Version, Serial, Algorithm ID and Validity.
Version - Indicates X.509 version. Should be 3 (value 0x2).
Serial - Unique positive integer assigned by the CA to each certificate.
Algorithm ID - Must be the same as the field 'Certificate Signature Algorithm'.
Validity - Two dates that form the period when the certificate is valid.
An is an integer whose value can be represented in 20 bytes ('or less', because Distinguished Encoding Rules (DER) say you omit any unnecessary leading 0x00 bytes; it's necessary if it changes from a negative to positive number, or if it's the number 0).

(0x985ae83a6b9e477f) If you go to a website that does big number conversions, such as you'll see that 985ae83a6b9e477f (hex) is equal to (decimal). The DER encoded value of this number is 02 09 00 98 5a e8 3a 6b 9e 47 7f.

0eaa20f53cacdcaa40fbde51ab50c7d1 This number (DER 02 10 0e aa 20 f5 3c ac dc aa 40 fb de 51 ab 50 c7 d1) is equivalent to the decimal value 38016465.

Assuming the same software displayed both renderings, like OpenSSL, the difference in whether or not it displays in both decimal and hex likely has to do with the length of the serial number. For OpenSSL the cutoff is 8 content (non-0x00) bytes: Since 0x985ae83a6b9e477f fits into an unsigned long, OpenSSL prints it as a decimal value for user convenience.
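The DER rule described above (a leading 0x00 only when the top bit would otherwise make the value read as negative), worked through on the two serial numbers quoted in this answer. This is an added example, not code from the original page or from OpenSSL; the function names are hypothetical, and applying the 20-byte limit to the content octets (leading 0x00 included) is an assumption.

```python
MAX_SERIAL_OCTETS = 20  # assumption: limit counts content octets, pad byte included

def der_encode_serial(serial: int) -> bytes:
    """Encode a positive serial number as a minimal DER INTEGER (tag 0x02)."""
    if serial <= 0:
        raise ValueError("serial must be a positive integer")
    body = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        # Top bit set would read as negative in two's complement,
        # so exactly one leading 0x00 octet is required.
        body = b"\x00" + body
    if len(body) > MAX_SERIAL_OCTETS:
        raise ValueError("serial does not fit in 20 octets")
    return bytes([0x02, len(body)]) + body  # short-form length (< 128)

def der_decode_serial(der: bytes) -> int:
    """Parse a DER INTEGER, refusing encodings a strict parser should reject."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, body = der[1], der[2:]
    if length & 0x80 or length != len(body):
        raise ValueError("bad length octet")
    if length > MAX_SERIAL_OCTETS:
        raise ValueError("serial longer than 20 octets")
    if length > 1 and body[0] == 0x00 and not body[1] & 0x80:
        raise ValueError("non-minimal encoding: unnecessary leading 0x00")
    value = int.from_bytes(body, "big", signed=True)
    if value <= 0:
        raise ValueError("serial is not a positive integer")
    return value

def spaced_hex(data: bytes) -> str:
    """Render bytes the way the text above writes DER: '02 09 00 98 ...'."""
    return " ".join(f"{b:02x}" for b in data)

# The two serial numbers quoted in the text above.
SAMPLES = [0x985AE83A6B9E477F, 0x0EAA20F53CACDCAA40FBDE51AB50C7D1]

if __name__ == "__main__":
    for serial in SAMPLES:
        der = der_encode_serial(serial)
        assert der_decode_serial(der) == serial  # round trip
        print(f"{serial:x} -> {spaced_hex(der)}")
```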
I have trouble understanding the difference between the serial number of a certificate and its SHA1 hash.

The MSDN says: "Serial number: A number that uniquely identifies the certificate and is issued by the certification authority." So I can identify a certificate by its serial number, right?

Wikipedia says for the hash: "Thumbprint: The hash itself, used as an abbreviated form of the public key certificate."

So the hash identifies the (e.g.

In a, the serial number is chosen by the CA which issued the certificate. It is just written in the certificate. The CA can choose the serial number in any way it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is supposed to choose unique serial numbers, that is, unique for the CA. You cannot count on a serial number being unique worldwide; in the dream world of X.509, it is the pair issuerDN+serial which is unique worldwide (each CA having its own unique distinguished name, and taking care not to reuse serial numbers).
The thumbprint is a hash value computed over the complete certificate, which includes all its fields, including the signature. That one is unique worldwide, for a given certificate, up to the inherent collision resistance of the used hash function. Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known, but no actual collision has been produced (yet).
A on SHA-1 has now been demonstrated by researchers from CWI and Google. (The thumbprints you show appear to consist of 40 hexadecimal characters, i.e. 160 bits, which again points at SHA-1 as the plausibly used hash function.)