What Is a Digital Certificate? How X.509 Certificates Work
A digital certificate is an electronic document that binds a public key to a verified identity — a person, a server, or an organization — and is signed by a trusted Certificate Authority (CA). It's the foundation of HTTPS, code signing, and encrypted email, and it follows the X.509 standard.
If you've ever clicked the padlock in a browser, you've inspected a digital certificate. This guide explains what one actually contains, how trust is established, and how to read your own.
What a Digital Certificate Does
A certificate solves a trust problem: how do you know a public key really belongs to the website you're talking to? Anyone can generate a key pair, so a public key alone proves nothing. A digital certificate adds a trusted third party — the CA — that vouches for the binding between an identity and its public key by signing the certificate with the CA's own private key.
When your browser connects to example.com, the server presents its certificate. The browser checks that a CA it already trusts signed it, that the domain matches, and that it hasn't expired or been revoked.
What's Inside an X.509 Certificate
X.509 is the format virtually every digital certificate uses. Decode one and you'll find these fields:
| Field | Purpose |
|---|---|
| Subject | Who the certificate identifies (e.g., CN=example.com) |
| Issuer | The CA that signed it |
| Public Key | The subject's public key (RSA or ECDSA) |
| Validity | "Not Before" and "Not After" dates |
| Serial Number | Unique ID assigned by the CA |
| SAN | Subject Alternative Names — the domains the cert covers |
| Signature | The CA's cryptographic signature over all the above |
| Extensions | Key usage, CRL/OCSP URLs, basic constraints |
The Subject Alternative Name (SAN) extension is what actually matters for modern HTTPS — browsers validate against SAN entries, not the legacy Common Name.
How a Certificate Authority Signs It
- You generate a key pair and a Certificate Signing Request (CSR) containing your public key and identity.
- The CA verifies your identity (for domain certs, by proving control of the domain).
- The CA hashes the certificate data and signs that hash with its private key; the result is the signature.
- Anyone can verify the signature using the CA's public key, which ships in browsers and operating systems.
This forms a chain of trust: your certificate → an intermediate CA → a root CA that devices inherently trust. (See SSL Certificate Chain Explained for the full chain.)
Digital Certificate vs SSL/TLS Certificate
An SSL/TLS certificate is a type of digital certificate — specifically one used to secure web connections. "Digital certificate" is the umbrella term; it also covers:
- Code signing certificates (verify software publishers)
- Email (S/MIME) certificates (sign and encrypt email)
- Client certificates (authenticate users to servers)
- Document signing certificates (PDF/eIDAS signatures)
They all share the X.509 format; only their purpose (encoded in the Key Usage extensions) differs.
How to View a Certificate's Contents
You can inspect any certificate from the command line:
```bash
# Decode a PEM certificate
openssl x509 -in certificate.pem -text -noout
# Inspect a live server's certificate
openssl s_client -connect example.com:443 -servername example.com
```
For a faster, no-install option, paste the PEM block into our Certificate Decoder or SSL Certificate Decoder to see the subject, issuer, validity, and SAN entries instantly. If you have a .pem, .crt, or .cer file, the PEM Decoder detects and parses the contents for you.
Frequently Asked Questions
What is a digital certificate in simple terms? It's a digital ID card that links a public key to a verified identity, signed by a trusted authority so others can confirm the key is genuine.
What is inside an X.509 certificate? The subject and issuer names, the public key, validity dates, a serial number, Subject Alternative Names, extensions, and the CA's signature.
What's the difference between a digital certificate and an SSL certificate? An SSL/TLS certificate is one kind of digital certificate, used for HTTPS. Digital certificates also include code-signing, email, and client certificates.
Who issues digital certificates? Certificate Authorities (CAs) such as Let's Encrypt, DigiCert, and Sectigo. For internal use, organizations run their own private CA.
How do I view a certificate's contents? Use openssl x509 -text, your browser's certificate viewer, or paste the certificate into an online certificate decoder.
Once you can read an X.509 certificate, the entire public-key infrastructure (PKI) behind HTTPS stops feeling like magic and starts looking like a well-organized chain of signatures.