Hi Ted,

I think there are two different approaches to your question: One is with a single CA which will sign all certificates. Some CA software packages include mechanisms to automatically sign certificate requests coming in (that would be on the main CA). The RA's are web-applications where users can submit their requests and where an RA operator checks the requests, and passes them after verifying the identity of the user to the CA, which then would automatically issue the certificate. As an alternative, there may also be a CA operator, who again reviews the requests passed from all the RA's before he signs them.

The other approach is that the main CA issues sub-CA certificates which in turn can be used to sign the user requests. Here, the RA's are again the web interfaces where the users submit their requests, but signing them happens "locally" in a kind of backend application on each of the RA's. Verifying user certificates issued this way is a bit more tricky, because all certificates of the chain (including the one of the Sub-CA) have to be passed to openssl. Also your server software must be able to handle different issuers (which is not always the case). However, when you talk about intermediate and signing CAs I guess the tutorial refers to this solution rather than the first one.

Best regards,
Martin
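
The chain verification described in the message above, as an added example that is not part of the original post: it builds a throwaway root CA, sub-CA and user certificate, then verifies the user certificate with and without the sub-CA certificate passed to `openssl verify`. All subject names, file names and the work directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway PKI (root CA -> sub-CA -> user certificate).
# All subject and file names are constructed for illustration.
build_chain() {   # $1 = work directory
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
  for n in root subca user; do
    openssl genrsa -out "$d/$n.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$d/pki.cnf" -key "$d/$n.key" \
      -subj "/CN=Example $n" -out "$d/$n.csr" || return 1
  done
  # Root CA: self-signed.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/pki.cnf" -extensions v3_ca -out "$d/root.pem" 2>/dev/null || return 1
  # Sub-CA certificate, issued by the root CA.
  openssl x509 -req -in "$d/subca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1 -days 1 -extfile "$d/pki.cnf" -extensions v3_ca \
    -out "$d/subca.pem" 2>/dev/null || return 1
  # User certificate, signed "locally" by the sub-CA.
  openssl x509 -req -in "$d/user.csr" -CA "$d/subca.pem" -CAkey "$d/subca.key" \
    -set_serial 2 -days 1 -extfile "$d/pki.cnf" -extensions v3_user \
    -out "$d/user.pem" 2>/dev/null || return 1
}
# Older openssl versions exit 0 even when verification fails, so test the output.
verify_root_only() {   # trust anchor only: the issuer of user.pem is unknown
  openssl verify -CAfile "$1/root.pem" "$1/user.pem" 2>/dev/null | grep -q ': OK$'
}
verify_with_chain() {  # sub-CA certificate supplied as an untrusted intermediate
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/subca.pem" \
    "$1/user.pem" 2>/dev/null | grep -q ': OK$'
}
w=$(mktemp -d) && build_chain "$w" || exit 1
verify_root_only "$w"  && echo "root only: OK" || echo "root only: verification failed"
verify_with_chain "$w" && echo "root + sub-CA: OK" || echo "root + sub-CA: verification failed"
rm -rf "$w"
```

Only the root is a trust anchor here; the sub-CA certificate is handed over with `-untrusted`, so it is used for path building but still has to chain to the root itself.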