
X.509 Extensions


An X.509 v3 certificate contains an extension field that permits any number of additional fields to be added to the certificate. Certificate extensions provide a way of adding information such as alternative subject names and usage restrictions to certificates.

Extension structure
Figure 1 - Extension structure

The structure is shown in figure 1. An extension consists of the following components:

  • An object identifier that identifies the type of extension.
  • A flag that indicates whether the extension is critical, that is, whether the extension holds vital information. If it is critical, a relying party shall consider a certificate invalid if it does not recognise the extension, i.e., it has no support for the extension. If an extension is labelled non-critical, it can be ignored if not understood.
  • The actual extension field
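
The three components and the criticality rule above, as an added example that is not part of the original page: a minimal DER walk over an Extensions SEQUENCE that returns the critical extensions a relying party does not support. The function names, the `SUPPORTED` set and the sample bytes (including the example OID 2.999.1) are constructed for illustration.

```python
SUPPORTED = {"2.5.29.17", "2.5.29.19"}  # assumed support: subjectAltName, basicConstraints

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal text."""
    arcs, value = [], 0
    for octet in content:
        value = (value << 7) | (octet & 0x7F)
        if octet < 0x80:  # high bit clear ends this sub-identifier
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extensions(der):
    """Return a list of (oid, critical, value) from an Extensions SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        tag, oid, p = read_tlv(ext, 0)
        tag2, content, p = read_tlv(ext, p)
        critical = tag2 == 0x01 and content != b"\x00"  # flag absent means FALSE
        if tag2 == 0x01:  # BOOLEAN was present, so the value element follows it
            tag2, content, p = read_tlv(ext, p)
        if tag != 0x06 or tag2 != 0x04:
            raise ValueError("expected OBJECT IDENTIFIER and OCTET STRING")
        out.append((decode_oid(oid), critical, content))
    return out

def unrecognised_critical(der, supported=SUPPORTED):
    """OIDs marked critical but not supported: any hit means reject the certificate."""
    return [o for o, crit, _ in parse_extensions(der) if crit and o not in supported]

EXT_BC = bytes.fromhex("300c0603551d130101ff04023000")  # constructed: 2.5.29.19, critical
EXT_SAN = bytes.fromhex("30160603551d11040f300d820b") + b"example.com"  # constructed: no flag
EXT_UNKNOWN = bytes.fromhex("300a06038837010101ff0400")  # constructed: 2.999.1, critical
SAMPLE = b"\x30\x32" + EXT_BC + EXT_SAN + EXT_UNKNOWN
```

For `SAMPLE`, `unrecognised_critical` returns `["2.999.1"]`, so the certificate carrying these extensions would be treated as invalid; the same unknown OID without the critical flag would simply be ignored.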

Subject alternative name extension

The Subject Alternative Name extension includes one or more alternative names for the identity bound by the CA to the certified public key. It may be used in addition to the certificate's subject name or as a replacement for it.

The extension allows multiple alternative names to be defined.

The following ASN.1 data type defines the possible names.

GeneralName ::= CHOICE {
   otherName                 [0] INSTANCE OF OTHER-NAME,
   rfc822Name                [1] IA5String,
   dNSName                   [2] IA5String,
   x400Address               [3] ORAddress,
   directoryName             [4] Name,
   ediPartyName              [5] EDIPartyName,
   uniformResourceIdentifier [6] IA5String,
   iPAddress                 [7] OCTET STRING,
   registeredID              [8] OBJECT IDENTIFIER }

Extended key usage extension


Reason code extension

The Reason Code extension identifies the reason for certificate revocation.

Invalid date extension

Certificate issuer extension

The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL.

This extension is used only with indirect CRLs, which are not supported by the Certificate System.
