Once you know the basic infrastructure of OpenCA you probably want to know how we think about components such as the CA, the RA, LDAP and the public interface, which is sometimes called the web gateway. OpenCA supports all of these software components via dedicated web interfaces:
Node (for node management)
CA
RA
LDAP
Pub
SCEP
The node interface manages the database and handles all export and import functionality.
The database can be initialized, which means that OpenCA creates all the tables, but OpenCA cannot create the database itself because this differs from vendor to vendor. So you need an empty database and a database account with the appropriate access rights. The interface includes some functions for the backup and recovery of such a node, but please bear in mind that you MUST keep a separate backup of the CA's private key and certificate. There is no default mechanism in OpenCA to back up the private key. We did not implement one because, first, we found no generally secure way to back up a private key and, second, most CAs use HSMs and therefore need a completely different and usually proprietary backup strategy.
Export and import are handled by this interface as well. You can configure different rules for synchronization with nodes on a higher and on a lower level of the hierarchy, including which objects and which status values may be exchanged. The configured filters prevent status injection from lower levels of the hierarchy.
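As an added illustration of such a filter (this is not OpenCA's own code; the record format "object,id,status", the object names, the status values and the direction names are assumptions made for the example), the following shell script lets a node accept from a lower level only the objects and states that level is entitled to set, while certificates, CRLs and final states are accepted only from above:

```sh
#!/bin/sh
# Added illustration, not OpenCA's own code: an import filter in the spirit
# of the node interface's synchronisation rules. A node takes from a LOWER
# level (e.g. an RA exporting to the CA) only requests and revocation
# requests in states the lower level may legitimately set; certificates,
# CRLs and final states such as VALID or REVOKED are only accepted from a
# HIGHER level. A compromised lower node therefore cannot inject status.
# The record format "object,id,status" and all names are constructed here.
set -eu

# Decide whether one record may be imported. direction is "up" for data
# arriving from a lower node and "down" for data from a higher node.
allowed() {
  direction="$1"; object="$2"; status="$3"
  case "$direction:$object:$status" in
    # From below: certificate requests and revocation requests (CRRs), never
    # anything that asserts a decision only the higher node may take.
    up:REQUEST:NEW|up:REQUEST:PENDING|up:REQUEST:APPROVED) return 0 ;;
    up:CRR:NEW|up:CRR:APPROVED) return 0 ;;
    # From above: the results of the higher node's decisions.
    down:CERTIFICATE:VALID|down:CERTIFICATE:REVOKED) return 0 ;;
    down:CRL:VALID) return 0 ;;
    down:REQUEST:SIGNED|down:REQUEST:DELETED) return 0 ;;
    down:CRR:DONE|down:CRR:DELETED) return 0 ;;
  esac
  return 1
}

# Read records from stdin, pass the allowed ones to stdout and report the
# rest on stderr. Blank lines are skipped.
filter_import() {
  direction="$1"
  while IFS=, read -r object id status; do
    [ -n "$object" ] || continue
    if allowed "$direction" "$object" "$status"; then
      printf '%s,%s,%s\n' "$object" "$id" "$status"
    else
      printf 'dropped %s %s in state %s (not accepted from %s)\n' \
        "$object" "$id" "$status" "$direction" >&2
    fi
  done
}

# Constructed export from an RA, containing two records it must not be able
# to push into the CA: an already "issued" certificate and a revoked state.
sample_ra_export() {
  printf 'REQUEST,17,APPROVED\nCRR,5,NEW\nCERTIFICATE,17,VALID\nREQUEST,18,REVOKED\n'
}

# Run the RA export through the upward filter: only the first two records
# survive, the other two are reported on stderr.
sample_ra_export | filter_import up
```

The point of keying the allow-list on the direction is that the same object type means different things depending on where it comes from: a certificate coming down from the CA is authoritative, a certificate coming up from an RA is an attempt to make the CA believe something it never issued.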
The CA interface has all the functions you need to create certificates and CRLs (Certificate Revocation Lists). The CA interface also includes all the functions for changing the configuration via the web interface; it is not possible to change the configuration via any other web interface.
The CA is the home of the batch processors too. OpenCA includes some powerful batch processors that create certificates fully automatically from ERP systems (Enterprise Resource Planning) and similar sources, e.g. SAP, HIS, NIS or /etc/passwd.
OpenCA's RA is able to handle all kinds of requests. This includes editing requests, approving requests, creating private keys with smartcards, deleting wrong requests and emailing users.
The LDAP interface was implemented to separate LDAP management completely from the rest of the software. This is necessary because many of these functions are of interest to LDAP administrators only, and only a few users need them.
The public interface (Pub) offers the following functions:
generates CSRs (certificate signing requests) for Microsoft Internet Explorer
generates CSRs for Mozilla 1.1+ and Netscape Communicator and Navigator
generates client-independent requests and private keys (e.g. for KDE's Konqueror or for server administrators who do not know how to create a private key and request)
receives PEM-formatted PKCS#10 requests from servers
enrolls certificates
enrolls CRLs
supports two different revocation methods
searches certificates
tests user certificates in browsers (Microsoft Internet Explorer and Netscape Communicator and Navigator 4.7x)
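Two of the items above, creating a key and request for an administrator who cannot do it himself and receiving a PEM-formatted PKCS#10 request from a server, are illustrated by the following added example. It is not OpenCA code: it uses the openssl command line, assumes the openssl binary is on PATH, and the subject, file names and the 2048-bit policy minimum are assumptions made for the example. The checks it performs before a request is accepted are the ones a CA or RA needs: the request must parse, its self-signature must verify (so the submitter actually holds the private key), and the key size must meet policy.

```sh
#!/bin/sh
# Added example, not part of OpenCA: create a client-independent private key
# and PEM PKCS#10 request with the openssl command line (what the public
# interface does for administrators who cannot do it themselves), and check a
# received request the way a CA/RA should before it is enrolled.
# Assumes the openssl binary is on PATH; subject, file names and the policy
# minimum key size are constructed for this example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl binary required" >&2; exit 1; }

# Create a fresh RSA key and a PKCS#10 request for it (no passphrase on the
# key, as an unattended server would use it).
make_request() {
  subject="$1"; key="$2"; csr="$3"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -subj "$subject" \
    -out "$csr" >/dev/null 2>&1
}

# Proof of possession: the request must parse as PKCS#10 and its
# self-signature must verify with the public key it carries.
verify_request() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Size of the public key in the request, in bits (empty if it cannot be read).
key_bits() {
  openssl req -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Policy gate for a request received from a server: returns 0 and prints the
# subject if the request may be enrolled, 1 otherwise.
accept_request() {
  csr="$1"; min_bits="${2:-2048}"
  if ! verify_request "$csr"; then
    echo "REJECT: not a valid PKCS#10 or self-signature failure: $csr" >&2
    return 1
  fi
  bits="$(key_bits "$csr")"
  if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
    echo "REJECT: key size ${bits:-unknown} below policy minimum $min_bits" >&2
    return 1
  fi
  echo "ACCEPT: $(openssl req -in "$csr" -noout -subject) with $bits bit key"
}

# Flip one base64 character in the request body (first character of the
# third line) to simulate a request altered between the server and the CA.
tamper() {
  awk 'NR==3 { c=substr($0,1,1); $0=(c=="A"?"B":"A") substr($0,2) } { print }' \
    "$1" > "$2"
}

# Demonstration on constructed data: a fresh request passes, the tampered
# copy is rejected. Returns 0 only if both outcomes are as expected.
demo() {
  dir="$1"
  make_request "/CN=www.example.org" "$dir/server.key" "$dir/server.csr"
  tamper "$dir/server.csr" "$dir/tampered.csr"
  accept_request "$dir/server.csr" || return 1
  if accept_request "$dir/tampered.csr" 2>/dev/null; then
    echo "tampered request was accepted!" >&2
    return 1
  fi
  return 0
}

demo "$(mktemp -d)"
```

The signature check is what makes the PKCS#10 format useful for unattended submission: without it, anyone who can reach the public interface could submit a request carrying somebody else's public key and a name of their choosing.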