Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

The Anatomy Of An X.509 Digital Certificate

Digital certificates are frequently used in the online world as a means of identification. The information embedded in the certificates lets anyone verify the identity of an entity with the utmost assurance that they are who they claim to be.

Using certificates for network authentication is one of the best ways to increase your network security and it can be done easily with SecureW2. Read here how an app startup experienced numerous user experience and security benefits by replacing passwords with certificates.

The fact is that certificates are an invaluable tool in the modern world. In this post, we’ll dig deeper into the “anatomy” of the most common type of certificate, the X.509 digital certificate.

Structure of  X.509 Digital Certificate

Each X.509 certificate has a number of attributes based on its certificate template. Common X.509 certificate fields include the following:

  • Subject
  • DNS
  • Issuer
  • Validity
  • Key Size
  • Signature Algorithm
  • Serial Number
  • SAN
  • Policies
  • DACL

We’ll touch on each attribute in more detail below.


Here you can enter the name of the user/device that the CA issues the certificate to. Most organizations opt to use this to store the certificate Common Name, which is almost always the user’s email address.


The Domain Name System (DNS) translates domain names into IP addresses so internet browsers can find and load websites. SAN:DNS is one of the attributes on a certificate and its purpose is to print device information onto the certificate.

However, with SecureW2, you can insert any attribute you wish into any field in the certificate template. Above, you can see that we’ve inserted the Device’s Identity into the DNS field, as it’s really helpful for searching and managing certificates.


The name of the CA that issues certificates. The Issuer and Subject are the same for root CAs.


Admins are able to determine how long a certificate will last. SecureW2 allows you to set up automatically renew after the expiration so you don’t have to worry about inactive certificates.

Key Size

In a cryptographic algorithm, this refers to the key size in the number of bits in a key. Currently, the RSA-recommended key size is 2048.

Signature Algorithm

The algorithm is used in the certificate signing process to sign the private key. This is usually RSA 2048.

Serial Number

The CA gives a serial number to each certificate it issues for identification.


Subject Alternative Name (SAN) structures and lists all of the domain names and IP addresses that fall under the security umbrella of a particular certificate. In the image above, the subdomains and IP addresses highlighted in yellow are protected by this certificate.


Policies define the parameter of certificates. They determine what type of certificate it can be, such as server authentication, client authentication, email, etc. Admins can define policies like security permissions, determining who has control over certificate templates.


A Discretionary Access Control List (DACL) determines which users have access to configure certificate templates.

What Are The Stages of the Certificate Lifecycle?

X.509 certificates go through multiple phases in their lifecycles. There are essentially four different stages in the certificate lifecycle:

  1. Certificate Enrollment is the first step. A user or device requests a certificate from the certificate authority (CA) which confirms their identity and generates the certificate.
  2. Certificate Distribution is the process of securely sending a digital certificate from the CA to the requesting client. This typically requires an onboarding solution to streamline device configuration and secure communications.
  3. Certificate Validation is the “active” part of the certificate lifecycle. During certificate validation, the RADIUS server checks if the certificate is still within its validity period and confirms that it has not been revoked and placed on the certificate revocation list (CRL).
  4. Certificate Revocation is self-explanatory. If an admin manually revokes a certificate, it is placed on the CRL and the RADIUS will not authenticate it. Certificates that have exceeded their validity period are considered “expired” and are not placed on the CRL.

Certificate Lifecycle Management With SecureW2

Using X.509 digital certificates for authentication is an immediate upgrade to credential (password) authentication, but it requires proper support infrastructure. In order to experience the benefits of certificates, they must be properly managed during every stage of their lifecycle. Without proper management, both users and admins will have difficulty completing their tasks. The organizations that are prepared for certificates experience the greatest benefit.

SecureW2 provides you with everything you need for certificate management at each stage of the lifecycle. SecureW2 supports several methods for users to request certificates, including an onboarding SSID, a vanity URL, or a time-restricted SSID. We also provide SCEP gateways to easily push certificates onto all managed devices without any end-user action necessary.

To ensure top-of-the-line authentication, SecureW2 provides you with an industry-exclusive Dynamic RADIUS. This allows the RADIUS to communicate directly with an IDP when users authenticate on to your network.

This is especially useful in the case of a user needing updated network permissions if their position in your organization changes. In the past, that user would need all new certificates with updated permissions on every device. With dynamic authentication, the admin simply has to update their permissions in the IDP and the RADIUS applies the updated settings when they authenticate with their certificate.

Certificates are powerful tools for securing your network, but only with the right deployment and management tools behind them. SecureW2 has affordable solutions for organizations of all sizes. Click here to see our pricing.

Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

The Anatomy Of An X.509 Digital Certificate