Cisco Support Community




X.509 Digital Certificates


Complete Definition

X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key Digital Certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.


In the X.509 system, a CA issues a certificate binding a public key to a particular Distinguished Name in the X.500 tradition, or to an Alternative Name such as an e-mail address or a DNS entry.


An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system. X.509 also includes standards for certificate revocation list (CRL) implementations, an often neglected aspect of PKI systems. The IETF-approved way of checking a certificate's validity is the Online Certificate Status Protocol (OCSP). (Note that WebVPN/SSL VPN does not work with Public Key Infrastructure (PKI) and OCSP on the Cisco Adaptive Security Appliance (ASA)/PIX 7.2(1) and above.) Popular browsers like Internet Explorer and Firefox don't check for certificate revocation by default; the delay that the check introduces could be one of the reasons.


X.509 Wikipedia Definition



  • PKIX for Public Key Infrastructure (X.509) - RFC 3280


Also See: