Key Fields
version: must be v3 (integer 2) if extensions are present
serialNumber: must be unique per CA; recommended 20 bytes of random (RFC 5280 §4.1.2.2)
signature vs signatureAlgorithm: must match; the outer signatureAlgorithm and inner signature field must contain identical values
issuer / subject: Distinguished Names, e.g.:
C=US, O=Amazon, CN=Amazon Root CA 1
validity: UTCTime or GeneralizedTime
- UTCTime: years 1950–2049 (YYMMDDHHMMSSZ)
- GeneralizedTime: years outside that range (YYYYMMDDHHMMSSZ)
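As an added example (not from these notes), a small Python encoder and strict decoder for the validity Time field, plus a serial-number generator, written to the rules above. Assumed: DER tag bytes 0x17 (UTCTime), 0x18 (GeneralizedTime) and 0x02 (INTEGER) from X.690, and the choice of 20 random bytes with the top bit cleared for the serial.

```python
import os
from datetime import datetime, timezone

UTCTIME_TAG, GENERALIZEDTIME_TAG, INTEGER_TAG = 0x17, 0x18, 0x02  # X.690 tags


def encode_time(dt: datetime) -> bytes:
    """DER-encode an X.509 Time: UTCTime for 1950-2049, GeneralizedTime otherwise."""
    if dt.tzinfo is None:
        raise ValueError("validity times must be timezone-aware (UTC)")
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:
        tag, body = UTCTIME_TAG, dt.strftime("%y%m%d%H%M%SZ").encode("ascii")
    else:
        tag, body = GENERALIZEDTIME_TAG, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii")
    return bytes([tag, len(body)]) + body  # body < 128 bytes, so short-form length


def decode_time(der: bytes) -> datetime:
    """Strictly decode a DER Time as RFC 5280 profiles it; ValueError on anything else."""
    if len(der) < 2 or len(der) != 2 + der[1]:
        raise ValueError("bad TLV length")
    body = der[2:].decode("ascii")  # non-ASCII raises a ValueError subclass
    if body[-1:] != "Z" or not body[:-1].isdigit():
        raise ValueError("Time must be all digits, seconds present, 'Z' suffix (UTC)")
    if der[0] == UTCTIME_TAG and len(body) == 13:
        yy = int(body[:2])  # RFC 5280: YY >= 50 -> 19YY, else 20YY
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), body[2:]
    elif der[0] == GENERALIZEDTIME_TAG and len(body) == 15:
        year, rest = int(body[:4]), body[4:]
        if year <= 2049:  # CAs MUST use UTCTime through 2049
            raise ValueError("years through 2049 MUST be encoded as UTCTime")
    else:
        raise ValueError("not a Time, wrong length, or fractional seconds present")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def new_serial() -> bytes:
    """DER INTEGER serial from 20 random bytes (constructed choice, per the notes above)."""
    raw = bytearray(os.urandom(20))
    # Clear the sign bit so the INTEGER is positive without a 21st padding octet,
    # and set one bit so it can never be zero (RFC 5280: serial MUST be positive).
    raw[0] = (raw[0] & 0x7F) | 0x40
    return bytes([INTEGER_TAG, len(raw)]) + bytes(raw)
```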