X.509 certificates establish trust between a client and a server
so that they can set up an SSL connection. A client authenticating
a server (or a server authenticating a client) knows the structure
of the X.509 certificate and can therefore extract identifying
information about the other party from fields within the certificate,
such as the FQDN or IP address (called a common name, or CN, within
the certificate) or the name of the organization, department, or
user to which the certificate was issued. A certificate authority
(CA) must issue all certificates. After the CA verifies the identity
of a client or server, the CA issues the certificate and signs it
with its private key.
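The flow described above, as an added Go example that is not part of the original page: a CA signs a server certificate, and the relying party reads the CN, organization and department fields only after the CA's signature verifies. The names, the fixed-seed Ed25519 test keys and the helper functions `issue`, `identify` and `demo` are assumptions made for illustration; the check covers the signature only, not validity dates, revocation or hostname matching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue is the CA side: sign subj and key's public half with signer; a nil parent yields a self-signed CA.
func issue(subj pkix.Name, key, signer ed25519.PrivateKey, parent *x509.Certificate) []byte {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		parent, t.IsCA, t.KeyUsage = t, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), signer)
	if err != nil {
		panic(err)
	}
	return der
}

// identify is the relying party: return the subject fields only if the trusted CA's signature verifies.
func identify(der []byte, ca *x509.Certificate) (pkix.Name, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil || cert.CheckSignatureFrom(ca) != nil {
		return pkix.Name{}, fmt.Errorf("rejected: not a valid certificate signed by %q", ca.Subject.CommonName)
	}
	return cert.Subject, nil
}

// demo uses constructed names and test keys: a genuine certificate and a look-alike signed by another key.
func demo() (subj pkix.Name, goodErr, forgedErr error) {
	key := func(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(append(make([]byte, 31), b)) }
	srv := pkix.Name{CommonName: "vpn.example.test", Organization: []string{"Example Corp"}, OrganizationalUnit: []string{"IT"}}
	ca, err := x509.ParseCertificate(issue(pkix.Name{CommonName: "Example Root CA"}, key(1), key(1), nil))
	if err != nil {
		panic(err)
	}
	subj, goodErr = identify(issue(srv, key(2), key(1), ca), ca)
	_, forgedErr = identify(issue(srv, key(2), key(3), &x509.Certificate{Subject: ca.Subject}), ca)
	return subj, goodErr, forgedErr
}

func main() { fmt.Println(demo()) }
```

The look-alike carries the same subject and issuer names as the genuine certificate, so the names alone do not distinguish them; only the signature check against the trusted CA's public key does.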