X.509 is part of the hierarchial X.500 standard and thus assumes a strict hierarchial system of certificate authorities (CAs) for issuing the certificates. This is in contrast to web of trust models, like PGP, where everyone may sign the keys of others. The X.500 system have never been fully implemented, so the IETF's public-key infrastructure working group have made extensive updates to the standard in order to make it work with the more loose organization of the Internet. In fact today X.509 certificate usually refers to the X.509 v3 certificate specified in RFC2459.
In the X.509 system, a CA issues a certificate binding a public key to a particular name. This name is supposed to be the Distinguished Name defined by X.500. However as no real implementation of this standard exists, the binding is more usually between a public key and an e-mail address or a DNS-entry.
Root certificates can be issued to all employees by an organisation so that all employees can use the company PKI system. Browsers such as Microsoft Internet Explorer, Netscape/Mozilla and Opera come with root certificates pre-installed, so SSL certificates from larger vendors who have paid for the privilege of being pre-installed will work instantly; in essence the browser's programmers determine which CAs are trusted third parties. Whilst their root certificates can be disabled, users rarely do it.
X.509 also includes standards for Certificate Revocation List implementations, an often overlooked necessity.
Structure of a X.509 v3 digital certificate: