What are X.509 certificates and how do they enable trust?
X.509 certificates are a standard format established by the International Telecommunication Union, a branch of the UN. The X.509 recommendation defines the framework for public key infrastructure (PKI) and privilege management infrastructure (PMI), and establishes the protocols for asymmetric cryptographic techniques and for how certificates are managed.
To work securely, both parties in the exchange must trust each other’s identity. This is where the X.509 certificate comes in: the certificate is the digital proof, signed by a trusted certificate authority (CA), that the user’s identity is valid.
Technically, it is possible for a user to self-sign their certificate rather than have it issued by a CA. However, most browsers and networks have deprecated the use of self-signed certificates due to their potential to be fraudulent.
The root certificate, or CA certificate, is the primary certificate of trust used by the CA to sign all other certificates. It must be the final certificate in the certificate trust chain and be held in the trust store, as the chain leads back to it.