Now that you know the basic infrastructure of OpenCA, you may want to know how we think about components such as the CA, the RA, LDAP and the public interface (sometimes called the web gateway). OpenCA supports all of these software components through dedicated web interfaces.
If you want to design a powerful trustcenter, you must have a concept of how you want to organize your workflow. You can see an example in the following figure.
OpenCA currently supports the following interfaces:
Node (for node management)
CA
RA
LDAP
Pub
SCEP
The Node interface manages the database and handles all export and import functionality.
The database can be initialized, which means that OpenCA can create all the tables; OpenCA cannot create the database itself, because that step differs for every vendor. So you need a newly created database with the appropriate access rights. The interface includes some functions for the backup and recovery of such a node, but please bear in mind that you MUST have a separate backup of the CA's private key and certificate. There is no default mechanism in OpenCA to back up the private key. We don't implement one because, first, we found no general secure way to back up a private key and, second, most CAs use HSMs and therefore need a completely different and usually proprietary backup strategy.
The export and import are handled by this interface too. You can configure different rules for the synchronization with nodes on a higher and a lower level of the hierarchy, including which objects and which statuses may be exchanged. The configured filters prevent status injections from lower levels of the hierarchy.
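The following is an added illustration of such a direction-dependent import filter; it is not OpenCA's own code, and the object types, status names and sample batch are constructed for the example:

```python
# Added illustrative example (not OpenCA's own code): an import filter for
# node synchronization that only accepts object/status combinations allowed
# to flow in a given direction of the hierarchy. Object and status names
# below are constructed for this example.

# What a node may accept from a *lower* level (e.g. the CA node importing
# from an RA node): requests only, in states the lower level may set.
ALLOWED_FROM_LOWER = {
    "REQUEST": {"NEW", "PENDING", "APPROVED", "DELETED"},
}

# What a node may accept from a *higher* level (e.g. an RA node importing
# from the CA node): issued certificates, CRLs and the CA's final request
# states.
ALLOWED_FROM_HIGHER = {
    "REQUEST": {"ARCHIVED"},
    "CERTIFICATE": {"VALID", "REVOKED", "SUSPENDED"},
    "CRL": {"VALID"},
}

def filter_import(objects, direction):
    """Split an export batch into (accepted, rejected) lists.

    direction is "from_lower" or "from_higher". Any object whose type or
    status is not explicitly allowed for that direction is rejected, so a
    lower-level node cannot inject e.g. a VALID certificate or an ARCHIVED
    request into the CA node's database.
    """
    rules = ALLOWED_FROM_LOWER if direction == "from_lower" else ALLOWED_FROM_HIGHER
    accepted, rejected = [], []
    for obj in objects:
        if obj["status"] in rules.get(obj["type"], set()):
            accepted.append(obj)
        else:
            rejected.append(obj)
    return accepted, rejected

# Constructed sample batch, as an RA node might push it up to the CA node.
SAMPLE_FROM_RA = [
    {"type": "REQUEST", "serial": 101, "status": "APPROVED"},
    {"type": "REQUEST", "serial": 102, "status": "ARCHIVED"},  # injection attempt
    {"type": "CERTIFICATE", "serial": 7, "status": "VALID"},   # injection attempt
]

if __name__ == "__main__":
    ok, bad = filter_import(SAMPLE_FROM_RA, "from_lower")
    print("accepted:", [o["serial"] for o in ok])   # [101]
    print("rejected:", [o["serial"] for o in bad])  # [102, 7]
```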
The CA interface has all the functions you need to create certificates and Certificate Revocation Lists (CRLs). It also includes all the functions for changing the configuration via a web interface; the configuration cannot be changed via any other web interface.
The CA is also the home of the batch processors. OpenCA includes some powerful batch processors for creating certificates, which can be used for automatic certificate creation from various Enterprise Resource Planning (ERP) systems (e.g. SAP, HIS, NIS or /etc/passwd).
OpenCA's RA is able to handle all kinds of requests. This includes editing requests, approving requests, creating private keys on smart cards, deleting wrong requests and emailing users.
The LDAP interface was implemented to separate LDAP management completely from the rest of the software. This is necessary because there are many functions that are really specific to LDAP admins, and only a few users need these features.
The Public interface includes all the small things which the users need. This is only a short list and it may be incomplete:
generates CSRs (certificate signing requests) for Microsoft Internet Explorer
generates CSRs for Mozilla 1.1+ and Netscape Communicator and Navigator
generates client independent requests and private keys (e.g. for KDE's konqueror or server administrators who don't know how to create a private key and request)
receives PEM-formatted PKCS#10 requests from servers
enrolls certificates
enrolls CRLs
supports two different revocation methods
searches for certificates
tests user certificates in browsers (Microsoft Internet Explorer and Netscape Communicator and Navigator 4.7x)