This information has many uses. For example, if a certificate is revoked, its serial number is placed in the Certificate Revocation List (CRL).

Signing algorithm identifier: Identifies the algorithm used by the CA to sign the certificate.

Issuer Name: The X.500 name of the entity that signed the certificate. It is usually a CA. Using this certificate means trusting the entity that signed it. (Note: in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)

Validity Period: Each certificate is valid only for a limited period of time. The validity period is expressed as a start date and time and an end date and time, and can be as short as a few seconds or as long as a century. The validity period chosen depends on many factors, such as how often the private key used to sign the certificate is used and how much money you are willing to pay for the certificate. It is the period for which an entity can expect to rely on the public key value, as long as the associated private key is not compromised.

Subject Name: The name of the entity whose public key the certificate identifies. This name uses the X.500 standard and should therefore be unique across the Internet. It is the distinguished name (DN) of the entity, for example, CN=Java Duke, OU=Java Software Division, O=Sun Microsystems Inc, C=US (these refer to the entity's common name, organizational unit, organization, and country).

Subject public key information: The public key of the named entity, together with the algorithm identifier and all related key parameters that specify the public key cryptosystem to which the key belongs.

X.509 version 1 has been available since 1988, is widely used, and is the most commonly used version.

X.509 version 2 introduced the concept of subject and issuer unique identifiers to address the issue of subject and/or issuer names potentially being reused over time.
Most certificate monitoring documentation strongly discourages reuse of subject or issuer names and recommends that certificates not use unique identifiers. Version 2 certificates are not yet widely used.

X.509 version 3 is the latest version (1996). It supports the concept of extensions, so anyone can define extensions and include them in a certificate. Commonly used extensions today include KeyUsage (restricts the use of the key to particular purposes, such as "sign only") and AlternativeNames (allows other identities to be associated with the public key, such as DNS names, email addresses, and IP addresses). An extension can be marked as "critical" to indicate that it should be checked and enforced or used. For example, if a certificate has the KeyUsage extension marked as "critical" and set to "keyCertSign", the certificate will be rejected when presented during SSL communication, because the extension indicates that the associated private key should only be used for signing certificates and should not be used for SSL.

All data in the certificate is encoded using two related standards called ASN.1/DER. Abstract Syntax Notation 1 describes the data. Deterministic encoding rules (DER) describe the only way to store and transmit that data. Some people call this combination "powerful and flexible", others call it "vague and clumsy".
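
The KeyUsage and DER passages above can be seen together in a small decoder. This is an added example, not code from the original page: it reads one DER-encoded KeyUsage extension, refuses encodings DER does not permit, and applies the "keyCertSign only means no SSL" check. The function names, the three sample byte strings, and the set of usages accepted for a TLS server are assumptions made for the illustration.

```python
# Added example: strict DER reader for one X.509 KeyUsage extension (samples are constructed).
KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15
BITS = ("digitalSignature nonRepudiation keyEncipherment dataEncipherment "
        "keyAgreement keyCertSign cRLSign encipherOnly decipherOnly").split()
CA_ONLY = bytes.fromhex("300e0603551d0f0101ff040403020204")     # keyCertSign
TLS_LEAF = bytes.fromhex("300e0603551d0f0101ff0404030205a0")    # sig + keyEnc
BER_LENGTH = bytes.fromhex("30810e0603551d0f0101ff040403020204")  # length as 81 0E

def need(ok, msg):
    if not ok:
        raise ValueError(msg)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos), rejecting lengths DER does not allow."""
    need(pos + 2 <= len(buf), "truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        need(0 < n and pos + n <= len(buf), "indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        need(buf[pos] != 0 and length >= 0x80, "non-minimal length (BER, not DER)")
        pos += n
    need(pos + length <= len(buf), "truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_key_usage(ext):
    """Decode Extension ::= SEQUENCE {OID, BOOLEAN DEFAULT FALSE, OCTET STRING}."""
    tag, body, end = read_tlv(ext)
    need(tag == 0x30 and end == len(ext), "expected a single SEQUENCE")
    tag, oid, pos = read_tlv(body)
    need(tag == 0x06 and oid == KEY_USAGE_OID, "not a KeyUsage extension")
    tag, val, pos = read_tlv(body, pos)
    critical = tag == 0x01
    if critical:  # DER writes TRUE as FF and omits the default FALSE
        need(val == b"\xff", "BOOLEAN must be FF in DER")
        tag, val, pos = read_tlv(body, pos)
    need(tag == 0x04 and pos == len(body), "expected OCTET STRING extnValue")
    tag, bits, end = read_tlv(val)
    need(tag == 0x03 and end == len(val) and len(bits) >= 2 and bits[0] < 8,
         "expected BIT STRING")
    count = min((len(bits) - 1) * 8 - bits[0], len(BITS))
    names = {BITS[i] for i in range(count) if bits[1 + i // 8] & (0x80 >> i % 8)}
    return critical, names

def usable_for_tls_server(ext):
    """Assumed policy: the key needs a usage that a TLS server key exchange uses."""
    _, names = parse_key_usage(ext)
    return bool(names & {"digitalSignature", "keyEncipherment", "keyAgreement"})
```

`CA_ONLY` and `BER_LENGTH` carry the same extension content; only the second spells the length in a form DER forbids, which is why a strict parser accepts one and raises on the other.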