Hi,

I defined a PKI structure as follows:

1. Self-signed CA.
2. CA-signed ORAs. An ORA cert is signed by the CA and itself has the CA capability.
3. A user generates a cert request to one of the ORAs.
4. The ORA does the checking and signs the request to generate a cert, then submits the user cert to the CA by secure means.
5. The CA verifies the user cert's signature chain; if OK, it removes the ORA's signature and re-signs the user's pubkey to generate the final user cert.
6. The CA returns the cert to the ORA, and the ORA returns the cert to the user.

This requires a new option "-user_cert certfile" in the ca.c program, which is close to the "-ss_cert" option, except that the cert is not self-signed as it is with the "-ss_cert" option. The ca program should do the verify work as verify.c provides (it may just copy the code), then call X509_to_X509_REQ to get the cert request, then sign it.

Currently ca.c does not have the renew ability; this option can be used to do so. I don't have a final idea of how to make a renew request, so I leave it to the main developers to consider.

===
With Regards
Wu Zhigang
email: [EMAIL PROTECTED]
pager: 92670830
office: 4237026

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
