A binary hex display for a typical X.509 v3 binary DER certificate is shown below.
The first 4 bytes are the DER encoding of the outer ASN.1 SEQUENCE header, which gives
the length of the remaining bytes (0x04A2).
Next comes the exact binary data ("TBSCertificate") covered by the signature on the
certificate, shown in blue. This section includes the
required certificate fields (an ordered sequence of certificate version,
serial number, signature algorithm ID, issuer (signer), validity period, subject, public key)
followed by optional extensions, encoded in ASN.1 format. For the detailed specification, see
IETF RFC 3280.
Next comes the encoded
signature-algorithm specifier. Finally, the actual PKCS #1 v1.5 signature
blob (128 bytes, the same size as the public key modulus corresponding to the private key used
to sign this certificate) is shown in red.
0000 30 82 04 A2 30 82 04 0B A0 03 02 01 02 02 10 5E 0...0..........^
0010 EB E4 CB 24 23 90 EF 72 AE 44 79 40 50 DE 2F 30 ...$#..r.Dy@P./0
0020 0D 06 09 2A 86 48 86 F7 0D 01 01 04 05 00 30 81 ...*.H........0.
0030 CC 31 17 30 15 06 03 55 04 0A 13 0E 56 65 72 69 .1.0...U....Veri
0040 53 69 67 6E 2C 20 49 6E 63 2E 31 1F 30 1D 06 03 Sign, Inc.1.0...
0050 55 04 0B 13 16 56 65 72 69 53 69 67 6E 20 54 72 U....VeriSign Tr
0060 75 73 74 20 4E 65 74 77 6F 72 6B 31 46 30 44 06 ust Network1F0D.
0070 03 55 04 0B 13 3D 77 77 77 2E 76 65 72 69 73 69 .U...=www.verisi
0080 67 6E 2E 63 6F 6D 2F 72 65 70 6F 73 69 74 6F 72 gn.com/repositor
0090 79 2F 52 50 41 20 49 6E 63 6F 72 70 2E 20 42 79 y/RPA Incorp. By
00a0 20 52 65 66 2E 2C 4C 49 41 42 2E 4C 54 44 28 63 Ref.,LIAB.LTD(c
00b0 29 39 38 31 48 30 46 06 03 55 04 03 13 3F 56 65 )981H0F..U...?Ve
00c0 72 69 53 69 67 6E 20 43 6C 61 73 73 20 31 20 43 riSign Class 1 C
00d0 41 20 49 6E 64 69 76 69 64 75 61 6C 20 53 75 62 A Individual Sub
00e0 73 63 72 69 62 65 72 2D 50 65 72 73 6F 6E 61 20 scriber-Persona
00f0 4E 6F 74 20 56 61 6C 69 64 61 74 65 64 30 1E 17 Not Validated0..
0100 0D 30 33 30 37 31 33 30 30 30 30 30 30 5A 17 0D .030713000000Z..
0110 30 34 30 37 31 35 32 33 35 39 35 39 5A 30 82 01 040715235959Z0..
0120 14 31 17 30 15 06 03 55 04 0A 13 0E 56 65 72 69 .1.0...U....Veri
0130 53 69 67 6E 2C 20 49 6E 63 2E 31 1F 30 1D 06 03 Sign, Inc.1.0...
0140 55 04 0B 13 16 56 65 72 69 53 69 67 6E 20 54 72 U....VeriSign Tr
0150 75 73 74 20 4E 65 74 77 6F 72 6B 31 46 30 44 06 ust Network1F0D.
0160 03 55 04 0B 13 3D 77 77 77 2E 76 65 72 69 73 69 .U...=www.verisi
0170 67 6E 2E 63 6F 6D 2F 72 65 70 6F 73 69 74 6F 72 gn.com/repositor
0180 79 2F 52 50 41 20 49 6E 63 6F 72 70 2E 20 62 79 y/RPA Incorp. by
0190 20 52 65 66 2E 2C 4C 49 41 42 2E 4C 54 44 28 63 Ref.,LIAB.LTD(c
01a0 29 39 38 31 1E 30 1C 06 03 55 04 0B 13 15 50 65 )981.0...U....Pe
01b0 72 73 6F 6E 61 20 4E 6F 74 20 56 61 6C 69 64 61 rsona Not Valida
01c0 74 65 64 31 33 30 31 06 03 55 04 0B 13 2A 44 69 ted1301..U...*Di
01d0 67 69 74 61 6C 20 49 44 20 43 6C 61 73 73 20 31 gital ID Class 1
01e0 20 2D 20 4E 65 74 73 63 61 70 65 20 46 75 6C 6C - Netscape Full
01f0 20 53 65 72 76 69 63 65 31 1A 30 18 06 03 55 04 Service1.0...U.
0200 03 14 11 4D 69 63 68 65 6C 20 49 2E 20 47 61 6C ...Michel I. Gal
0210 6C 61 6E 74 31 1F 30 1D 06 09 2A 86 48 86 F7 0D lant1.0...*.H...
0220 01 09 01 16 10 6E 65 75 74 72 6F 6E 40 69 73 74 .....neutron@ist
0230 61 72 2E 63 61 30 81 9F 30 0D 06 09 2A 86 48 86 ar.ca0..0...*.H.
0240 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 ...........0....
0250 81 00 BF 8B 6C 98 B0 DC A8 C6 FF A5 A4 24 91 90 ....l........$..
0260 6C D3 04 6A 74 72 9C 55 67 AC 7E AF FA 1D 5A 48 l..jtr.Ug.~...ZH
0270 39 83 A6 44 1C 44 9C 52 3D 9C F3 71 5D 43 B0 86 9..D.D.R=..q]C..
0280 A3 EB A3 50 9B 8B 8F C0 26 09 F4 07 BA C2 C6 B2 ...P....&.......
0290 E8 69 97 DC B0 CC 4C CC 58 2C 89 43 31 62 A4 8E .i....L.X,.C1b..
02a0 64 5A 8F 71 8B 89 73 85 E4 40 DD 66 06 C4 0C 8B dZ.q..s..@.f....
02b0 43 74 FA 8B B1 B3 F7 70 7A B5 48 D7 54 BE CC 5B Ct.....pz.H.T..[
02c0 52 F5 11 97 1F 52 5D 72 3F D0 16 10 BF E4 B5 61 R....R]r?......a
02d0 55 8F 02 03 01 00 01 A3 82 01 38 30 82 01 34 30 U.........80..40
02e0 09 06 03 55 1D 13 04 02 30 00 30 81 AC 06 03 55 ...U....0.0....U
02f0 1D 20 04 81 A4 30 81 A1 30 81 9E 06 0B 60 86 48 . ...0..0....`.H
0300 01 86 F8 45 01 07 01 01 30 81 8E 30 28 06 08 2B ...E....0..0(..+
0310 06 01 05 05 07 02 01 16 1C 68 74 74 70 73 3A 2F .........https:/
0320 2F 77 77 77 2E 76 65 72 69 73 69 67 6E 2E 63 6F /www.verisign.co
0330 6D 2F 43 50 53 30 62 06 08 2B 06 01 05 05 07 02 m/CPS0b..+......
0340 02 30 56 30 15 16 0E 56 65 72 69 53 69 67 6E 2C .0V0...VeriSign,
0350 20 49 6E 63 2E 30 03 02 01 01 1A 3D 56 65 72 69 Inc.0.....=Veri
0360 53 69 67 6E 27 73 20 43 50 53 20 69 6E 63 6F 72 Sign's CPS incor
0370 70 2E 20 62 79 20 72 65 66 65 72 65 6E 63 65 20 p. by reference
0380 6C 69 61 62 2E 20 6C 74 64 2E 20 28 63 29 39 37 liab. ltd. (c)97
0390 20 56 65 72 69 53 69 67 6E 30 11 06 09 60 86 48 VeriSign0...`.H
03a0 01 86 F8 42 01 01 04 04 03 02 07 80 30 30 06 0A ...B........00..
03b0 60 86 48 01 86 F8 45 01 06 07 04 22 16 20 35 36 `.H...E....". 56
03c0 37 39 66 35 64 64 63 62 30 32 37 62 61 35 65 63 79f5ddcb027ba5ec
03d0 62 65 34 33 38 38 33 66 33 62 31 66 34 39 30 33 be43883f3b1f4903
03e0 06 03 55 1D 1F 04 2C 30 2A 30 28 A0 26 A0 24 86 ..U...,0*0(.&.$.
03f0 22 68 74 74 70 3A 2F 2F 63 72 6C 2E 76 65 72 69 "http://crl.veri
0400 73 69 67 6E 2E 63 6F 6D 2F 63 6C 61 73 73 31 2E sign.com/class1.
0410 63 72 6C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 04 crl0...*.H......
0420 05 00 03 81 81 00 A8 88 57 C0 6D AD 3B 35 8D 64 ........W.m.;5.d
0430 00 72 B8 D5 BE 46 9F 71 17 E3 3B 3B 36 C7 AA C2 .r...F.q..;;6...
0440 38 9B 68 07 B4 07 9A B4 AE AE 08 42 F7 12 25 F6 8.h........B..%.
0450 82 95 7F 3F 5B E5 FD D9 9D 0A 47 DF B3 4D F0 3E ...?[.....G..M.>
0460 65 41 28 00 B8 5B 2A 67 5F 15 63 2F 30 4B F9 27 eA(..[*g_.c/0K.'
0470 8B 49 B7 2F D5 8E 59 30 A3 A2 9B FA CD F7 D2 6A .I./..Y0.......j
0480 30 41 D8 F3 07 A6 E6 CE 98 AD A2 55 1D 08 E2 24 0A.........U...$
0490 8F 3A 9D EA 26 49 CB BE EE 6D 35 CC 1B 26 8C 59 .:..&I...m5..&.Y
04a0 32 C2 6B 3D BD D9 2.k=..
An ASN.1 dump for the certificate is shown below:
0000 30 4A2: SEQUENCE {
0004 30 40B:   SEQUENCE {
0008 A0   3:     [0] {
000A 02   1:       INTEGER 2
           :       }
000D 02  10:     INTEGER
           :       5E EB E4 CB 24 23 90 EF 72 AE 44 79 40 50 DE 2F
001F 30   D:     SEQUENCE {
0021 06   9:       OBJECT IDENTIFIER
           :         md5withRSAEncryption (1 2 840 113549 1 1 4)
002C 05   0:       NULL
           :       }
002E 30  CC:     SEQUENCE {
0031 31  17:       SET {
0033 30  15:         SEQUENCE {
0035 06   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
003A 13   E:           PrintableString 'VeriSign, Inc.'
           :           }
           :         }
004A 31  1F:       SET {
004C 30  1D:         SEQUENCE {
004E 06   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
0053 13  16:           PrintableString 'VeriSign Trust Network'
           :           }
           :         }
006B 31  46:       SET {
006D 30  44:         SEQUENCE {
006F 06   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
0074 13  3D:           PrintableString
           :             'www.verisign.com/repository/RPA Incorp. By Ref.,'
           :             'LIAB.LTD(c)98'
           :           }
           :         }
00B3 31  48:       SET {
00B5 30  46:         SEQUENCE {
00B7 06   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
00BC 13  3F:           PrintableString
           :             'VeriSign Class 1 CA Individual Subscriber-Person'
           :             'a Not Validated'
           :           }
           :         }
           :       }
00FD 30  1E:     SEQUENCE {
00FF 17   D:       UTCTime '030713000000Z'
010E 17   D:       UTCTime '040715235959Z'
           :       }
011D 30 114:     SEQUENCE {
0121 31  17:       SET {
0123 30  15:         SEQUENCE {
0125 06   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
012A 13   E:           PrintableString 'VeriSign, Inc.'
           :           }
           :         }
013A 31  1F:       SET {
013C 30  1D:         SEQUENCE {
013E 06   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
0143 13  16:           PrintableString 'VeriSign Trust Network'
           :           }
           :         }
015B 31  46:       SET {
015D 30  44:         SEQUENCE {
015F 06   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
0164 13  3D:           PrintableString
           :             'www.verisign.com/repository/RPA Incorp. by Ref.,'
           :             'LIAB.LTD(c)98'
           :           }
           :         }
01A3 31  1E:       SET {
01A5 30  1C:         SEQUENCE {
01A7 06   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
01AC 13  15:           PrintableString 'Persona Not Validated'
           :           }
           :         }
01C3 31  33:       SET {
01C5 30  31:         SEQUENCE {
01C7 06   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
01CC 13  2A:           PrintableString
           :             'Digital ID Class 1 - Netscape Full Service'
           :           }
           :         }
01F8 31  1A:       SET {
01FA 30  18:         SEQUENCE {
01FC 06   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
0201 14  11:           TeletexString 'Michel I. Gallant'
           :           }
           :         }
0214 31  1F:       SET {
0216 30  1D:         SEQUENCE {
0218 06   9:           OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
0223 16  10:           IA5String 'neutron@istar.ca'
           :           }
           :         }
           :       }
0235 30  9F:     SEQUENCE {
0238 30   D:       SEQUENCE {
023A 06   9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
0245 05   0:         NULL
           :         }
0247 03  8D:       BIT STRING 0 unused bits, encapsulates {
024B 30  89:         SEQUENCE {
024E 02  81:           INTEGER
           :             00 BF 8B 6C 98 B0 DC A8 C6 FF A5 A4 24 91 90 6C
           :             D3 04 6A 74 72 9C 55 67 AC 7E AF FA 1D 5A 48 39
           :             83 A6 44 1C 44 9C 52 3D 9C F3 71 5D 43 B0 86 A3
           :             EB A3 50 9B 8B 8F C0 26 09 F4 07 BA C2 C6 B2 E8
           :             69 97 DC B0 CC 4C CC 58 2C 89 43 31 62 A4 8E 64
           :             5A 8F 71 8B 89 73 85 E4 40 DD 66 06 C4 0C 8B 43
           :             74 FA 8B B1 B3 F7 70 7A B5 48 D7 54 BE CC 5B 52
           :             F5 11 97 1F 52 5D 72 3F D0 16 10 BF E4 B5 61 55
           :             8F
02D2 02   3:           INTEGER 65537
           :           }
           :         }
           :       }
02D7 A3 138:     [3] {
02DB 30 134:       SEQUENCE {
02DF 30   9:         SEQUENCE {
02E1 06   3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
02E6 04   2:           OCTET STRING, encapsulates {
02E8 30   0:             SEQUENCE {}
           :             }
           :           }
02EA 30  AC:         SEQUENCE {
02ED 06   3:           OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
02F2 04  A4:           OCTET STRING, encapsulates {
02F5 30  A1:             SEQUENCE {
02F8 30  9E:               SEQUENCE {
02FB 06   B:                 OBJECT IDENTIFIER
           :                   Verisign policyIdentifier (2 16 840 1 113733 1 7 1 1)
0308 30  8E:                 SEQUENCE {
030B 30  28:                   SEQUENCE {
030D 06   8:                     OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
0317 16  1C:                     IA5String 'https://www.verisign.com/CPS'
           :                     }
0335 30  62:                   SEQUENCE {
0337 06   8:                     OBJECT IDENTIFIER
           :                       unotice (1 3 6 1 5 5 7 2 2)
0341 30  56:                     SEQUENCE {
0343 30  15:                       SEQUENCE {
0345 16   E:                         IA5String 'VeriSign, Inc.'
0355 30   3:                         SEQUENCE {
0357 02   1:                           INTEGER 1
           :                           }
           :                         }
035A 1A  3D:                       VisibleString
           :                         'VeriSign's CPS incorp. by reference liab. ltd. ('
           :                         'c)97 VeriSign'
           :                       }
           :                     }
           :                   }
           :                 }
           :               }
           :             }
           :           }
0399 30  11:         SEQUENCE {
039B 06   9:           OBJECT IDENTIFIER
           :             netscape-cert-type (2 16 840 1 113730 1 1)
03A6 04   4:           OCTET STRING, encapsulates {
03A8 03   2:             BIT STRING 7 unused bits
           :               '1'B (bit 0)
           :             }
           :           }
03AC 30  30:         SEQUENCE {
03AE 06   A:           OBJECT IDENTIFIER '2 16 840 1 113733 1 6 7'
03BA 04  22:           OCTET STRING, encapsulates {
03BC 16  20:             IA5String '5679f5ddcb027ba5ecbe43883f3b1f49'
           :             }
           :           }
03DE 30  33:         SEQUENCE {
03E0 06   3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
03E5 04  2C:           OCTET STRING, encapsulates {
03E7 30  2A:             SEQUENCE {
03E9 30  28:               SEQUENCE {
03EB A0  26:                 [0] {
03ED A0  24:                   [0] {
03EF 86  22:                     [6] 'http://crl.verisign.com/class1.crl'
           :                     }
           :                   }
           :                 }
           :               }
           :             }
           :           }
           :         }
           :       }
           :     }
0413 30   D:   SEQUENCE {
0415 06   9:     OBJECT IDENTIFIER md5withRSAEncryption (1 2 840 113549 1 1 4)
0420 05   0:     NULL
           :     }
0422 03  81:   BIT STRING 0 unused bits
           :     A8 88 57 C0 6D AD 3B 35 8D 64 00 72 B8 D5 BE 46
           :     9F 71 17 E3 3B 3B 36 C7 AA C2 38 9B 68 07 B4 07
           :     9A B4 AE AE 08 42 F7 12 25 F6 82 95 7F 3F 5B E5
           :     FD D9 9D 0A 47 DF B3 4D F0 3E 65 41 28 00 B8 5B
           :     2A 67 5F 15 63 2F 30 4B F9 27 8B 49 B7 2F D5 8E
           :     59 30 A3 A2 9B FA CD F7 D2 6A 30 41 D8 F3 07 A6
           :     E6 CE 98 AD A2 55 1D 08 E2 24 8F 3A 9D EA 26 49
           :     CB BE EE 6D 35 CC 1B 26 8C 59 32 C2 6B 3D BD D9
           :   }
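Added example (not part of the original page): a small Python DER reader that splits a certificate into the three top-level parts described above (TBSCertificate, signature-algorithm specifier, signature) and rejects non-DER length encodings. The input is a constructed skeleton: only the header bytes at offsets 0000, 0004, 0413 and 0422 are copied from the dump, all other bytes are zero-filled, and the function names are this example's own.

```python
# Added example: locate the signed byte range and the signature in a DER certificate.

def read_tlv(buf, pos):
    """Return (tag, header_len, content_len) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short form: length fits in one byte
        return tag, 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or pos + 2 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    if buf[pos + 2] == 0 or length < 0x80:
        raise ValueError("non-minimal DER length")
    return tag, 2 + n, length


def split_certificate(der):
    """Locate TBSCertificate, signatureAlgorithm and the signature bytes."""
    tag, hdr, length = read_tlv(der, 0)
    if tag != 0x30 or hdr + length != len(der):
        raise ValueError("outer SEQUENCE does not span the whole input")
    pos, end, parts = hdr, hdr + length, []
    for expected in (0x30, 0x30, 0x03):    # SEQUENCE, SEQUENCE, BIT STRING
        tag, h, n = read_tlv(der, pos)
        if tag != expected or pos + h + n > end:
            raise ValueError("unexpected element at 0x%04X" % pos)
        parts.append((pos, h, n))
        pos += h + n
    if pos != end:
        raise ValueError("trailing data inside certificate")
    (tbs_off, tbs_h, tbs_n), alg, (sig_off, sig_h, sig_n) = parts
    if sig_n < 1 or der[sig_off + sig_h] != 0:
        raise ValueError("signature BIT STRING must have 0 unused bits")
    return {
        "tbs": (tbs_off, tbs_off + tbs_h + tbs_n),   # exact bytes that are signed
        "alg": (alg[0], alg[0] + alg[1] + alg[2]),
        "sig": der[sig_off + sig_h + 1:sig_off + sig_h + sig_n],
    }


# Constructed skeleton: headers copied from the dump above, bodies zero-filled.
SKELETON = bytearray(0x4A6)
SKELETON[0x0000:0x0008] = bytes.fromhex("308204A23082040B")
SKELETON[0x0413:0x0422] = bytes.fromhex("300D06092A864886F70D0101040500")
SKELETON[0x0422:0x0426] = bytes.fromhex("03818100")
CERT_PARTS = split_certificate(bytes(SKELETON))
```

The "tbs" range is end-exclusive, so the signed bytes run from offset 0004 up to, but not including, 0413, header included; a verifier hashes exactly that slice of the original encoding rather than re-encoding the parsed fields.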
See also Planning for PKI, R. Housley, T. Polk, 2001 Wiley p. 69.
Michel I. Gallant
neutron@istar.ca