============================================================================
             Open Certification Authority - Open Source Project
      (c) 1999 by Massimiliano Pala and OpenCA Group All Rights Reserved
============================================================================

1. General Structure Overview
=============================

As the structure is layered, it is not so simple to understand the role of
every server. A simple overview can be this:

                 _______                    _______
                |       |       (a)        |       |
                |   1   |========||        |   2   |
                |_______|        __        |_______|
               /    |    \
              /     |  ... \  (b)
             /      |       \
           _/_     ___      _\_
          |   |   |   |    |   |
          | 1'|   | 2'| ...| N'|
          |___|   |___|    |___|

Legend:
   (1)               Registration Authority Server;
   (2)               Certification Authority (stand-alone computer);
   (a)               Connection to the Internet;
   (b)               Connection Client/Server (RAs/RA Server (1));
   (1',2', ... ,N')  Registration Authorities (RAs)

2. The Servers
==============

Here is how it works. The CA (2) computer is the most important: on it are
installed the CA software and the CA SECRET KEY. Because of its security
needs, we think it must be left disconnected from any network (this is the
only way to protect a computer from network attacks(!!!)), and file transfers
(requests/certificates/CRLs/etc.) with other computers are carried out on
removable support (i.e. floppy, rw, etc.).

The RA Server is a bit more complicated. It has a secure (with client auth
turned on) Apache server installed. Services offered only to RAs permit them
to approve/reject requests BEFORE they get signed by the CA. On the RA Server
there is also an LDAP server (for certificate availability).

There is another web server (Secure Server) that is used by the normal users
to make certificate requests, import the CA certificate, import requested
certificates and import other users' certs. You can activate this server on
the same machine as the RA Server: this saves a little work and is the
currently adopted choice.

3. What are those RAs?
======================

An RA is a computer connected to the network with Netscape installed: to
correctly communicate with the RA Server, you also need a certificate in the
.p12 format.

RAs have the task of verifying the identity of the subject in the cert
request (by examining the ID card when the subject comes to the RA to
identify himself) and getting the requests ready for export to the CA (by
removable support...). All communications between RAs and the RA Server go
through a secure web session (Apache+mod_ssl) (b). You can have as many RAs
as you want; just issue the needed RA certs for the RA operators: one CA can
serve, in this way, a wide local area. (NOTE that (b) connections can be made
over the Internet.) (NOTE 2: RA certificates are issued through the scripts
reqcert.bin and racert.bin in the bin/ dir => generated certs are in .p12
format and can be imported directly into the RA's Netscape.)

4. Why this structure?
======================

This is because we needed a CA structure that is able to issue certs while
surely asserting that the subject is the one he declares himself to be, and
that has as few security risks as possible.

5. How does it work?
====================

When a user requests a certificate, he connects with Netscape to the Secure
Server (web with no client authentication for simple users) and sends the
request, which is stored on the server.

Then the user has to identify himself to one of the RAs across the region
(the one he likes best), and that RA will process the request, getting it
ready for signing by the CA (connecting to the RA Server with Netscape).

Now an operator exports the requests onto a removable support and goes to
the CA (use this computer only for CA functions; it must be ULTRA-SECURED,
so it is not a bad idea to keep it in an access-logged room), imports the
requests on it and uses the developed tools (again a simple local Apache
server and Netscape are the interfaces, while Perl programs and OpenSSL do
the hard work) to issue/revoke certs, issue CRLs, and so on... Once all the
issuing operations are done, he then exports the issued certs onto the
removable media and (after having shut the CA down...) goes to the RA Server.

Now the RA Server imports the new certificates from the removable media and
puts them on LDAP, etc.

============================================================================
  Title:        OpenCA Structure
  Refer to:     www.openca.org
  Author:       Massimiliano Pala
  e-mail:       madwolf@openca.org
  Version:      0.2.1
  Last Modify:  21 Aug 1999
                                              OpenCA Project Documentation
============================================================================
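The issuing cycle that sections 2 and 5 describe (request on the secure
server, RA approval, requests carried to the offline CA on removable media,
certificates and CRLs carried back, RA operator certs delivered as .p12) can be
played out with the openssl command line alone. The script below is an added
example written for this page; it is not OpenCA's code and not what its Perl
scripts or racert.bin do internally. It assumes openssl is installed; three
directories stand in for the three machines, "$MEDIA" stands in for the
floppy, and every name, subject and password in it is constructed.

```shell
#!/bin/sh
# Added example, not OpenCA's own code: the issuing cycle of sections 2 and 5
# played out with the openssl CLI. Three directories stand in for the three
# machines; "$MEDIA" is the removable support that carries requests to the
# offline CA and certificates/CRLs back. All names and passwords are constructed.
set -eu
WORK=$(mktemp -d)
CA_DIR="$WORK/ca_machine"      # offline CA: ca.key lives here and nowhere else
RA_DIR="$WORK/ra_server"       # RA server (Apache+mod_ssl, client auth, LDAP)
MEDIA="$WORK/removable_media"  # the floppy shuttled between the two
P12_PASS=changeit              # constructed import password for the .p12 file
mkdir -p "$CA_DIR/newcerts" "$RA_DIR" "$MEDIA"

# --- CA machine: "openssl ca" database, serial and config stay with the key ---
write_ca_config() {
  cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = openca_demo
[ openca_demo ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn_only
[ policy_cn_only ]
commonName = supplied
[ ra_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, emailProtection
EOF
  : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
}
# CA secret key + self-signed certificate; only ca.crt is copied to the media.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$CA_DIR/ca.key" \
    -out "$CA_DIR/ca.crt" -subj "/CN=OpenCA Demo Root" 2>/dev/null
  cp "$CA_DIR/ca.crt" "$MEDIA/ca.crt"
}
# Sign a request taken from the media; the certificate goes back on the media.
ca_sign() {  # $1 = request name, $2 = extension section (ra_cert | usr_cert)
  openssl ca -batch -config "$CA_DIR/ca.cnf" -extensions "$2" -notext \
    -in "$MEDIA/$1.csr" -out "$MEDIA/$1.crt" 2>/dev/null
}
# Revoke one certificate and put a fresh CRL on the media for the RA server.
ca_revoke_and_gencrl() {  # $1 = certificate name
  openssl ca -config "$CA_DIR/ca.cnf" -revoke "$MEDIA/$1.crt" -crl_reason superseded 2>/dev/null
  openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$MEDIA/ca.crl" 2>/dev/null
}

# --- RA server / secure server side ---
# Key pair stays here; only the request travels to the CA.
make_request() {  # $1 = name, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$RA_DIR/$1.key" \
    -out "$MEDIA/$1.csr" -subj "/CN=$2" 2>/dev/null
}
# RA operator bundle (key + cert + CA cert) for import into the browser.
make_p12() {  # $1 = name
  openssl pkcs12 -export -inkey "$RA_DIR/$1.key" -in "$MEDIA/$1.crt" \
    -certfile "$MEDIA/ca.crt" -out "$RA_DIR/$1.p12" -passout "pass:$P12_PASS"
}
# Subject of the client certificate inside the .p12 (what mod_ssl will see).
p12_subject() {  # $1 = name
  openssl pkcs12 -in "$RA_DIR/$1.p12" -passin "pass:$P12_PASS" -nokeys -clcerts \
    2>/dev/null | openssl x509 -noout -subject
}
# Accept a certificate only if it chains to the CA certificate from the media.
verify_cert() {  # $1 = name
  openssl verify -CAfile "$MEDIA/ca.crt" "$MEDIA/$1.crt" >/dev/null 2>&1
}
# Same check with the latest CRL applied: fails once the CA has revoked it.
verify_cert_with_crl() {  # $1 = name
  cat "$MEDIA/ca.crt" "$MEDIA/ca.crl" > "$RA_DIR/ca_and_crl.pem"
  openssl verify -crl_check -CAfile "$RA_DIR/ca_and_crl.pem" "$MEDIA/$1.crt" >/dev/null 2>&1
}

# --- the cycle, in the order section 5 describes ---
run_cycle() {
  write_ca_config; make_ca
  make_request ra1 "RA Operator 1"; ca_sign ra1 ra_cert; make_p12 ra1   # enrol an RA
  make_request user1 "Alice Example"; ca_sign user1 usr_cert          # user request
  verify_cert user1                                                    # RA server accepts
  ca_revoke_and_gencrl user1                                           # later: revoke
}
run_cycle
echo "RA operator certificate: $(p12_subject ra1)"
verify_cert_with_crl user1 || echo "user1 is rejected once the CRL is applied"
```

Two points of the structure show up directly in the script: the CA private key
is created and used only under "$CA_DIR" and never copied to the media, and
the RA server can only act on what the media brings back (certificates and the
CRL), which is why revocation only takes effect on the RA side after the next
trip from the CA machine.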