diff --git a/x509/src/certificate.rs b/x509/src/certificate.rs
index 98b8c711d..9c18c610a 100644
--- a/x509/src/certificate.rs
+++ b/x509/src/certificate.rs
@@ -1,14 +1,37 @@
 //! Certificate [`Certificate`] and TBSCertificate [`TBSCertificate`] as defined in RFC 5280
 use der::asn1::{BitString, ContextSpecific, ObjectIdentifier, UIntBytes};
-use der::{Sequence, TagMode, TagNumber};
+use der::{Enumerated, Sequence, TagMode, TagNumber};
 use spki::{AlgorithmIdentifier, SubjectPublicKeyInfo};
 use x501::name::Name;
 use x501::time::Validity;
-/// only support v3 certificates
+/// Certificate `Version` as defined in [RFC 5280 Section 4.1].
+///
+/// ```text
 /// Version ::= INTEGER { v1(0), v2(1), v3(2) }
-pub const X509_CERT_VERSION: u8 = 2;
+/// ```
+///
+/// [RFC 5280 Section 4.1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1
+#[derive(Clone, Debug, Copy, PartialEq, Eq, Enumerated)]
+#[asn1(type = "INTEGER")]
+#[repr(u8)]
+pub enum Version {
+ /// Version 1 (default)
+ V1 = 0,
+
+ /// Version 2
+ V2 = 1,
+
+ /// Version 3
+ V3 = 2,
+}
+
+impl Default for Version {
+ fn default() -> Self {
+ Self::V1
+ }
+}
 /// X.509 `TBSCertificate` as defined in [RFC 5280 Section 4.1.2.5]
 ///
@@ -39,7 +62,7 @@ pub const X509_CERT_VERSION: u8 = 2;
 pub struct TBSCertificate<'a> {
 /// version [0] Version DEFAULT v1,
 //#[asn1(context_specific = "0", default = "Default::default")]
- pub version: u8,
+ pub version: Version,
 /// serialNumber CertificateSerialNumber,
 pub serial_number: UIntBytes<'a>,
 /// signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgorithms}},
diff --git a/x509/tests/certificate.rs b/x509/tests/certificate.rs
index f36b2d9e4..60f0ba101 100644
--- a/x509/tests/certificate.rs
+++ b/x509/tests/certificate.rs
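Review bot: The doc comment on `Version` says nothing about what decoding does with an INTEGER outside 0..=2, and nothing records that v1 and v2 certificates are now representable where the removed comment said only v3 was supported. Both matter to code that validates certificates: RFC 5280 Section 4.1 permits `extensions` only with v3 and the unique identifiers only with v2 or v3, and no check tying those fields to `version` is visible in this diff. I would add a line such as `/// Decoding rejects any value other than 0, 1 or 2; callers must still check that optional fields match the version.` once the rejection behaviour of the `Enumerated` derive has been confirmed by a test.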
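Review bot: The `version` field still carries its `context_specific = "0", default = "Default::default"` attribute only as a comment, so the DEFAULT v1 rule has to be implemented in hand-written encode/decode code that this hunk does not show. With the typed field, that code should map an absent `[0]` to `Version::V1` and omit the field when encoding `Version::V1`, since DER does not allow a DEFAULT value to be encoded explicitly. A comment on the field would make that contract visible, for example `// absent [0] decodes to Version::V1; V1 is never encoded (DER DEFAULT rule)`. The struct body continues past the end of the hunk.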
@@ -194,7 +194,7 @@ fn decode_cert() {
 let result = Certificate::from_der(der_encoded_cert);
 let cert: Certificate = result.unwrap();
- assert_eq!(cert.tbs_certificate.version, 2);
+ assert_eq!(cert.tbs_certificate.version, Version::V3);
 let target_serial: [u8; 16] = [
 0x7F, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x49, 0xCF, 0x70, 0x66, 0x4D, 0x00, 0x00, 0x00, 0x02,
diff --git a/x509/tests/pkix_extensions.rs b/x509/tests/pkix_extensions.rs
index 5f15382fa..d97ae25fc 100644
--- a/x509/tests/pkix_extensions.rs
+++ b/x509/tests/pkix_extensions.rs
@@ -601,7 +601,7 @@ fn decode_cert() {
 let result = Certificate::from_der(der_encoded_cert);
 let cert: Certificate = result.unwrap();
- assert_eq!(cert.tbs_certificate.version, 2);
+ assert_eq!(cert.tbs_certificate.version, Version::V3);
 let target_serial: [u8; 1] = [2];
 assert_eq!(
 cert.tbs_certificate.serial_number,
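Review bot: Both updated assertions (here and in `x509/tests/pkix_extensions.rs`) exercise only the `Version::V3` path, so the new decoding behaviour is untested for the cases most likely to go wrong: a v1 certificate with no `[0]` field, and a certificate whose version INTEGER is not 0, 1 or 2. I would add one test that decodes a v1 fixture and asserts `Version::V1`, and one that asserts `Certificate::from_der` returns `Err` for an out-of-range version. `decode_cert` starts and ends outside the hunk.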