I have been working through a tutorial that talks about the use of openssl, creating root, intermediate, and signing CAs. While the front page mentions RAs, it says nothing about how they fit, as one is creating CAs and crts. The only thing that it says is that an RA may be the same as a CA. But what, precisely, does that mean? And it says nothing about how to proceed if the RA is NOT the same organization as the CA. When actually using openssl to make certificates, and the RA is a different organization from the CA, is the RA functionally just a signing CA?
Please consider the following case.

- there is one root CA
- there is one RA specializing in server identities: organization A
- there are three different RAs specializing in client identities: organizations X, Y, and Z
- servers that have used the services of organization A will accept only client side certificates for people whose identities have been verified by organizations X, Y, or Z

Am I right in assuming that in this case, organizations A, X, Y, and Z will all function as signing CAs, using certificates signed by the root CA, and that if, say, Apache's web server has the root CA's CRT, as well as the right server key and crt, it will then accept connections from clients that have certificates signed by organizations X, Y, or Z?

On the question of making client side certificates, is it possible to make the user using that certificate enter a password the first time the certificate is used in a given session on a given server, or is the requirement for use of decent login credentials a matter of displaying a login page only to those users that present an acceptable certificate, and proper session management after that?

Thanks

Ted

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
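An added example, not part of Ted's post or of the tutorial he refers to: it builds the hierarchy described above with the openssl command line (one self-signed root, four subordinate signing CAs for organizations A, X, Y and Z, one server certificate issued by A, one client certificate issued by each of X, Y and Z) and then uses `openssl verify` as a stand-in for the chain check a web server performs on a client certificate. The subject names, the extension profiles in `ext.cnf`, the file names and the `PKI_DIR` variable are assumptions chosen for this demo. It needs OpenSSL 1.1.1 or later (several `-untrusted` arguments) and the default `openssl.cnf` that ships with it.

```shell
#!/bin/sh
# Added example (not from the original post or tutorial): a root CA, four
# subordinate signing CAs (organizations A, X, Y, Z), one server cert and
# three client certs, then chain checks with "openssl verify".
# All names and extension profiles below are assumptions made for this demo.
set -e

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Extension profiles. Signing CAs get pathlen:0 so they cannot create further
# CAs; leaves get an EKU so a server cert cannot be presented as a client cert.
write_extensions() {
  cat > "$PKI_DIR/ext.cnf" <<'EOF'
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# make_cert NAME SUBJECT ISSUER SECTION: fresh key + CSR, signed by ISSUER's key
# with the extensions from SECTION of ext.cnf (the issuer's policy, not the CSR's).
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$3.crt" -CAkey "$PKI_DIR/$3.key" \
    -CAcreateserial -days 365 -extfile "$PKI_DIR/ext.cnf" -extensions "$4" \
    -out "$PKI_DIR/$1.crt" 2>/dev/null
}

build_pki() {
  write_extensions
  # Self-signed root: CSR signed with its own key.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Root CA" \
    -keyout "$PKI_DIR/root.key" -out "$PKI_DIR/root.csr" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/root.csr" -signkey "$PKI_DIR/root.key" -days 3650 \
    -extfile "$PKI_DIR/ext.cnf" -extensions root -out "$PKI_DIR/root.crt" 2>/dev/null
  # Organizations A, X, Y, Z each operate a signing CA certified by the root.
  for org in A X Y Z; do
    make_cert "ca_$org" "/O=Org $org/CN=Org $org Signing CA" root ca
  done
  make_cert server_A "/O=Org A/CN=www.example.test" ca_A server
  for org in X Y Z; do
    make_cert "client_$org" "/O=Org $org/CN=user of $org" "ca_$org" client
  done
  # A server-side trust store that also carries the three client-issuing CAs.
  cat "$PKI_DIR/root.crt" "$PKI_DIR/ca_X.crt" "$PKI_DIR/ca_Y.crt" "$PKI_DIR/ca_Z.crt" \
    > "$PKI_DIR/bundle.crt"
}

# verify_cert TRUSTFILE PURPOSE CERT [INTERMEDIATE...]
# TRUSTFILE plays the server's trust store; the INTERMEDIATEs play the chain the
# peer sends in the handshake. -purpose enforces the EKU and CA:TRUE checks too.
verify_cert() {
  trust=$1; purpose=$2; cert=$3; shift 3
  untrusted=""
  for crt in "$@"; do untrusted="$untrusted -untrusted $PKI_DIR/$crt.crt"; done
  openssl verify -CAfile "$PKI_DIR/$trust.crt" -purpose "$purpose" $untrusted \
    "$PKI_DIR/$cert.crt" >/dev/null 2>&1
}

build_pki
for org in X Y Z; do
  if verify_cert root sslclient "client_$org" "ca_$org"; then
    echo "root-only trust store, client of $org sends ca_$org in its chain: accepted"
  fi
done
if ! verify_cert root sslclient client_X; then
  echo "root-only trust store, client of X sends no intermediate: rejected"
fi
if verify_cert bundle sslclient client_X; then
  echo "trust store holds root + ca_X/Y/Z, same client, no intermediate: accepted"
fi
if ! verify_cert root sslclient server_A ca_A; then
  echo "server cert of A presented as a client cert: rejected (EKU is serverAuth)"
fi
echo "artifacts in $PKI_DIR"
```

Two things the checks make visible that a web server configuration has to account for. First, when the server trusts only the root, the client must send its organization's signing-CA certificate along with its own certificate, otherwise the chain cannot be built; the alternative is to put the signing CAs in the server's trust file as the `bundle` case does (in Apache, `SSLCACertificateFile`, with `SSLVerifyDepth` raised from its default of 1 to 2 so a root / signing-CA / client chain is allowed). Second, a trust store containing the root accepts a client certificate from any signing CA the root has certified, not only X, Y and Z; limiting acceptance to those three means either trusting their CA certificates directly instead of the root, or adding an issuer check in the server on top of the chain validation.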