Hi Ted,
I think there are two different approaches to your question: One is with
a single
CA which will sign all certificates. Some CA software packages include
mechanisms
to automatically sign certificate requests coming in (that would be on
the main CA).
The RA's are web-applications where
I have been working through a tutorial that talks about the use of
openssl, creating root, intermediate, and signing CAs. While the
front page mentions RAs, it says nothing about how they fit, as one is
creating CAs, and crts. The only thing that it says is that an RA may
be the same as a CA.