Certificates | x509 certificates
An X.509 certificate is a digital certificate based on the widely accepted International Telecommunication Union (ITU) X.509 standard, which defines the format of public key infrastructure (PKI) certificates. Certificates are used to manage identity and security in internet communications and computer networking. They are unobtrusive and ubiquitous, and we encounter them every day when using websites, mobile apps, online documents, and connected devices. 1
The certificate is also a confirmation by a trusted Certificate Authority (CA) that the public key contained in the certificate belongs to the person, organization, server or other entity named in the certificate.
For a number of reasons, primarily security ones, we may need to revoke an X.509 certificate before it expires. In a nutshell, an X.509 certificate should be revoked when:
- The private key corresponding to the certificate has been compromised.
- The issued certificate contains errors (wrong subject, wrong key usage, and so on).
- The intended usage of the certificate changes.
- The certificate owner is no longer deemed trustworthy.
The Netdata Agent checks the revocation status of the monitored X.509 certificate and exposes it as a boolean metric (0: not revoked, 1: revoked). This alert indicates that the X.509 certificate has been revoked. Check more about x509 certificate monitoring with Netdata.
This alert is triggered in the critical state when the revocation status is available (the collector could perform the check) and the certificate is reported as revoked.
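The check that the alert's boolean stands for, as an added example written with Go's standard library (this is not Netdata's code and does not describe how the collector is implemented): a certificate is compared against a CRL issued by its CA and the result is 0 (not revoked) or 1 (revoked). A CRL that cannot be trusted, because it fails to parse, is not signed by the certificate's issuer, names a different issuer or is past its NextUpdate, yields an error rather than a false "not revoked", which mirrors the "no data" case the alert does not fire on. The CA, leaf certificate, serial numbers 4242 and 9999 and both CRLs are generated in memory when the program runs and are assumptions for illustration only.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus checks one certificate against a CRL and returns the boolean
// the alert evaluates: 0 (not revoked) or 1 (revoked). A CRL that cannot be
// trusted (unparsable, not signed by the issuer, issued for another CA, or past
// its NextUpdate) yields an error, the "no data" case, never a silent 0.
// Serial numbers are unique only per issuer, hence the two issuer checks.
func RevocationStatus(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return 0, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return 0, fmt.Errorf("CRL signature: %w", err)
	}
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
		return 0, fmt.Errorf("CRL issuer differs from certificate issuer")
	}
	if now.After(crl.NextUpdate) {
		return 0, fmt.Errorf("CRL stale since %s", crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return 1, nil
		}
	}
	return 0, nil
}

// DemoPKI is a throwaway CA, a leaf it issued, and two CRLs it signed. All of it
// is generated in memory at run time (constructed fixture, not a real certificate).
type DemoPKI struct {
	Now        time.Time
	CA, Leaf   *x509.Certificate
	CRLRevoked []byte // lists the leaf's serial (4242)
	CRLOther   []byte // lists serial 9999 only
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func BuildDemoPKI() *DemoPKI {
	now := time.Now().Truncate(time.Second)
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// KeyUsageCRLSign is required by CreateRevocationList and CheckSignatureFrom.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "demo.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	mkCRL := func(serial int64) []byte {
		return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
			RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: now}},
		}, ca, caKey))
	}
	return &DemoPKI{Now: now, CA: ca, Leaf: leaf, CRLRevoked: mkCRL(4242), CRLOther: mkCRL(9999)}
}

func main() {
	p := BuildDemoPKI()
	for _, c := range []struct {
		name string
		crl  []byte
		now  time.Time
	}{
		{"CRL listing the leaf", p.CRLRevoked, p.Now},
		{"CRL listing another serial", p.CRLOther, p.Now},
		{"same CRL checked after NextUpdate", p.CRLRevoked, p.Now.Add(2 * time.Hour)},
	} {
		status, err := RevocationStatus(p.Leaf, p.CA, c.crl, c.now)
		fmt.Printf("%-34s status=%d err=%v\n", c.name, status, err)
	}
}
```

The third case is the one worth keeping in mind when reading the alert: a check that cannot be completed (stale or unverifiable CRL, unreachable responder) must surface as missing data, not as "valid", otherwise a revoked certificate stays green for as long as the revocation source is unavailable.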
Where and why we need X.509 certificates
The following explanation is taken from Sectigo's website. 1
Common Applications of X.509 Public Key Infrastructure
Many internet protocols rely on X.509, and there are many applications of the PKI technology that are used every day, including Web server security, digital signatures and document signing, and digital identities.
Web Server Security with TLS/SSL Certificates:
PKI is the basis for the secure sockets layer (SSL) and transport layer security (TLS) protocols that are the foundation of HTTPS secure browser connections. Without SSL certificates or TLS to establish secure connections, cybercriminals could exploit the Internet or other IP networks using a variety of attack vectors, such as man-in-the-middle attacks, to intercept messages and access their contents.
Digital Signatures and Document Signing:
In addition to being used to secure messages, PKI-based certificates can be used for digital signatures and document signing. Digital signatures are a specific type of electronic signature that leverages PKI to authenticate the identity of the signer and the integrity of the signature and the document. Digital signatures cannot be altered or duplicated in any way, as the signature is created by generating a hash, which is encrypted using a sender's private key. This cryptographic verification mathematically binds the signature to the original message to ensure that the sender is authenticated and the message itself has not been altered.

Code Signing enables application developers to add a layer of assurance by digitally signing applications, drivers, and software programs so that end users can verify that a third party has not altered or compromised the code they receive. To verify the code is safe and trusted, these digital certificates include the software developer's signature, the company name, and

S/MIME certificates validate email senders and encrypt email contents to protect against increasingly sophisticated social engineering and spear phishing attacks. By encrypting/decrypting email messages and attachments and by validating identity, S/MIME email certificates assure users that emails are authentic and unmodified.

SSH keys are a form of X.509 certificate that provides a secure access credential used in the Secure Shell (SSH) protocol. As the SSH protocol is widely used for communication in cloud services, network environments, file transfer tools, and configuration management tools, most organizations use SSH keys to authenticate identity and protect those services from unintended use or malicious attacks. SSH keys not only improve security, but also enable the automation of connected processes, single sign-on (SSO), and identity and access management at the scale that today's businesses require.

X.509 digital certificates also provide effective digital identity authentication. As data and applications expand beyond traditional networks to mobile devices, public clouds, private clouds, and Internet of Things devices, securing identities becomes more important than ever. And digital identities don't have to be restricted to devices; they can also be used to authenticate people, data, or applications. Digital identity certificates based on this standard enable organizations to improve security by replacing passwords, which attackers have become increasingly adept at
See more about Certificate Authorities
A certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.
References and source
Revocation of a certificate is irreversible: once revoked, the certificate is no longer usable. Stop using it in every context where it is deployed and replace it with a newly issued certificate.