ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

X509

X.509. The ITU-T standard that has defined the universal format of public-key certificates since 1988.

Definition

X.509 is the international standard, published by ITU-T and republished in the ISO/IEC 9594 series, that defines the ASN.1 binary format of a public-key digital certificate. An X.509 certificate binds an identity (subject, organisation, country) to a public key, the whole thing signed by a certificate authority. It is the cornerstone of every PKI: TLS, mTLS, S/MIME, qualified XAdES and CAdES signatures, AS2, AS4, PEPPOL.

Origin

X.509 was first published in 1988 as part of the X.500 series (enterprise directory). Version 3, published in 1996, introduced the extensions mechanism (Key Usage, Subject Alternative Name, Authority Information Access) still in use today. The IETF PKIX WG (RFC 5280, 2008) profiled X.509 v3 for Internet use, and that profile is the one used universally today.

Example in context

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0x42:8a:5e:...
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN=OpenPEPPOL AISBL,O=OpenPEPPOL AISBL
        Validity:
            Not Before: 2026-01-15 00:00:00 UTC
            Not After:  2028-01-15 23:59:59 UTC
        Subject: CN=PEPPOL TEST AP, C=FR
        Subject Public Key Info: EC, P-384
        X509v3 extensions: ...

Every PEPPOL AS4 certificate follows this profile: version 3, ECDSA SHA-384 signature, two-year validity, Key Usage extensions (digitalSignature, keyEncipherment), Extended Key Usage (clientAuth, serverAuth), Authority Information Access for the OCSP URL.

  • TLS 1.3 — massive consumer of X.509.
  • mTLS — authentication based on X.509.
  • S/MIME — uses X.509 to identify sender and recipient.

Last updated: May 14, 2026