Hash message..

    13. Thumbprint. The signature applied to the certificate Hash message by issuer or CA.

    14.Enhanced Key Usage (EKU). This attribute includes an object identifier (OID) for each application or service a certificate can be used for. 

    15.Certificate policies. Describes what measures an organization takes to validate the identity of a certificate requestor before it issues a certificate. 

证书格式其实并没有写全，但一般有这些就够用了。如果我写的有不对的地方，还请各位留言指正。

本文转自 拾瓦兴阁 51CTO博客，原文链接:http://blog.51cto.com/ponyjia/1620121