Eek, you're right. The certificate contains (at minimum) the subject's name and public key, and can contain arbitrary other stuff in the extensions field, but putting the private key in the certificate would defeat the point of using it to hold the public key. In order to verify with the public key, the signature has to be generated with the private key. I'm trying to come up with a clearer way to say this. This is what I'm currently planning to replace it with:

An X.509 certificate minimally needs to contain the subject's name and that
subject's public key. An issuer is also free to embed arbitrary data into
a certificate in the certificate's extensions field. Extensions are
identified by OID and the data they contain is in a format specific to that
OID.

If it still doesn't read right, well, we can try again until it's right. Thanks for spotting this!

sure. that sounds clear.

Just did a 'git pull' and noticed in 'git log' that checked in the corrected text. Nice.

I can close this ticket if you want me to.

PS:
now I notice: correction to my correction :)

'correction: shouldn't the above be read as : "In addition to the subject's name and that subject's "public" key.." ? ' (I said "private" by mistake in the Description )

Whoops, I should've closed this when the release that included the fixed text (0.17) was tagged.