محلل شهادة X.509

An X.509 certificate is a digitally signed document that binds a public key to an identity (domain, organisation, or person). It contains: version, serial number, signature algorithm, issuer DN, validity period (notBefore/notAfter), subject DN, public key info (algorithm + key), and extensions (SAN, key usage, basic constraints, CRL distribution points, OCSP URL). The CA signs the certificate’s TBSCertificate structure to produce the final certificate.

Domain Validation (DV) certificates verify only that the applicant controls the domain, via DNS or HTTP challenge. Organisation Validation (OV) certificates additionally verify the legal organisation identity through documentation. Extended Validation (EV) certificates require the most rigorous vetting including legal existence, physical address, and phone verification. DV is sufficient for encryption; OV/EV provide identity assurance for higher-trust scenarios.

SAN (RFC 5280) is an X.509v3 extension that lists all domain names and IP addresses a certificate is valid for. Modern browsers (since 2017) only use SAN for hostname validation and ignore the Common Name (CN) field for this purpose. A certificate without SAN will be rejected even if the CN matches. Wildcard SANs (*.example.com) match one subdomain level only and do not cover the apex domain or deeper subdomains.

Chain validation verifies that each certificate in the chain is signed by the next certificate up to a trusted root CA. The browser/OS maintains a trust store of pre-installed root CA certificates. Validation checks: signature validity at each level, validity period, key usage extensions, revocation status (CRL or OCSP), and that the issuing CA has the CA:TRUE basic constraint. A chain is valid only if all checks pass at every level.