]> Test Vectors for CBOR Encoded X.509 (C509) Certificates NIO
lijun.liao@nio.io
Ericsson
goran.selander@ericsson.com
Ericsson
john.mattsson@ericsson.com
Security COSE Working Group Internet-Draft This document contains examples of CBOR encoded X.509 (C509) certificates, certificate (signing) requests, and certificate request templates.
Introduction This document contains examples of X.509 certificates, certificate (signing) requests, and certificate request templates encoded in CBOR according to the C509 specification . This complements the C509 specification with many readable examples illustrating the encodings of the certificate and certificate request fields, and can be used for testing interoperability between C509 implementations. Different encodings and formats of certificates and certificate requests are shown: X.509 certificates and certificate requests in PEM format, and C509 certificates and certificate requests in plain hex and in annotated form. The examples include two types of C509 certificates, distinguished by the value of the c509CertificateType field (see ):
  • c509CertificateType = 03 (here called type 3) is a reversible CBOR encoding of an X.509 certificate, where the issuerSignatureValue field of the C509 certificate contains the signatureValue field of the X.509 certificate, i.e., the digital signature computed upon the ASN.1 DER encoding.
  • c509CertificateType = 02 (here called type 2) differs from type 3 only in this value, and that the issuerSignatureValue field of the C509 certificate contains the signature over the TBSCertificate of the C509 certificate, i.e., the digital signature computed upon the CBOR encoding.
The examples also include four types of C509 certificate requests (here called type 0, 1, 2 and 3) distinguished by the value of the c509CertificateRequestType field. This type indicates the format of the request as well as the format of the certificate being requested, see Figure 3 of . Following , the C509 plain hex contains the ~C509Certificate, ~C509CertificateRequest and ~C509CertificateRequestTemplate, i.e. the unwrapped CBOR Sequence . These can easily be converted into CBOR diagnostic notation (see ) using the CBOR Playground . (Note that CBOR sequences requires ticking the box 'cborseq' in the CBOR Playground.) Private keys are also provided to enable the creation of signatures (and verification of the ECDH PoP). The keys printed in these examples cannot be considered secret and MUST NOT be used. The examples are structured as follows:
  • contains a CA certificate used in later sections.
  • contains certificates with different types of subject public keys, including RSA, Weierstrass EC, Edwards EC, and Montgomery EC keys.
  • contains certificates with different types of signature and proof-of-possession algorithms, and references other sections where these algorithms are exemplified.
  • lists examples of subject attributes, and references other sections where the encoding of these attributes are exemplified.
  • lists examples of certificate extensions, and references other sections where the encoding of these extensions are exemplified.
  • gives examples of certificates with attributes or extensions for which no dedicated CBOR encoding has been defined and generic constructs, like CBOR OID , are used.
  • gives examples of certificate requests with different signature or proof-of-possession algorithms.
  • gives examples of certificate requests with different extensions.
  • gives examples of certificate request templates.
Editor's note: The current version does not contain any keys or signatures of post-quantum algorithms. This may be included in a future version or in a separate document.
Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Readers are expected to be familiar with C509 .
CA Certificate
  • Use Ed25519 public key for the CA due to its small size in public key and signature value
  • Self-signed
  • Key: Ed25519
  • Signature algorithm: Ed25519
  • Signature algorithm: Ed25519
Private Key
X.509 Certificate PEM content (300 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
  • Compared to the C509 type 2 certificate, the only difference is the certificate type, the signature value, and the public key identifier.
Plain hex (161 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (161 bytes): Annotated hex: 5: 1A 67748580 # [4]. notBefore=1735689600: 2025-01-01T00:00:00Z 10: 1A 6B36EC7F # [5]. notAfter=1798761599: 2026-12-31T23:59:59Z 15: 67 # [6]. subject=char[7] 16: 74657374206361 # "test ca" 23: 0A # [7]. subjectPublicKeyAlg=10: Ed25519 24: 58 20 # [8]. subject public key=byte[32] 26: 5A9414AC56D1B6AF0C966FC53B9476B5C95D0EEAAEF764D9EFE86DB7320C 56: 36E1 58: 88 # [9]. extensions=array[8] # extension[0] 59: 01 # type=1: SubjectKeyIdentifier 60: 54 # value=byte[20] 61: C16DE726347331107520B4ED9ED0088023A56033 # extension[1] 81: 21 # type=-2: KeyUsage, critical 82: 18 60 # value=96: [keyCertSign, cRLSign] # extension[2] 84: 03 # type=3: SubjectAlternativeName 85: 67 # DNS, value=char[7] 86: 6162632E636F6D # "abc.com" # extension[3] 93: 23 # type=-4: BasicConstraints, critical 94: 20 # value=-1: CA: true, pathLenConstraint: # unlimited 95: 58 40 # [10]. signature value=byte[64] 97: AA0CF7A8B267EDE76B0C2CC0240A60587700D749A959EE3D96B59E13DEF9 127: F137DC51FB9E460A5EBF7F0C659365EBE32B44CCA4A2AC67E3D18A867C36 157: 400E2C01 ]]>
Certificates With Different Subject Public Keys
RSA Public Key With Public Exponent 65537
  • Self-signed
  • RSA public key with public exponent = 65537 and 1024-bit modulus
  • Signature algorithm: sha256WithRSAEncryption
  • NotAfter: null
  • Subject: only commonName of EUI-48
  • Extensions: with only one non-critical extension keyUsage
Private Key
X.509 Certificate PEM content (464 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
  • Compared to the C509 type 2 certificate, the only difference is the certificate type, the signature value, and the public key identifier.
Plain hex (283 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (283 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: F6 # [5]. notAfter=: 9999-12-31T23:59:59Z 12: D8 30 # [6]. subject=tag(48) 14: 46 # byte[6] 15: 1234567890AB 21: 00 # [7]. subjectPublicKeyAlg=0: RSA 22: 58 80 # [8]. subject public key=byte[128] 24: B8092F6F04726A921CFAB2D313AE9D2F01C7CE465FAB7DA62C7A5C73FACE 54: 5FFBA2F1DD80A29ADC43399CFCA22279B89A264810E5B926BB5E0D3F727A 84: 763E16013F89F8FEAC59D0FBDD5E8B0C52827E5490F13B84C3634E89C6D1 114: 731AE5F1A60F88ED118D080E1AB2CAA532D06C2F7D2A0874DEE4E6B6E572 144: 83F6478DAF4253DB 152: 01 # [9]. extensions=1, KeyUsage: [digitalSignature] 153: 58 80 # [10]. signature value=byte[128] 155: 371A7322CDD9DECB1F3B4851A18A47B461A479C29DCE7397290C79DB9564 185: 3A5C7FE2B1F02DB6AF5F0BCA9602D837F7EB3D4AA28738CBCAD385043304 215: E648022A1E9FE0FD19687839AC3EC7C7B6F6E5F85B4416BA085D5C9E367A 245: 0B892829F2F3E4A31D3FDA0E58EA701A72CB3F1B4A06E3DF44F4492FCFBD 275: 5C5F71F03340D7CA ]]>
RSA Public Key With Public Exponent 3
  • Self-signed
  • RSA public key with public exponent = 3 and 1024-bit modulus
  • Signature algorithm: sha384WithRSAEncryption
  • Subject: only commonName of EUI-64
  • Extensions: with only one critical extension keyUsage
Private Key
X.509 Certificate PEM content (463 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (293 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (293 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: D8 30 # [6]. subject=tag(48) 19: 48 # byte[8] 20: 1234567890ABCDEF 28: 00 # [7]. subjectPublicKeyAlg=0: RSA 29: 82 # [8]. subject public key=array[2] 30: 58 80 # [0]=byte[128] 32: 8679EB0B4F0FC941DFED4D08F79332C16C97DFE6D7DA4BDBF28A333BFC 61: 68B7177C50398D575F14E2F48FA14A5FD8436DEB3310414EEADEB121DE 90: 0679C6A2AAD95A44BAF6A5F13C9CAD4ECFB48CD7875F9FBE8766FE6D1E 119: C2ABDB0331A0E92D28ABC474C3737870199595B786F31F963C8A6E0F70 148: BB82C9D00F3CE733539ED30B 160: 41 # [1]=byte[1] 161: 03 162: 20 # [9]. extensions=-1, KeyUsage, critical: # [digitalSignature] 163: 58 80 # [10]. signature value=byte[128] 165: 511BFC472F8DD672A522B24B33C971091CA3CA02699A813CC5931E1AD541 195: 338ABC1FF9883EC72E9AF4F3B442C5FF5040231E1A6C1FF8CA3AA3F5CB1E 225: 743FD6C009D40692DBD8D5B7A91BB630EC18F1402DCCFFC1B67AC69DA5E4 255: A8CCE0A3DF7396CDBA16C731370B8A96BF62E67F93A56C74DA88F5F4DCC1 285: 6FCF24C2D3B3192F ]]>
Weierstrass EC Public Key With secp256r1
  • Self-signed
  • EC key with curve secp256r1
  • Signature algorithm: ecdsa-with-SHA256
  • Subject: only commonName of even number of lowercase hex chars
  • Extensions
    • Basic Constraints: CA, with no pathLen
    • Extended Key Usage: with only int usage
    • Subject Key Identifier
Private Key
X.509 Certificate PEM content (383 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (189 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, the signature value, and the public key identifier.
C509 Type 3 Certificate With Compressed EC Public Key
  • C509 type 3 certificate with compressed EC public key converted from the X.509 certificate in .
Plain hex (157 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 16: 48 # [6]. subject=byte[8] 17: 1234567890ABCDEF 25: 01 # [7]. subjectPublicKeyAlg=1: EC public key with # curve secp256r1 26: 58 21 # [8]. subject public key=byte[33] 28: FDF413596A87125995B4E0D8B7BEFBC4D6EDB11F61AF08AB32408D4FF9F9 58: 078DDB 61: 88 # [9]. extensions=array[8] # extension[0] 62: 01 # type=1: SubjectKeyIdentifier 63: 54 # value=byte[20] 64: 07E12C4CACE95C2285EC4A5B05A4A2BB0EC87A7A # extension[1] 84: 02 # type=2: KeyUsage 85: 18 60 # value=96: [keyCertSign, cRLSign] # extension[2] 87: 23 # type=-4: BasicConstraints, critical 88: 20 # value=-1: CA: true, pathLenConstraint: # unlimited # extension[3] 89: 08 # type=8: ExtendedKeyUsage 90: 01 # 1: serverAuth 91: 58 40 # [10]. signature value=byte[64] 93: 8A25E8AABBA4B19B8E0D1596A476C2C42F5068F5F3457606806E2F284A22 123: E6E7A799B809F4364246E7A093B3CC10CE28B5ED9AC5FEE29542483B85E6 153: 243BC13F ]]>
C509 Type 2 Certificate Plain hex (189 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 16: 48 # [6]. subject=byte[8] 17: 1234567890ABCDEF 25: 01 # [7]. subjectPublicKeyAlg=1: EC public key with # curve secp256r1 26: 58 41 # [8]. subject public key=byte[65] 28: 04F413596A87125995B4E0D8B7BEFBC4D6EDB11F61AF08AB32408D4FF9F9 58: 078DDBAB3635AFD496D5656A22EFDC3D59C4482A99836BB358FBF4CA78D3 88: 930436C857 93: 88 # [9]. extensions=array[8] # extension[0] 94: 01 # type=1: SubjectKeyIdentifier 95: 54 # value=byte[20] 96: 1F3BC19DE194830066C6EAE7CB9D211339EDD942 # extension[1] 116: 02 # type=2: KeyUsage 117: 18 60 # value=96: [keyCertSign, cRLSign] # extension[2] 119: 23 # type=-4: BasicConstraints, critical 120: 20 # value=-1: CA: true, pathLenConstraint: # unlimited # extension[3] 121: 08 # type=8: ExtendedKeyUsage 122: 01 # 1: serverAuth 123: 58 40 # [10]. signature value=byte[64] 125: 8A25E8AABBA4B19B8E0D1596A476C2C42F5068F5F3457606806E2F284A22 155: E6E71EF91E63F35636A4D497E1FB4D3C393ADCDB09D92E02E0194D703ECD 185: 98EB2D79 ]]>
Weierstrass EC Public Key With secp384r1
  • Self-signed
  • EC key with curve secp384r1
  • Subject: only commonName with normal text
  • Extensions
    • Basic Constraints: CA, with pathLen
    • Extended Key Usage: with only oid usage
    • Certificate Policies
    • Inhibit anyPolicy
Private Key
X.509 Certificate PEM content (533 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (300 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (300 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 16: 72 # [6]. subject=char[18] 17: 73656C667369676E2D73656370333834 # "selfsign-secp384" 33: 7231 # "r1" 35: 02 # [7]. subjectPublicKeyAlg=2: EC public key with # curve secp384r1 36: 58 61 # [8]. subject public key=byte[97] 38: 04DD6762F035899451372B2FE9B52A8314AD10E2C4363C5A5849E296FE51 68: AAB9BFD03AB038D33418A0BCD83280ABA0BD9104017165C048B5346B5410 98: 9E449FCC889E4EE870B5F8A2C63DAE414DE19755BE278A175E040D4A4C1A 128: 0EE46E924A5C29 135: 8A # [9]. extensions=array[10] # extension[0] 136: 02 # type=2: KeyUsage 137: 18 60 # value=96: [keyCertSign, cRLSign] # extension[1] 139: 23 # type=-4: BasicConstraints, critical 140: 01 # value=1: CA: true, pathLenConstraint: 1 # extension[2] 141: 06 # type=6: CertificatePolicies 142: 83 # value=array[3] # CertificatePolicy[0] 143: 03 # PolicyIdentifier=3: # IndividualValidation # CertificatePolicy[1] 144: 00 # PolicyIdentifier=0: any 145: 84 # PolicyQualifierInfos=array[4] # PolicyQualifierInfo[0] 146: 01 # policyQualifierId=1: # DomainValidation 147: 6E # qualifier=char[14] 148: 687474703A2F2F6370732E75726C # "http://cps.url" # PolicyQualifierInfo[1] 162: 02 # policyQualifierId=2: # OrganizationValidation 163: 77 # qualifier=char[23] 164: 7468697320697320746865207573 # "this is the us" 178: 6572206E6F74696365 # "er notice" # extension[3] 187: 08 # type=8: ExtendedKeyUsage 188: 4A # byte[10]: 189: 2B0601040182E3526304 # oid: 1.3.6.1.4.1.45522.99.4 # extension[4] 199: 18 1E # type=30: InhibitAnyPolicy 201: 00 # value=simple-uint(0) 202: 58 60 # [10]. signature value=byte[96] 204: 347EB5ED49E1F6536E2A3F3B5DF1C12D9BAEF440DFBC42BD45D31F4B3FDA 234: BDFA9D685A84582D98B1B2474210F1C785DA99A28737A0AFB997FE5858C4 264: 57570DF214A1688EDE02740B32058B42C9CF6C559F1C7EB3EB75334496AD 294: 26BF589412C8 ]]>
Weierstrass EC Public Key With secp521r1
  • Self-signed
  • EC key with curve secp521r1
  • Signature algorithm: ecdsa-with-SHA512
  • Subject: empty
  • Extensions
    • Basic Constraints: non-CA
    • Extended Key Usage: with usages of int and oid.
    • Subject Alt Name
Private Key
X.509 Certificate PEM content (669 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (457 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (457 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 16: 80 # [6]. subject=array[0], 0 attribute 17: 03 # [7]. subjectPublicKeyAlg=3: EC public key with # curve secp521r1 18: 58 85 # [8]. subject public key=byte[133] 20: 04005538CE8F7CDE229335C85958AACD029DDF65CFC2A72A75055E63B8FE 50: 59D07FB4BDF10DB7B8BA7D57C5C691EB96EAB97411615A6A430E51787031 80: 719CEBC305E69200705CC828B9755F8FD53452B777A40CB6792554E5718B 110: AB91EA3F03086A4072A47047CEEC2493C384045FCC6ED8E4F748A5223AF1 140: 2901EB2E19A6C288951C939B05 153: 88 # [9]. extensions=array[8] # extension[0] 154: 02 # type=2: KeyUsage 155: 01 # value=1: [digitalSignature] # extension[1] 156: 03 # type=3: SubjectAlternativeName 157: 92 # value=array[18] # GeneralName[0] 158: 04 # GeneralNameType=4: directoryName 159: 84 # GeneralNameValue=array[4], 2 attributes # attribute[0] 160: 04 # type=4: country 161: 62 # value=char[2] 162: 4445 # "DE" # attribute[1] 164: 01 # type=1: commonName 165: 64 # value=char[4] 166: 54657374 # "Test" # GeneralName[1] 170: 02 # GeneralNameType=2: dNSName 171: 67 # GeneralNameValue=char[7] 172: 6162632E636F6D # "abc.com" # GeneralName[2] 179: 01 # GeneralNameType=1: rfc822Name 180: 6F # GeneralNameValue=char[15] 181: 616263406578616D706C652E6F7267 # "abc@example.org" # GeneralName[3] 196: 21 # GeneralNameType=-2: on_smtpUTF8Mailbox 197: 74 # GeneralNameValue=char[20] 198: 736D747075746638406D61696C626F78 # "smtputf8@mailbox" 214: 2E6F7267 # ".org" # GeneralName[4] 218: 06 # GeneralNameType=6: uri 219: 75 # GeneralNameValue=char[21] 220: 687474703A2F2F6D797572696C2E636F # "http://myuril.co" 236: 6D2F616263 # "m/abc" # GeneralName[5] 241: 08 # GeneralNameType=8: registeredID 242: 4A # GeneralNameValue=byte[10]: 243: 2B0601040182E3526308 # oid: 1.3.6.1.4.1.45522.99.8 # GeneralName[6] 253: 07 # GeneralNameType=7: iPAddress 254: 44 # GeneralNameValue=byte[4] 255: 11111111 # GeneralName[7] 259: 00 # GeneralNameType=0: otherName 260: 82 # GeneralNameValue=array[2] 261: 4A # id=byte[10]: 262: 2B0601040182E3526301 # oid: 1.3.6.1.4.1.45522.99.1 272: 4C # value=byte[12] 273: 040A22222222222222222222 # GeneralName[8] 285: 20 # GeneralNameType=-1: # on_hardwareModuleName 286: 82 # GeneralNameValue=array[2] 287: 4A # id=byte[10]: 288: 2B0601040182E3526302 # oid: 1.3.6.1.4.1.45522.99.2 298: 52 # value=byte[18] 299: 041033333333333333333333333333333333 # extension[2] 317: 23 # type=-4: BasicConstraints, critical 318: 21 # value=-2: CA: false # extension[3] 319: 08 # type=8: ExtendedKeyUsage 320: 82 # value=array[2] 321: 02 # 2: clientAuth 322: 01 # 1: serverAuth 323: 58 84 # [10]. signature value=byte[132] 325: 012F8358F64621CA68F7DB644AEFE37958041A686436AFCEDDE70ACEBA73 355: 744D70147784A41AD67673A1EE5B3B9B1A8351553A29E87815ABFCCA5D1D 385: E1099F284B4C01CDC0923D3297C17BB6EF9F5F14B090BDCE0F5713A50EE5 415: BB54FB208A95383BDCBEF2468346BAA70A85E8DF85E3FF5799DC2EC913A1 445: D560FAEB6142B396D46339A1 ]]>
Weierstrass EC Public Key With brainpoolP256r1
  • Self-signed
  • EC key with curve brainpoolP256r1
  • Signature algorithm: ecdsa-with-shake128
  • Subject:
    • country
    • state
    • locality
    • postalCode
    • street
  • Extensions:
    • IP Resources with IPAddressChoice of value "null"
    • IP Resources v2 with IPAddressChoice of value "null"
    • AS Resources
    • AS Resources v2
Private Key
X.509 Certificate PEM content (644 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (259 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (259 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 16: 8C # [6]. subject=array[12], 6 attributes # attribute[0] 17: 01 # type=1: commonName 18: 78 18 # value=char[24] 20: 73656C667369676E2D627261696E706F # "selfsign-brainpo" 36: 6F6C703235367231 # "olp256r1" # attribute[1] 44: 04 # type=4: country 45: 62 # value=char[2] 46: 4445 # "DE" # attribute[2] 48: 05 # type=5: locality 49: 6B # value=char[11] 50: 6D79206C6F63616C697479 # "my locality" # attribute[3] 61: 06 # type=6: state 62: 68 # value=char[8] 63: 6D79207374617465 # "my state" # attribute[4] 71: 07 # type=7: street 72: 69 # value=char[9] 73: 6D7920737472656574 # "my street" # attribute[5] 82: 0C # type=12: postalCode 83: 6D # value=char[13] 84: 6D7920706F7374616C436F6465 # "my postalCode" 97: 18 18 # [7]. subjectPublicKeyAlg=24: EC public key with # curve brainpoolp256r1 99: 58 41 # [8]. subject public key=byte[65] 101: 0477B077412EE98950779ED882FFCB1648E014272354469624F5BCE2F14F 131: 3242AD4ACC5686A86508D59FB729FDC29811188D8BF016CE4A5151054DAF 161: 888C48D5ED 166: 8A # [9]. extensions=array[10] # extension[0] 167: 02 # type=2: KeyUsage 168: 01 # value=1: [digitalSignature] # extension[1] 169: 18 20 # type=32: IPAddressBlocks 171: 84 # value=array[4] # IPAddrBlock[0] 172: 01 # AFI=1: IPv4 # IPAddrBlock[1] 173: F6 # IPAddressChoice= # IPAddrBlock[2] 174: 02 # AFI=2: IPv6 # IPAddrBlock[3] 175: F6 # IPAddressChoice= # extension[2] 176: 18 21 # type=33: AutonomousSysIds 178: 82 # value=array[2] 179: 02 # id=2 180: 82 # range=array[2] 181: 01 # min=1 182: 03 # max=3 # extension[3] 183: 18 22 # type=34: IPAddressBlocksV2 185: 84 # value=array[4] # IPAddrBlock[0] 186: 01 # AFI=1: IPv4 # IPAddrBlock[1] 187: F6 # IPAddressChoice= # IPAddrBlock[2] 188: 02 # AFI=2: IPv6 # IPAddrBlock[3] 189: F6 # IPAddressChoice= # extension[4] 190: 18 23 # type=35: AutonomousSysIdsV2 192: F6 # value= 193: 58 40 # [10]. signature value=byte[64] 195: 9CDE645DD8D02AA75B6B773837DD8C6ABA2F07231569BAB5258BC4A0EC0E 225: 1EFB636B28E6BF1FD29522DD5C20384BDCA1C35144440C5084E4A780CEEE 255: 84B06221 ]]>
Weierstrass EC Public Key With brainpoolP384r1
  • Self-signed
  • EC key with curve brainpoolP384r1
  • Signature algorithm: ecdsa-with-sha384
  • Subject:
    • surname
    • givenName
    • title
    • name
  • Extensions:
    • IP Resources with non-null IPAddressChoice
    • IP Resources V2 with non-null IPAddressChoice
Private Key
X.509 Certificate PEM content (775 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (504 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (432 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 16: 8A # [6]. subject=array[10], 5 attributes # attribute[0] 17: 01 # type=1: commonName 18: 78 18 # value=char[24] 20: 73656C667369676E2D627261696E706F # "selfsign-brainpo" 36: 6F6C703338347231 # "olp384r1" # attribute[1] 44: 02 # type=2: surname 45: 6A # value=char[10] 46: 6D79207375726E616D65 # "my surname" # attribute[2] 56: 0A # type=10: title 57: 68 # value=char[8] 58: 6D79207469746C65 # "my title" # attribute[3] 66: 0D # type=13: givenName 67: 6C # value=char[12] 68: 6D7920676976656E4E616D65 # "my givenName" # attribute[4] 80: 18 19 # type=25: name 82: 67 # value=char[7] 83: 6D79206E616D65 # "my name" 90: 18 19 # [7]. subjectPublicKeyAlg=25: EC public key with # curve brainpoolp384r1 92: 58 61 # [8]. subject public key=byte[97] 94: 046709C992919B49C48FD931D05C497D3865E6084C91DF3A4C7E781F4185 124: 43B023D59E8BF25D133FB1A094E9D42C8FA6ED3B46E9883A35ABD4B0A9D3 154: 0AAEFD9B7E88ED3800565D1E7F0633134D6519292D49BD55EC30A167197F 184: EC0F7429822B95 191: 86 # [9]. extensions=array[6] # extension[0] 192: 02 # type=2: KeyUsage 193: 01 # value=1: [digitalSignature] # extension[1] 194: 18 20 # type=32: IPAddressBlocks 196: 84 # value=array[4] # IPAddrBlock[0] 197: 01 # AFI=1: IPv4 # IPAddrBlock[1] 198: 85 # IPAddressChoice=array[5] # IPAddressOrRange[0]=AddressPrefix 199: 43 # Address=byte[3] 200: 0A0000 203: 04 # unusedBits=4 # IPAddressOrRange[1]=AddressPrefix 204: 43 # Address=byte[3] 205: 0A0000 208: 00 # unusedBits=0 # IPAddressOrRange[2]=AddressRange 209: 82 # array[2] 210: 44 # min=byte[4] 211: 0A020000 215: 42 # max=byte[2] 216: 0A04 # IPAddrBlock[2] 218: 02 # AFI=2: IPv6 # IPAddrBlock[3] 219: 85 # IPAddressChoice=array[5] # IPAddressOrRange[0]=AddressPrefix 220: 48 # Address=byte[8] 221: 2002000100000000 229: 00 # unusedBits=0 # IPAddressOrRange[1]=AddressPrefix 230: 47 # Address=byte[7] 231: 20020002000000 238: 00 # unusedBits=0 # IPAddressOrRange[2]=AddressRange 239: 82 # array[2] 240: 50 # min=byte[16] 241: 20020003000000000000000000000000 257: 46 # max=byte[6] 258: 200200080000 # extension[2] 264: 18 22 # type=34: IPAddressBlocksV2 266: 84 # value=array[4] # IPAddrBlock[0] 267: 01 # AFI=1: IPv4 # IPAddrBlock[1] 268: 85 # IPAddressChoice=array[5] # IPAddressOrRange[0]=AddressPrefix 269: 43 # Address=byte[3] 270: 0A0000 273: 04 # unusedBits=4 # IPAddressOrRange[1]=AddressPrefix 274: 43 # Address=byte[3] 275: 0A0000 278: 00 # unusedBits=0 # IPAddressOrRange[2]=AddressRange 279: 82 # array[2] 280: 44 # min=byte[4] 281: 0A020000 285: 42 # max=byte[2] 286: 0A04 # IPAddrBlock[2] 288: 02 # AFI=2: IPv6 # IPAddrBlock[3] 289: 85 # IPAddressChoice=array[5] # IPAddressOrRange[0]=AddressPrefix 290: 48 # Address=byte[8] 291: 2002000100000000 299: 00 # unusedBits=0 # IPAddressOrRange[1]=AddressPrefix 300: 47 # Address=byte[7] 301: 20020002000000 308: 00 # unusedBits=0 # IPAddressOrRange[2]=AddressRange 309: 82 # array[2] 310: 50 # min=byte[16] 311: 20020003000000000000000000000000 327: 46 # max=byte[6] 328: 200200080000 334: 58 60 # [10]. signature value=byte[96] 336: 6709C992919B49C48FD931D05C497D3865E6084C91DF3A4C7E781F418543 366: B023D59E8BF25D133FB1A094E9D42C8FA6ED4B168EF9239575AE498B2EC8 396: E7169D69F29D3007733E80D1EE1AAB99E6EED4D9A2E2129ACD422AF95986 426: C94956D5CD67 ]]>
Weierstrass EC Public Key With brainpoolP512r1
  • Self-signed
  • EC key with curve brainpoolp512r1
  • Signature algorithm: ecdsa-with-SHAKE256
  • Subject:
    • jurisdictionOfIncorporationCountryName
    • jurisdictionOfIncorporation StateOrProvinceName
    • jurisdictionOfIncorporationLocalityName
  • Extensions:
    • Subject Directory Attributes
    • Subject Information Access
    • Policy Mappings
Private Key
X.509 Certificate PEM content (820 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (434 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (434 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 16: 88 # [6]. subject=array[8], 4 attributes # attribute[0] 17: 01 # type=1: commonName 18: 78 18 # value=char[24] 20: 73656C667369676E2D627261696E706F # "selfsign-brainpo" 36: 6F6C703531327231 # "olp512r1" # attribute[1] 44: 13 # type=19: jurIncorporationLocality 45: 78 1B # value=char[27] 47: 6D79206A7572496E636F72706F726174 # "my jurIncorporat" 63: 696F6E4C6F63616C697479 # "ionLocality" # attribute[2] 74: 14 # type=20: jurIncorporationState 75: 78 18 # value=char[24] 77: 6D79206A7572496E636F72706F726174 # "my jurIncorporat" 93: 696F6E5374617465 # "ionState" # attribute[3] 101: 15 # type=21: jurIncorporationCountry 102: 62 # value=char[2] 103: 5345 # "SE" 105: 18 1A # [7]. subjectPublicKeyAlg=26: EC public key with # curve brainpoolp512r1 107: 58 81 # [8]. subject public key=byte[129] 109: 046D327067D334CE53FA29317AA207B85CA237623F19A10C594BF024FC3F 139: FEB64FAB5884D0D448A271552E02E7CF44D8BF104DA182CEC1DE895C8418 169: B8529D9B8B2C4B80A736DDC56471D6A52C6CE414E69D57356B15FC08A46B 199: 61FA5B721FABC76932F3836DADE4F70F6F0CACB8D3351A7EB54EFF077C40 229: 2368C49BB715B53458 238: 88 # [9]. extensions=array[8] # extension[0] 239: 02 # type=2: KeyUsage 240: 01 # value=1: [digitalSignature] # extension[1] 241: 18 18 # type=24: SubjectDirectoryAttributes 243: 82 # value=array[2], 1 Attribute 244: 04 # attributeType=4: country 245: 82 # attributeValue=array[2] 246: 62 # attributeValue[0]=char[2] 247: 4445 # "DE" 249: 62 # attributeValue[1]=char[2] 250: 5345 # "SE" # extension[2] 252: 18 1B # type=27: PolicyMappings 254: 84 # value=array[4] # policyMapping[0] 255: 02 # issuerDomainPolicy=2: # OrganizationValidation 256: 01 # subjectDomainPolicy=1: DomainValidation # policyMapping[1] 257: 4A # issuerDomainPolicy=byte[10]: 258: 2B0601040182E3526306 # oid: 1.3.6.1.4.1.45522.99.6 268: 4A # subjectDomainPolicy=byte[10]: 269: 2B0601040182E3526307 # oid: 1.3.6.1.4.1.45522.99.7 # extension[3] 279: 18 1F # type=31: SubjectInfoAccess 281: 82 # value=array[2] # AccessDescription[0] 282: 02 # accessMethod=2: CAIssuers 283: 74 # uri=char[20] 284: 687474703A2F2F636169737375657273 # "http://caissuers" 300: 2E75726C # ".url" 304: 58 80 # [10]. signature value=byte[128] 306: 9A23F973FF1BBBA49E4F05EC2DCCEA7C273CB4D65DDBDFA84DB103212859 336: DBCB235D187025B8C8F1F040F5590F05E47B65B2AE6A883FB96E9973D3BA 366: B3B8CF41A6BDB83FE998EFEE980DABD7B128C23F084724F718B5DCF2D345 396: 9D2BA9EFC53FAB140A8B5C1BFC8D1F290E51320FE80DD46938CEF7BD6991 426: D00732BF1189FF02 ]]>
Weierstrass EC Public Key With frp256v1
  • Self-signed
  • EC key with curve frp256v1
  • Signature algorithm: ecdsa-with-SHA1
  • Subject:
    • emailAddress
    • telephoneNumber
    • businessCategory
  • Extensions:
    • Policy Constraints with only requireExplicitPolicy
    • Name Constraints with only permittedSubTrees
Private Key
X.509 Certificate PEM content (560 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (276 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (276 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: 88 # [6]. subject=array[8], 4 attributes # attribute[0] 18: 00 # type=0: emailAddress 19: 6F # value=char[15] 20: 616263406578616D706C652E6F7267 # "abc@example.org" # attribute[1] 35: 01 # type=1: commonName 36: 71 # value=char[17] 37: 73656C667369676E2D66727032353676 # "selfsign-frp256v" 53: 31 # "1" # attribute[2] 54: 0B # type=11: businessCategory 55: 73 # value=char[19] 56: 6D7920627573696E6573734361746567 # "my businessCateg" 72: 6F7279 # "ory" # attribute[3] 75: 18 1A # type=26: telephoneNumber 77: 72 # value=char[18] 78: 6D792074656C6570686F6E654E756D62 # "my telephoneNumb" 94: 6572 # "er" 96: 18 1B # [7]. subjectPublicKeyAlg=27: EC public key with # curve frp256v1 98: 58 41 # [8]. subject public key=byte[65] 100: 04378D2D28A1F6547124F2DB6A42F63915BFA2F6537AE20CF0417D675FBE 130: 6603DA80A4CF3F1E43633343AB3BE80150EC04E9649DD62705BC055BDCDA 160: 791EB25062 165: 86 # [9]. extensions=array[6] # extension[0] 166: 02 # type=2: KeyUsage 167: 01 # value=1: [digitalSignature] # extension[1] 168: 18 1A # type=26: NameConstraints 170: 82 # value=array[2] 171: 84 # permittedSubtrees=array[4] # GeneralName[0] 172: 02 # GeneralNameType=2: dNSName 173: 6E # GeneralNameValue=char[14] 174: 7065726D69747465642E646E7331 # "permitted.dns1" # GeneralName[1] 188: 02 # GeneralNameType=2: dNSName 189: 6E # GeneralNameValue=char[14] 190: 7065726D69747465642E646E7332 # "permitted.dns2" 204: F6 # excludedSubtrees= # extension[2] 205: 18 1C # type=28: PolicyConstraints 207: 82 # value=array[2] 208: 01 # requireExplicitPolicy=1 209: F6 # inhibitPolicyMapping= 210: 58 40 # [10]. signature value=byte[64] 212: 378D2D28A1F6547124F2DB6A42F63915BFA2F6537AE20CF0417D675FBE66 242: 03DAB6D89694165C9C5BD7A30A7D81A2F52E94193A740E445EA2041751E9 272: 040DAFFB ]]>
Weierstrass EC Public Key With sm2p256v1
  • Self-signed
  • EC key with curve sm2p256v1
  • Signature algorithm: sm2-with-sm3
  • Subject:
    • serialNumber
    • organization
    • organizationalUnit
    • organizationIdentifier
  • Extensions:
    • Policy Constraints with only inhibitPolicyMapping
    • Name Constraints with only excludedSubTrees
Private Key
X.509 Certificate PEM content (621 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (301 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (301 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: 8A # [6]. subject=array[10], 5 attributes # attribute[0] 18: 01 # type=1: commonName 19: 72 # value=char[18] 20: 73656C667369676E2D736D3270323536 # "selfsign-sm2p256" 36: 7631 # "v1" # attribute[1] 38: 03 # type=3: serialNumber 39: 6F # value=char[15] 40: 6D792073657269616C4E756D626572 # "my serialNumber" # attribute[2] 55: 08 # type=8: organization 56: 6F # value=char[15] 57: 6D79206F7267616E697A6174696F6E # "my organization" # attribute[3] 72: 09 # type=9: organizationalUnit 73: 75 # value=char[21] 74: 6D79206F7267616E697A6174696F6E61 # "my organizationa" 90: 6C556E6974 # "lUnit" # attribute[4] 95: 12 # type=18: organizationIdentifier 96: 78 19 # value=char[25] 98: 6D79206F7267616E697A6174696F6E49 # "my organizationI" 114: 64656E746966696572 # "dentifier" 123: 18 1C # [7]. subjectPublicKeyAlg=28: EC public key with # curve sm2p256v1 125: 58 41 # [8]. subject public key=byte[65] 127: 0495FFF4BE8611C8149C81ADEC14125DACCA746A2F3FE38CD2EAB711E8C9 157: 9F101FBB448423F166F9FFD98F0E321597BB394835A6FB240337A3891290 187: 7A22C3F04A 192: 86 # [9]. extensions=array[6] # extension[0] 193: 02 # type=2: KeyUsage 194: 01 # value=1: [digitalSignature] # extension[1] 195: 18 1A # type=26: NameConstraints 197: 82 # value=array[2] 198: F6 # permittedSubtrees= 199: 84 # excludedSubtrees=array[4] # GeneralName[0] 200: 02 # GeneralNameType=2: dNSName 201: 6D # GeneralNameValue=char[13] 202: 6578636C756465642E646E7331 # "excluded.dns1" # GeneralName[1] 215: 02 # GeneralNameType=2: dNSName 216: 6D # GeneralNameValue=char[13] 217: 6578636C756465642E646E7332 # "excluded.dns2" # extension[2] 230: 18 1C # type=28: PolicyConstraints 232: 82 # value=array[2] 233: F6 # requireExplicitPolicy= 234: 02 # inhibitPolicyMapping=2 235: 58 40 # [10]. signature value=byte[64] 237: 0E6F4EDA275E22D67E72278FD0959B2CA3B02BEBDC2FE677B75AB629D160 267: FC8AE1A98C366FA988A058A8804FD99448988891C2CC78FE71367A5DB24E 297: 1707ABA1 ]]>
Montgomery EC Public Key With X25519
  • X25519 public key
  • Extensions
    • authorityKeyIdentifier with only the field keyIdentifier
    • authorityInfoAccess
    • issuerAltName
Private Key
X.509 Certificate
  • Issued by the CA in .
PEM content (678 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (454 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate
  • Issued by the CA in .
Plain hex (464 bytes): Annotated hex:
Montgomery Public Key With X448
  • X448 public key
  • Extensions:
    • authorityKeyIdentifier with all fields
    • crlDistributionPoints
    • freshestCRL
Private Key
X.509 Certificate
  • Issued by the CA in .
PEM content (407 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (254 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate
  • Issued by the CA in .
Plain hex (254 bytes): Annotated hex:
Edwards EC Public Key With ED25519
  • Self-signed
  • EC key with curve ed25519
  • Signature algorithm: Ed25519
  • Subject:
    • domainComponent
    • dnQualifier
    • dmdName
    • unstructuredName
    • unstructuredAddress
    • generationQualifier
  • Extensions:
    • Policy Constraints with both requireExplicitPolicy and inhibitPolicyMapping
    • Name Constraints with both permittedSubTrees and excludedSubTrees
Private Key
X.509 Certificate PEM content (733 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (331 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (331 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 16: 8E # [6]. subject=array[14], 7 attributes # attribute[0] 17: 01 # type=1: commonName 18: 70 # value=char[16] 19: 73656C667369676E2D65643235353139 # "selfsign-ed25519" # attribute[1] 35: 0F # type=15: generationQualifier 36: 76 # value=char[22] 37: 6D792067656E65726174696F6E517561 # "my generationQua" 53: 6C6966696572 # "lifier" # attribute[2] 59: 10 # type=16: DNQualifier 60: 6E # value=char[14] 61: 6D7920646E5175616C6966696572 # "my dnQualifier" # attribute[3] 75: 16 # type=22: domainComponent 76: 72 # value=char[18] 77: 6D7920646F6D61696E436F6D706F6E65 # "my domainCompone" 93: 6E74 # "nt" # attribute[4] 95: 18 1B # type=27: DMDName 97: 6A # value=char[10] 98: 6D7920646D644E616D65 # "my dmdName" # attribute[5] 108: 18 1D # type=29: unstructuredName 110: 73 # value=char[19] 111: 6D7920756E737472756374757265644E # "my unstructuredN" 127: 616D65 # "ame" # attribute[6] 130: 18 1E # type=30: unstructuredAddress 132: 76 # value=char[22] 133: 6D7920756E7374727563747572656441 # "my unstructuredA" 149: 646472657373 # "ddress" 155: 0A # [7]. subjectPublicKeyAlg=10: Ed25519 156: 58 20 # [8]. subject public key=byte[32] 158: 46270AEC0F32837E128779D30B249C531D6D42C1AC29E402328EDC79FAC2 188: BE95 190: 86 # [9]. extensions=array[6] # extension[0] 191: 02 # type=2: KeyUsage 192: 01 # value=1: [digitalSignature] # extension[1] 193: 18 1A # type=26: NameConstraints 195: 82 # value=array[2] 196: 84 # permittedSubtrees=array[4] # GeneralName[0] 197: 02 # GeneralNameType=2: dNSName 198: 6E # GeneralNameValue=char[14] 199: 7065726D69747465642E646E7331 # "permitted.dns1" # GeneralName[1] 213: 02 # GeneralNameType=2: dNSName 214: 6E # GeneralNameValue=char[14] 215: 7065726D69747465642E646E7332 # "permitted.dns2" 229: 84 # excludedSubtrees=array[4] # GeneralName[0] 230: 02 # GeneralNameType=2: dNSName 231: 6D # GeneralNameValue=char[13] 232: 6578636C756465642E646E7331 # "excluded.dns1" # GeneralName[1] 245: 02 # GeneralNameType=2: dNSName 246: 6D # GeneralNameValue=char[13] 247: 6578636C756465642E646E7332 # "excluded.dns2" # extension[2] 260: 18 1C # type=28: PolicyConstraints 262: 82 # value=array[2] 263: 01 # requireExplicitPolicy=1 264: 02 # inhibitPolicyMapping=2 265: 58 40 # [10]. signature value=byte[64] 267: 3894B5785CEA7A3BDA00D7E0D9AF5C3CA005AB6A753A58A472BE4BE9C65B 297: AA844BD97B0E8CD2120B17BD7AC3DDDE97FB40B3D89A64A13222337AA4BF 327: 6BA2E809 ]]>
Edwards EC Public Key With ED448
  • Self-signed
  • EC key with curve ed448
  • Signature algorithm: ED448
  • Subject:
    • initials
    • pseudonym
    • userid
  • Extensions:
    • Precertificate Signing Certificate
    • OCSP No Check
    • TLS Features
    • Signed Certificate Timestamp List
Private Key
X.509 Certificate PEM content (787 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (473 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (473 bytes): Annotated hex: 6: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 11: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 16: 88 # [6]. subject=array[8], 4 attributes # attribute[0] 17: 01 # type=1: commonName 18: 6E # value=char[14] 19: 73656C667369676E2D6564343438 # "selfsign-ed448" # attribute[1] 33: 0E # type=14: initials 34: 6B # value=char[11] 35: 6D7920696E697469616C73 # "my initials" # attribute[2] 46: 11 # type=17: pseudonym 47: 6C # value=char[12] 48: 6D792070736575646F6E796D # "my pseudonym" # attribute[3] 60: 18 1C # type=28: userID 62: 69 # value=char[9] 63: 6D7920757365726964 # "my userid" 72: 0B # [7]. subjectPublicKeyAlg=11: Ed448 73: 58 39 # [8]. subject public key=byte[57] 75: 8C35E491DB58702D7B99167C19F86B2681EA25D21F83AC6EC78040A90411 105: 4FCB1DCF239F6C4D845147F7E22793A891A9F9CA5D1E20A7398C80 132: 8A # [9]. extensions=array[10] # extension[0] 133: 02 # type=2: KeyUsage 134: 01 # value=1: [digitalSignature] # extension[1] 135: 0A # type=10: SignedCertificateTimestampList 136: 88 # value=array[8] # SignedCertificateTimestamp[0] 137: 58 20 # logID=byte[32] 139: 2222222222222222222222222222222222222222222222222222 165: 222222222222 171: 39 270E # timestamp=-9999 174: 00 # sigAlg=0: ecdsa-with-sha256 175: 58 40 # sigValue=byte[64] 177: 4040404040404040404040404040404040404040404040404040 203: 4040404040404040404040404040404040404040404040404040 229: 404040404040404040404040 # SignedCertificateTimestamp[1] 241: 58 20 # logID=byte[32] 243: 2222222222222222222222222222222222222222222222222222 269: 222222222222 275: 19 270F # timestamp=9999 278: 00 # sigAlg=0: ecdsa-with-sha256 279: 58 40 # sigValue=byte[64] 281: 4040404040404040404040404040404040404040404040404040 307: 4040404040404040404040404040404040404040404040404040 333: 404040404040404040404040 # extension[2] 345: 18 24 # type=36: OCSPNoCheck 347: F6 # value= # extension[3] 348: 18 25 # type=37: PreCertificate 350: F6 # value= # extension[4] 351: 18 26 # type=38: TLSFeatures 353: 82 # value=array[2] 354: 18 2C # value=44: cookie 356: 10 # value=16: application layer protocol # negotiation 357: 58 72 # [10]. signature value=byte[114] 359: ED25FBBD003303D2680C385B159FE46C26CB81E8368A24B038B8048E0FF8 389: BC44F1F0825A5945152E24992F696A90BA0DAE59E3713264CFE38026AB8D 419: 8D64B8DE1194C23D0FB19CDD4E2B581AC75CBBF9FAD25314B75462DB8CDF 449: BCE5C832D4137410CB5A948CB1EE1575C95066CC47951000 ]]>
Certificates with Different Signature Algorithms
RSASSA-PKCS1-v1_5 With SHA-1
  • Self-signed
  • Signature algorithm: sha1WithRSAEncryption
Private Key See .
X.509 Certificate PEM content (463 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (302 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (302 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: 76 # [6]. subject=char[22] 18: 73656C667369676E2D7273612D776974 # "selfsign-rsa-wit" 34: 682D73686131 # "h-sha1" 40: 00 # [7]. subjectPublicKeyAlg=0: RSA 41: 58 80 # [8]. subject public key=byte[128] 43: B8092F6F04726A921CFAB2D313AE9D2F01C7CE465FAB7DA62C7A5C73FACE 73: 5FFBA2F1DD80A29ADC43399CFCA22279B89A264810E5B926BB5E0D3F727A 103: 763E16013F89F8FEAC59D0FBDD5E8B0C52827E5490F13B84C3634E89C6D1 133: 731AE5F1A60F88ED118D080E1AB2CAA532D06C2F7D2A0874DEE4E6B6E572 163: 83F6478DAF4253DB 171: 20 # [9]. extensions=-1, KeyUsage, critical: # [digitalSignature] 172: 58 80 # [10]. signature value=byte[128] 174: 0150926C5642D9CB2AAA27A17B68FBBFC9F47AA42CD9E6779B4E9A7A81C7 204: 60589C53AC23BAD6A94F5A6B275BE292B79BA9CB59D045E44809353DCE73 234: C936A06EC20D51AE24C559DDB02EBF4B0838F515328058F601D91F6DAE5B 264: FF55DC78DEB80970D2F74757FC5F96BE6F217825DC8286D9446CCA0C9AF2 294: 57FCE66CD963F891 ]]>
ECDSA With SHA1
  • Signature algorithm: ecdsa-with-sha1
See .
ECDSA With SHA256
  • Signature algorithm: ecdsa-with-sha256
See .
ECDSA With SHA384
  • Signature algorithm: ecdsa-with-sha384
See .
ECDSA With SHA512
  • Signature algorithm: ecdsa-with-SHA512
See .
ECDSA With SHAKE128
  • Signature algorithm: ecdsa-with-shake128
See .
ECDSA With SHAKE256
  • Signature algorithm: ecdsa-with-shake256
See .
Ed25519
  • Signature algorithm: ed25519
See .
Ed448
  • Signature algorithm: ed448
See .
ECDH PoP With SHA-256 And HMAC-SHA256
  • Signature algorithm sa-ecdhPop-sha256-hmac-sha256
See .
ECDH PoP With SHA-384 And HMAC-SHA384
  • Signature algorithm: sa-ecdhPop-sha384-hmac-sha384
See .
ECDH PoP With SHA-512 And HMAC-SHA512
  • Signature algorithm: sa-ecdhPop-sha512-hmac-sha512f
See .
RSASSA-PKCS1-v1_5 With SHA-256
  • Signature algorithm sha256WithRSAEncryption
See .
RSASSA-PKCS1-v1_5 With SHA-384
  • Signature algorithm: sha384WithRSAEncryption
See .
RSASSA-PKCS1-v1_5 With SHA-512
  • Self-signed
  • Signature algorithm: sha512WithRSAEncryption
Private Key See .
X.509 Certificate PEM content (467 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (305 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (305 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: 78 18 # [6]. subject=char[24] 19: 73656C667369676E2D7273612D776974 # "selfsign-rsa-wit" 35: 682D736861353132 # "h-sha512" 43: 00 # [7]. subjectPublicKeyAlg=0: RSA 44: 58 80 # [8]. subject public key=byte[128] 46: B8092F6F04726A921CFAB2D313AE9D2F01C7CE465FAB7DA62C7A5C73FACE 76: 5FFBA2F1DD80A29ADC43399CFCA22279B89A264810E5B926BB5E0D3F727A 106: 763E16013F89F8FEAC59D0FBDD5E8B0C52827E5490F13B84C3634E89C6D1 136: 731AE5F1A60F88ED118D080E1AB2CAA532D06C2F7D2A0874DEE4E6B6E572 166: 83F6478DAF4253DB 174: 20 # [9]. extensions=-1, KeyUsage, critical: # [digitalSignature] 175: 58 80 # [10]. signature value=byte[128] 177: B5D4C31502957FBEE2E4DED7E45E723A8B9A86A46E9FEA1D87817808D1AC 207: E802370B91718755F101FFB3B971816120BE5CC05D2EE866422D78EF7D16 237: AA78CE4011E4DC92AE1C7DA3C7831773A44A7B2F5BAFED5D2B8A6A4E6E49 267: 638B3335DC68B596AE5FC48360E1C7DD50BD457CF2CFDCF56F98BE1EA310 297: 3B12DD5B6221DB21 ]]>
RSASSA-PSS With SHA-256
  • Self-signed
  • Signature algorithm: rsassa-pss-with-sha256
Private Key See .
X.509 Certificate PEM content (575 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (307 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (307 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: 78 1A # [6]. subject=char[26] 19: 73656C667369676E2D7273617373612D # "selfsign-rsassa-" 35: 7073732D736861323536 # "pss-sha256" 45: 00 # [7]. subjectPublicKeyAlg=0: RSA 46: 58 80 # [8]. subject public key=byte[128] 48: B8092F6F04726A921CFAB2D313AE9D2F01C7CE465FAB7DA62C7A5C73FACE 78: 5FFBA2F1DD80A29ADC43399CFCA22279B89A264810E5B926BB5E0D3F727A 108: 763E16013F89F8FEAC59D0FBDD5E8B0C52827E5490F13B84C3634E89C6D1 138: 731AE5F1A60F88ED118D080E1AB2CAA532D06C2F7D2A0874DEE4E6B6E572 168: 83F6478DAF4253DB 176: 20 # [9]. extensions=-1, KeyUsage, critical: # [digitalSignature] 177: 58 80 # [10]. signature value=byte[128] 179: 4D8FB6928B9C34EF6E53A22DE2BED6579A58FB990CED4C7CC5B0227CBB21 209: 0741B3C3DA6A72CFA764CEF937DABC9C373776FD882ABBD052936D6B4A14 239: A12E628AF43CA89A6CAAC11513AA9C4438C668447FFF7497F32BE445B58A 269: 4EA2E40E30C32165558EFB66E2B17640B93B061BD8BF5812818B318415E9 299: F20FFE5EA50C9D39 ]]>
RSASSA-PSS With SHA-384
  • Self-signed
  • Signature algorithm: rsassa-pss-with-sha384
Private Key See .
X.509 Certificate PEM content (575 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (307 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (307 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: 78 1A # [6]. subject=char[26] 19: 73656C667369676E2D7273617373612D # "selfsign-rsassa-" 35: 7073732D736861333834 # "pss-sha384" 45: 00 # [7]. subjectPublicKeyAlg=0: RSA 46: 58 80 # [8]. subject public key=byte[128] 48: B8092F6F04726A921CFAB2D313AE9D2F01C7CE465FAB7DA62C7A5C73FACE 78: 5FFBA2F1DD80A29ADC43399CFCA22279B89A264810E5B926BB5E0D3F727A 108: 763E16013F89F8FEAC59D0FBDD5E8B0C52827E5490F13B84C3634E89C6D1 138: 731AE5F1A60F88ED118D080E1AB2CAA532D06C2F7D2A0874DEE4E6B6E572 168: 83F6478DAF4253DB 176: 20 # [9]. extensions=-1, KeyUsage, critical: # [digitalSignature] 177: 58 80 # [10]. signature value=byte[128] 179: 62E00951C6AC6536337911F5568E8FCB79440A0A7A59EA7EEFFC20CD8A85 209: E2111502116A040D14A209602BCD8F635D9B91689429F8B43D35FC79A4B3 239: AE34824D41B56D9472513673F7D13B2F77B81992B205DDFF91088CCDF03E 269: 85A7F07471EFF6549AF07A77BBAE313D1B909DDF2EC94C67E0F20A342CC2 299: 5CFFF87A820CE9DC ]]>
RSASSA-PSS With SHA-512
  • Self-signed
  • RSA public key with 1536-bit modulus
  • Signature algorithm: rsassa-pss-with-sha512
Private Key
X.509 Certificate PEM content (703 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (435 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (435 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: 78 1A # [6]. subject=char[26] 19: 73656C667369676E2D7273617373612D # "selfsign-rsassa-" 35: 7073732D736861353132 # "pss-sha512" 45: 00 # [7]. subjectPublicKeyAlg=0: RSA 46: 58 C0 # [8]. subject public key=byte[192] 48: B511729186EDC01B2335EC7E46AB1CF3B31FB8D46133CE350588EFD85ED0 78: 876568B7BE006CE3527ABA643A1B0F8FA5EC5402229630442CFCE3050804 108: CB03FA99E5BC3F8D48B3EEA94B420C26F8DEC7B78E8580A79E29AEA0DC9B 138: DC5973F89D9B3DB7E8BBEB0BFD357CE710D9EF39E4AB628B861285DB9093 168: 9F0D2FD01D8E9BC9717CF4C4E42FB17DCC522C42A9FA000B05FFFBA9E24E 198: E64B991C1E01824A9D5AFDC37EA11C81AF2A1FA82BD58940AD7D4DB61F8D 228: C688C48A686C45B1065626D3 240: 20 # [9]. extensions=-1, KeyUsage, critical: # [digitalSignature] 241: 58 C0 # [10]. signature value=byte[192] 243: A2218182F9D326F7A5164835FF9B2D24927A5277D9482AB0A729D4321D66 273: 365D58A0DFADDABB6D6D57FF358CFB090DFDFE12EA0D1FCA209808AAFAD0 303: DC4F24F1ACA12B364B6922B93DD574737BA10B77B1BFF69512C4A35692C0 333: 3565E19EB8F3123A3B07063783A08F9AB93FEDCEAB7C2295F47226D4B6ED 363: 536E71BB7E671DD9D9BCC9BF592353C9BCEFFC0B78BC1615F4C53C6B8EF4 393: 03B606E6D89A3458AA16C786609F353E40F8EB5BACDA815B1BDDA10132BC 423: 8642EBBF6FF5D9AB1A11D272 ]]>
RSASSA-PSS With SHAKE128
  • Self-signed
  • Signature algorithm: rsassa-pss-with-shake128
Private Key See .
X.509 Certificate PEM content (469 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (309 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (309 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: 78 1C # [6]. subject=char[28] 19: 73656C667369676E2D7273617373612D # "selfsign-rsassa-" 35: 7073732D7368616B65313238 # "pss-shake128" 47: 00 # [7]. subjectPublicKeyAlg=0: RSA 48: 58 80 # [8]. subject public key=byte[128] 50: B8092F6F04726A921CFAB2D313AE9D2F01C7CE465FAB7DA62C7A5C73FACE 80: 5FFBA2F1DD80A29ADC43399CFCA22279B89A264810E5B926BB5E0D3F727A 110: 763E16013F89F8FEAC59D0FBDD5E8B0C52827E5490F13B84C3634E89C6D1 140: 731AE5F1A60F88ED118D080E1AB2CAA532D06C2F7D2A0874DEE4E6B6E572 170: 83F6478DAF4253DB 178: 20 # [9]. extensions=-1, KeyUsage, critical: # [digitalSignature] 179: 58 80 # [10]. signature value=byte[128] 181: 06B4F24DEFA5DC3C58E8C0B8E30A03C43A43A42B6EAD06458EE0FFB5EAA4 211: 43204DA030DFD19BCDCA2D5C0B4D6C848B5F9EC444C39CDF4C7263887D92 241: 2AE17D8989A5F2046E6B4D2D9F114BA960DC55DFFFF775F9481F580DAD43 271: A984BAE37A650297C563C9AAA24CBFC3086BBCD6CAEE405E23EDC9104DD1 301: 6F653B47C9EB6B31 ]]>
RSASSA-PSS With SHAKE256
  • Self-signed
  • Signature algorithm: rsassa-pss-with-shake256
Private Key See .
X.509 Certificate PEM content (597 bytes):
C509 Type 3 Certificate
  • C509 type 3 certificate converted from the X.509 certificate in .
Plain hex (437 bytes): Annotated hex:
  • See the annotated hex of the C509 type 2 certificate. The only difference is the certificate type, and the signature value.
C509 Type 2 Certificate Plain hex (437 bytes): Annotated hex: 7: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 12: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 17: 78 1C # [6]. subject=char[28] 19: 73656C667369676E2D7273617373612D # "selfsign-rsassa-" 35: 7073732D7368616B65323536 # "pss-shake256" 47: 00 # [7]. subjectPublicKeyAlg=0: RSA 48: 58 C0 # [8]. subject public key=byte[192] 50: B511729186EDC01B2335EC7E46AB1CF3B31FB8D46133CE350588EFD85ED0 80: 876568B7BE006CE3527ABA643A1B0F8FA5EC5402229630442CFCE3050804 110: CB03FA99E5BC3F8D48B3EEA94B420C26F8DEC7B78E8580A79E29AEA0DC9B 140: DC5973F89D9B3DB7E8BBEB0BFD357CE710D9EF39E4AB628B861285DB9093 170: 9F0D2FD01D8E9BC9717CF4C4E42FB17DCC522C42A9FA000B05FFFBA9E24E 200: E64B991C1E01824A9D5AFDC37EA11C81AF2A1FA82BD58940AD7D4DB61F8D 230: C688C48A686C45B1065626D3 242: 20 # [9]. extensions=-1, KeyUsage, critical: # [digitalSignature] 243: 58 C0 # [10]. signature value=byte[192] 245: 3C5A7DBA06D0918EB0397D881C60312E0668171E2644F9E30E05DC76231A 275: F177C8E1B460A763B31B7B869F2070602BB5749D627A7074973D4D49ADF9 305: A282C506101713DD246B92AD47D2A8A914891538670F8F38F32B4C39A87C 335: 5B4FF1DFBF7F00A6353F199F885EA95172C334B61335A46D9DE493D2A1DB 365: 40B7CF7F39E6297D951CC35D459B911A591EF16511D9470C861320B6559A 395: 138D1F4AE6B4FF8E493A3B9C5150B123FEB2FB84B5FDE60CE4FBC5FA74E4 425: E1B9CCDAA8F2A8D4CF574263 ]]>
SM2 With SM3
  • Signature algorithm: sm2-with-sm3
See .
Certificates With Different Subject Attributes
One Attribute CommonName With EUI-48
  • Subject: with only one attribute commonName consisting of even number of EUI-48.
See .
One Attribute CommonName With EUI-64
  • Subject: with only one attribute commonName consisting of even number of EUI-64.
See .
One Attribute CommonName With Even Number Of Lowercase Hex Letters
  • Subject: with only one attribute commonName consisting of even number of lowercase hex letters
See .
One Attribute CommonName With Other Text
  • Subject: with only one attribute commonName consisting of text other than EUI-48, EUR-64 and even number of lowercase hex letters
See .
Empty Subject
  • Subject: empty subject.
See .
Subject With Attribute Business Category
  • Subject: with attribute business category
See .
Subject With Attribute Country
  • Subject: with attribute country
See .
Subject With Attribute Directory Management Domain Name
  • Subject: with attribute directory magement domain name
See .
Subject With Attribute DN Qualifier
  • Subject: with attribute DN Qualifier
See .
Subject With Attribute Domain Component
  • Subject: with attribute domain component
See .
Subject With Attribute Email Address
  • Subject: with attribute email address
See .
Subject With Attribute Generation Qualifier
  • Subject: with attribute generation qualifier
See .
Subject With Attribute Given Name
  • Subject: with attribute given name
See .
Subject With Attribute Initials
  • Subject: with attribute initials
See .
Subject With Attribute Incorporation Country
  • Subject: with attribute incorporation country
See .
Subject With Attribute Incorporation Locality
  • Subject: with attribute incorporation locality
See .
Subject With Attribute Incorporation State Or Province
  • Subject: with attribute incorporation State or province
See .
Subject With Attribute Locality
  • Subject: with attribute locality
See .
Subject With Attribute Name
  • Subject: with attribute name
See .
Subject With Attribute Organization
  • Subject: with attribute organization
See .
Subject With Attribute Organizational Unit
  • Subject: with attribute organizational unit
See .
Subject With Attribute Organization Identifier
  • Subject: with attribute organization identifier
See .
Subject With Attribute Postal Code
  • Subject: with attribute postal code
See .
Subject With Attribute Pseudonym
  • Subject: with attribute pseudonym
See .
Subject With Attribute Serial Number
  • Subject: with attribute serial number
See .
Subject With Attribute State
  • Subject: with attribute state
See .
Subject With Attribute Street
  • Subject: with attribute street
See .
Subject With Attribute Surname
  • Subject: with attribute surname
See .
Subject With Attribute Telephone Number
  • Subject: with attribute telephone number
See .
Subject With Attribute Title
  • Subject: with attribute title
See .
Subject With Attribute Unstructured Name
  • Subject: with attribute unstructured name
See .
Subject With Attribute Unstructured Address
  • Subject: with attribute unstructured address
See .
Subject With Attribute userid
  • Subject: with attribute userid
See .
Certificates With Different Extensions
Empty extensions
  • Extensions: no extensions.
Not applied to certificate, see for examples in certificate requests.
One Extension: Non-critical Extension keyUsage
  • Extensions: with only one extension: non-critical extension keyUsage
See .
One Extension: Critical Extension keyUsage
  • Extensions: with only one extension: critical extension keyUsage
See .
Authority Information Access See .
Authority Key Identifier
  • With only the field KeyIdentifier See .
  • With all fields See .
AS Resources And AS Resources v2
  • With null ASIdentifiers
  • With non-empty array of ASIdOrRange
See .
Basic Constraints
  • With CA = true and absent pathLen See .
  • With CA = true and present pathLen See .
  • With CA = false See .
Certificate Policies See .
Challenge Password Not applied to certificates. See .
CRL Distribution Points and Freshest CRL See .
Extended Key Usage
  • With usages identified by int See .
  • With usages identified by ~oid See .
  • With usages identified by int and ~oid See .
Inhibit anyPolicy See .
Issuer Alternative Name See .
IP Resources and IP Resources V2
  • With IPAddressOrRange of "null" See .
  • With IPAddressOrRange of non-null See .
Name Constraints
  • With only PermittedSubTree See .
  • With only ExcludedSubTree See .
  • With both PermittedSubTree and ExcludedSubTree See .
OCSP No Check See .
Policy Constraints
  • With only RequireExplicitPolicy See .
  • With only InhibitPolicyMapping See .
  • With both Require and Inhibit See .
Policy Mappings See .
PreCertificate Signing Certificate See .
Signed Certificate Timestamp List See .
Subject Alternative Name See .
Subject Directory Attributes See .
Subject Information Access See .
Subject Key Identifier See .
TLS Features See .
X.509 Certificate With Unconvertible Attributes And Extensions
  • Common Name: subject with text not of types PrintableString and UTF8String.
  • Subject Public Key Algorithm: EC public key with unknown curve OID in the "parameters" field.
  • Extension AS Resources: ASIdentifiers with the "rdi" field.
  • Extension CRL Distribution Points: with the "reasons" field in DistributionPoint.
  • Extension IP Resources: SAFI is present.
  • Extension Name Constraints: with Option Directory Name with IA5String.
  • Extension Signed Certificate Timestamp List: with the "extensions" field.
Private Key See .
X.509 Certificate PEM content (614 bytes) Text representation:
C509 Type 3 Certificate
  • C509 type 3 certificated converted from the X.509 certificate in .
Plain hex (465 bytes): Annotated hex: 5: 1A 6775D700 # [4]. notBefore=1735776000: 2025-01-02T00:00:00Z 10: 1A 69570A80 # [5]. notAfter=1767312000: 2026-01-02T00:00:00Z 15: 82 # [6]. subject=array[2], 1 attribute # attribute[0] 16: 43 # type=byte[3]: 17: 550403 # oid: 2.5.4.3 (commonName) 20: 58 19 # value=byte[25] 22: 1617416E20494135537472696E6720436F6D6D6F6E4E616D65 47: 82 # [7]. subjectPublicKeyAlg=array[2] 48: 47 # algorithm=byte[7]: 49: 2A8648CE3D0201 # oid: 1.2.840.10045.2.1 56: 4C # parameters=byte[12] 57: 060A2B0601040182E3526305 69: 58 41 # [8]. subject public key=byte[65] 71: 04F413596A87125995B4E0D8B7BEFBC4D6EDB11F61AF08AB32408D4FF9F9 101: 078DDBAB3635AFD496D5656A22EFDC3D59C4482A99836BB358FBF4CA78D3 131: 930436C857 136: 8B # [9]. extensions=array[11] # extension[0] 137: 48 # type=byte[8]: 138: 2B06010505070108 # oid: 1.3.6.1.5.5.7.1.8 # (AutonomousSysIds) 146: 46 # value=byte[6] 147: 3004A1020500 # extension[1] 153: 43 # type=byte[3]: 154: 551D1F # oid: 2.5.29.31 (CRLDistributionPoints) 157: 58 26 # value=byte[38] 159: 30243022A01CA01A8618687474703A2F2F64756D6D792E6578616D70 187: 6C652E6F726781020640 # extension[2] 197: 48 # type=byte[8]: 198: 2B06010505070107 # oid: 1.3.6.1.5.5.7.1.7 # (IPAddressBlocks) 206: F5 # critical 207: 4B # value=byte[11] 208: 3009300704030001010500 # extension[3] 219: 18 1A # type=26: NameConstraints 221: 82 # value=array[2] 222: 82 # permittedSubtrees=array[2] # GeneralName[0] 223: 04 # GeneralNameType=4: directoryName 224: 82 # GeneralNameValue=array[2], 1 # attribute # attribute[0] 225: 43 # type=byte[3]: 226: 550403 # oid: 2.5.4.3 (commonName) 229: 58 19 # value=byte[25] 231: 1617416E20494135537472696E6720436F6D6D6F6E4E61 254: 6D65 256: F6 # excludedSubtrees= # extension[4] 257: 4A # type=byte[10]: 258: 2B06010401D679020402 # oid: 1.3.6.1.4.1.11129.2.4.2 # (SignedCertificateTimestampList) 268: 58 81 # value=byte[129] 270: 047F007D007B00111111111111111111111111111111111111111111 298: 111111111111111111111100000194244FDBE7000600010203040504 326: 03004630440220121212121212121212121212121212121212121212 354: 12121212121212121212120220121212121212121212121212121212 382: 1212121212121212121212121212121212 399: 58 40 # [10]. signature value=byte[64] 401: 8A25E8AABBA4B19B8E0D1596A476C2C42F5068F5F3457606806E2F284A22 431: E6E74A539BAD1DAA85B5DAEB634A73A79D2C114883CA8813FC3FA18735E7 461: 78BEB148 ]]>
Certificate Requests With Different Signature Algorithms
ECDSA With SHA256
  • Signature algorithm: ecdsa-with-SHA256
  • Extensions: normal extension subjectAltName
Private Key See .
X.509 Certificate Request PEM content (244 bytes): Text representation:
C509 Type 3 Certificate Request
  • C509 type 3 certificate request converted from the X.509 certificate request in .
Plain hex (152 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 1 Certificate Request
  • C509 type 1 certificate request converted from the X.509 certificate request in .
Plain hex (152 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 2 Certificate Request Plain hex (152 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 0 Certificate Request Plain hex (152 bytes): Annotated hex:
ECDH PoP with SHA-256 and HMAC-SHA256
  • Signature algorithm: sa-ecdhPop-sha256-hmac-sha256
  • Signature value: with only hashValue field
  • Extensions: challenge password with printable String
Private Key
X.509 Certificate Request
  • The private key and certificate of the peer are in and .
PEM content (206 bytes): Text representation:
C509 Type 3 Certificate Request
  • C509 type 3 certificate request converted from the X.509 certificate request in .
Plain hex (132 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 1 Certificate Request
  • C509 type 1 certificate request converted from the X.509 certificate request in .
Plain hex (132 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 2 Certificate Request
  • The private key and certificate of the peer are in and .
Plain hex (132 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 0 Certificate Request
  • The private key and certificate of the peer are in and .
Plain hex (132 bytes): Annotated hex:
ECDH PoP With SHA-384 And HMAC-SHA384
  • Signature algorithm: sa-ecdhPop-sha384-hmac-sha384
  • Signature value: with all fields
  • Extensions: challenge password with UTF8 String
Private Key
X.509 Certificate Request
  • The private key and certificate of the peer are in and .
PEM content (289 bytes): Text representation:
C509 Type 3 Certificate Request
  • C509 type 3 certificate request converted from the X.509 certificate request in .
Plain hex (203 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 1 Certificate Request
  • C509 type 1 certificate request converted from the X.509 certificate request in .
Plain hex (203 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 2 Certificate Request
  • The private key and certificate of the peer are in and .
Plain hex (203 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 0 Certificate Request
  • The private key and certificate of the peer are in and .
Plain hex (203 bytes): Annotated hex:
ECDH PoP With SHA-512 And HMAC-SHA512
  • Signature algorithm: sa-ecdhPop-sha512-hmac-sha512
  • Signature value: with all fields
  • Extensions: empty
Private Key
X.509 Certificate Request
  • The private key and certificate of the peer are in and .
PEM content (286 bytes): Text representation:
C509 Type 3 Certificate Request
  • C509 type 3 certificate request converted from the X.509 certificate request in .
Plain hex (223 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 1 Certificate Request
  • C509 type 1 certificate request converted from the X.509 certificate request in .
Plain hex (223 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 2 Certificate Request
  • The private key and certificate of the peer are in and .
Plain hex (223 bytes): Annotated hex:
  • See the annotated hex of the C509 type 0 certificate request. The only difference is the certificate request type, and the signature value.
C509 Type 0 Certificate Request
  • The private key and certificate of the peer are in and .
Plain hex (223 bytes): Annotated hex:
Certificate Requests With Different Extensions
With Normal Extensions
  • Extensions: extensions except challengePassword
See .
With Extension Challenge Password
  • Extensions: extension challege pasword of type Printable String
See .
  • Extensions: extension challege pasword of type UTF8String String
See .
With Empty Extensions
  • Extensions: no extensions
See .
Certificate Request Templates
All Fields Of Value "undefined" (If Possible)
  • c509CertificateRequestType: undefined
  • subjectSignatureAlgorithm: undefined
  • subject: empty array
  • subjectPublicKeyAlgorithm: undefined
  • subjectPublicKey: undefined
  • extensionsRequest: empty array
Plain hex (7 bytes): Annotated hex: 2: F7 # [2]. subjectSignatureAlgorithm= 3: 80 # [3]. subject=array[0], 0 attribute 4: F7 # [4]. subjectPublicKeyAlgorithm= 5: F7 # [5]. subjectPublicKey= 6: 80 # [6]. extensions=array[0] ]]>
With 1 Element In Fields
  • c509CertificateRequestType: 1 element
  • subjectSignatureAlgorithm: 1 element
  • subject: 1 element
  • subjectPublicKeyAlgorithm: 1 element
  • extensionsRequest: 1 element
Plain hex (14 bytes): Annotated hex: 8: 81 # [4]. subjectPublicKeyAlgorithm=array[1] 9: 01 # [0]=1: EC public key with curve secp256r1 10: F7 # [5]. subjectPublicKey= 11: 82 # [6]. extensions=array[2] # extension[0] 12: 03 # type=3: SubjectAlternativeName 13: F7 # value= ]]>
Complex Template
  • c509CertificateRequestType: multiple types
  • subjectSignatureAlgorithm: all choices
  • subjectPublicKeyAlgorithm: all choices
  • subject
    • choice (int, Defined)
    • choice (int, undefined)
    • choice (~oid, Defined)
    • choice (~oid, undefined)
  • extensions
    • choice (int, Defined)
    • choice (int, undefined)
    • choice (~oid, Defined)
    • choice (~oid, undefined)
Plain hex (150 bytes): Annotated hex: # attribute[1] 37: 23 # type=-4: country, Printable String 38: 62 # value=char[2] 39: 4445 # "DE" # attribute[2] 41: 4A # type=byte[10]: 42: 2B0601040182E352630B # oid: 1.3.6.1.4.1.45522.99.11 52: F7 # value= # attribute[3] 53: 4A # type=byte[10]: 54: 2B0601040182E352630C # oid: 1.3.6.1.4.1.45522.99.12 64: 4D # value=byte[13] 65: 0C0B636F6E73742D76616C7565 78: 83 # [4]. subjectPublicKeyAlgorithm=array[3] 79: 01 # [0]=1: EC public key with curve secp256r1 80: 4A # [1]=byte[10]: 81: 2B0601040182E3526309 # oid: 1.3.6.1.4.1.45522.99.9 91: 82 # [2]=array[2] 92: 4A # algorithm=byte[10]: 93: 2B0601040182E352630A # oid: 1.3.6.1.4.1.45522.99.10 103: 42 # parameters=byte[2] 104: 0500 106: F7 # [5]. subjectPublicKey= 107: 88 # [6]. extensions=array[8] # extension[0] 108: 08 # type=8: ExtendedKeyUsage 109: F7 # value= # extension[1] 110: 21 # type=-2: KeyUsage, critical 111: 18 60 # value=96: [keyCertSign, cRLSign] # extension[2] 113: 4A # type=byte[10]: 114: 2B0601040182E352630D # oid: 1.3.6.1.4.1.45522.99.13 124: F7 # value= # extension[3] 125: 4A # type=byte[10]: 126: 2B0601040182E352630E # oid: 1.3.6.1.4.1.45522.99.14 136: 4D # value=byte[13] 137: 0C0B636F6E73742D76616C7565 ]]>
Security Considerations The private keys printed in these examples cannot be considered secret and MUST NOT be used.
Privacy Considerations There are no privacy considerations.
IANA Considerations There are no IANA considerations.
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Concise Binary Object Representation (CBOR) Sequences This document describes the Concise Binary Object Representation (CBOR) Sequence format and associated media type "application/cbor-seq". A CBOR Sequence consists of any number of encoded CBOR data items, simply concatenated in sequence. Structured syntax suffixes for media types allow other media types to build on them and make it explicit that they are built on an existing media type as their foundation. This specification defines and registers "+cbor-seq" as a structured syntax suffix for CBOR Sequences. Concise Binary Object Representation (CBOR) The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. Concise Binary Object Representation (CBOR) Tags for Object Identifiers The Concise Binary Object Representation (CBOR), defined in RFC 8949, is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. This document defines CBOR tags for object identifiers (OIDs) and is the reference document for the IANA registration of the CBOR tags so defined. CBOR Encoded X.509 Certificates (C509 Certificates) Ericsson AB Ericsson AB RISE AB RISE AB IN Groupe This document specifies a CBOR encoding of X.509 certificates. The resulting certificates are called C509 Certificates. The CBOR encoding supports a large subset of RFC 5280 and all certificates compatible with the RFC 7925, IEEE 802.1AR (DevID), CNSA 1.0, RPKI, GSMA eUICC, and CA/Browser Forum Baseline Requirements profiles. C509 is deployed in different settings including, in-vehicle and vehicle-to-cloud communication, Unmanned Aircraft Systems (UAS), and Global Navigation Satellite System (GNSS). When used to re-encode DER encoded X.509 certificates, the CBOR encoding can in many cases reduce the size of RFC 7925 profiled certificates by over 50% while also significantly reducing memory and code size compared to ASN.1. The CBOR encoded structure can alternatively be signed directly ("natively signed"), which does not require re-encoding for the signature to be verified. The TLSA selectors registry defined in RFC 6698 is extended to include C509 certificates. The document also specifies C509 Certificate Requests, C509 COSE headers, a C509 TLS certificate type, and a C509 file format. Informative References CBOR Playground
Acknowledgments