I have been working through the tutorial at http://pki-tutorial.readthedocs.org/en/latest/
There are a number of things that aren't clear.

1) Am I right in assuming that the various commands in that tutorial can be performed as an ordinary user in a working directory in that user's home directory? Or do they have to be done as user root in /etc/ssl? Or does that depend on the command? If the right answer is the latter, can you tell me which can be performed by a mere mortal and which ought to be done as root in /etc/ssl?

2) One frustration is that the sample config files have neither comments nor even a listing of the possible valid values to enter, nor an explanation of what the values provided mean. Am I right in guessing, from some of the examples, that the same client-side certificate can be used both for email and for client authorization? If the recipient of a client-side certificate is not part of an organization (that the CA cares about), can one enter the client's complete mailing address and phone numbers, and if so, how?

Also, while I am not interested in code signing, I am interested in document signing, ideally including both server and client signing a given document that has been presented in the client's browser (the client being permitted at that stage only to accept and sign, or to decline, a document already signed by the server). Can both the server's certificate/key and the client's certificate/key serve both the requirement to verify each party's identity and to sign a document (to provide non-repudiation functionality and to assure both parties that the document has not been altered once each has signed)? This is not yet clear in my mind, but I half suspect it must be the key associated with the certificate that must be used for signing, and the certificate to verify identity. Some guidance on this, or a web tutorial on this specific topic, would be greatly appreciated.
3) A big one for me is that there is brief mention of registration authorities, and that they may be different from the CA or the RA may be the CA, but there is no information provided as to how or where the registration authority information can be included in the certificates. The particular configuration I am looking to try involves a root CA, a non-root CA, and then multiple registration authorities. Part of the idea here is that the entities I envision making registration authorities already do the due diligence required to verify the identities of both server entities and client entities, so it ought to be trivial to add support for server and client certificates on top of that at modest incremental cost (NB: these guys have to verify identities as part of the due diligence they must do anyway in support of their primary business activity). Some guidance on this, or a web tutorial on this specific topic, would be greatly appreciated. One thing I am certain of is that there already exists a trust relationship among the entities I hope to make registration authorities, so the identity of the registration authorities ought not to impinge on the acceptability of the certificates produced based on the results of the work done by any of them. But how that would work in the context of creating the CAs I need, I do not know. Any guidance on these specific questions would be greatly appreciated.

Thanks

Ted
______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
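As an added example (this is not code from the post above, nor from the PKI tutorial it cites), the script below builds a throwaway root CA and one client certificate entirely as an unprivileged user in a scratch directory, then checks the result with OpenSSL itself. It addresses the first two questions directly: none of the commands need root or /etc/ssl; a single client certificate can carry both the clientAuth and emailProtection extended key usages, so it serves TLS client authentication and S/MIME at once; and a postal address and telephone number can be carried as ordinary X.520 attributes of the subject DN (street, L, ST, postalCode, telephoneNumber). The CA name, the person, the address, the e-mail address and the file names (ca.cnf, client.cnf, ca.key, client.crt and so on) are all made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from the PKI tutorial:
# a throwaway CA and client certificate built entirely as an unprivileged
# user in a scratch directory (no root, nothing under /etc/ssl).
# Names, addresses and the e-mail address below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-signed root CA. The key stays in $WORK, owned by the current user.
build_ca() {
  cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Demo Root CA (constructed example)
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null
}

# One client certificate that is valid both as a TLS client certificate
# (extendedKeyUsage clientAuth) and for S/MIME (emailProtection), with the
# holder's postal address and telephone number carried as X.520 attributes
# of the subject DN. Everything in [ dn ] is made up.
issue_client_cert() {
  cat > client.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Ted Example
emailAddress = ted@example.invalid
street = 1 Example Street
L = Exampleville
ST = Example State
C = US
postalCode = 00000
telephoneNumber = 555-0100
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectAltName = email:ted@example.invalid
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -new -newkey rsa:2048 -nodes -config client.cnf \
    -keyout client.key -out client.csr 2>/dev/null
  # The CA signs the request; the extensions come from the CA side's
  # config (-extfile/-extensions), not from whatever the CSR asked for.
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile client.cnf -extensions client_ext -out client.crt 2>/dev/null
}

# Returns 0 if the certificate chains to ca.crt and OpenSSL accepts it for
# the "SSL client" and "S/MIME signing" purposes but not as an "SSL server".
check_client_cert() {
  openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1 || return 1
  purposes=$(openssl x509 -in client.crt -noout -purpose)
  echo "$purposes" | grep -q '^SSL client : Yes'     || return 1
  echo "$purposes" | grep -q '^S/MIME signing : Yes' || return 1
  echo "$purposes" | grep -q '^SSL server : No'      || return 1
}

# Returns 0 if the contact attributes survived into the issued subject DN.
subject_has_contact_fields() {
  subj=$(openssl x509 -in client.crt -noout -subject)
  echo "$subj" | grep -q 'telephoneNumber' || return 1
  echo "$subj" | grep -q 'street'          || return 1
  echo "$subj" | grep -q 'postalCode'      || return 1
}

build_ca
issue_client_cert
if check_client_cert && subject_has_contact_fields; then
  echo "client certificate issued and verified in $WORK"
  openssl x509 -in client.crt -noout -subject -purpose | head -n 6
fi
```

What the issued certificate does not contain is any mention of a registration authority: its issuer is always the CA that signed it. In an `openssl ca` setup the section named by `policy =` in the `[ ca ]` block is where the CA decides which subject fields it will accept from a submitted CSR, which is the point at which RA-vetted data gets enforced. For document signing beyond TLS and S/MIME, the same key and certificate can be exercised with `openssl cms -sign` and `openssl cms -verify`: the signature is made with the private key, and the certificate is what a verifier uses to tie that signature to an identity.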