> What is the use of RA certificates?
> What is the purpose of key usage extension values in CA or RA certificates?

Since nobody else has commented, I'll toss out my ignorance for all to mock... :-)
If you have both an RA and CA then the RA usually handles the question of whether you should get a cert and what policies apply to it, while the CA handles publishing it to the world. As a concrete example, the RA may be run by the HR department, and it determines whether you're an employee or not, whether you're a manager or not, etc., and it then hands it off to Verisign (CA) to manage. Or it may be a school's registrar (is this an undergrad student? a grad student? a faculty member?), and it hands it off to a CA run by the university IT group.

Anyway, in a case like this one way to handle the RA->CA traffic is for the RA to sign certs that it approves, and then the CA re-signs them with the published CA certs. The RA needs to be able to sign certs, but you really want everyone to use the certs published by the CA, not the RA. Hence the usage restrictions.

Hope this helps....