I am experiencing some PKI comprehension issues:

1) When one talks about creating the "Trusted Root CA" is this different
from the "Signing CA"?
a. The Trusted Root CA's private key is hidden away from the world
(not on an internet accessible disk)
b. The signing CA does all the "real work"? By this I mean, is the
"Signing CA" now used to sign client certs, and other servers certs such
as SMTP, HTTP, RADIUS, SSL-VPN solution, etc.? Basically the Trusted
Root CA, has intermediary CAs do all the work?
c. Am I looking at a forest and planting an unnecessary trees? By
this I mean, what is the better practice, having the Trusted Root CA do
the signing of all certs, or attempting to establish this Trusted Root
CA - Signing CA - hierarchy? RFC 1422 seems to desire a CA hierarchy,
while RFCs 2459 and 3280 seem to argue that with x509v3 it is uncessary
- ack!?!

2) Is the file index.txt (and the associated brethren), given question 1
above, related to the Signing CA or the Trusted Root CA?
a. Should index.txt contain the serial number and cert of the
Trusted Root CA OR the serial number of the Signing CA?
b. Should the Signing CA (and any other intermediary CA) have its
own cert database?

3) Is there a How To, that is considered a definitive resource on the
matter, that discusses using OpenSSL to build out a RFC compliant PKI
hierarchy for someone who is sleep deprived due to an infant?
a. I have created CAs in the past and gotten plenty of this to work,
but now that I have to try to due a true PKI environment, I realize I
have more questions than knowledge.
__________________________________________________ ____________________
OpenSSL Project
User Support Mailing List
Automated List Manager