CA Organisation 
---------------

The Perl scripts in the cgi-bin and scepd directories implement CA
functions. The use a directory layout similar to what the OpenSSL
demoCA uses. Inside the top level data directory fixed during
configure time, usually /usr/local/lib/openscep, the following files
and directories are found

	serial.txt	serial number of most recently issued certificate
	cacert.pem	CA certificate
	certs/		certificates issued by this CA, by serial number
	scepcerts/	certificate issued by this CA, by transaction id
			which must be the key fingerprint (symbolic links)
	pending/	pending requests
	granted/	requests granted
	rejected/	requests rejected
	revoked/	stores certificates revoked by the CA

When a request for a certificate comes in, it is stored in the pending
directory. The CGI-program authorize.pl shows a list a pending requests
and offers the user the opportunity to grant or deny the request. The
same program then either issues the certificate using standard openssl
functions or moves the request to the reject directory. A program answering
a SCEP client's request for the certificate can thus simply check the
reject directory for an entry matching the request. The same is true
for certificates: after certificates have been granted, they are stored
in the directory certs, linked from scepcerts and stored in the LDAP
directory.

In particular, the CA operations do the following:

1. Enrollment request (PKCSReq SCEP request)

	- adds a PKCS10 request to the directory pending
	- adds a description of the SCEP requests (transaction id, nonces,
	  etc) to the pending directory

2. Certificate grant (From CGI)

	- creates the certificate, stores it under the serial number in
	  the directory /certs
	- creates a link with the name of the transaction id (key finger-
	  print) in scepcerts
	- moves the request and the description file to the granted/
	  directory
	- stores the certificate in the LDAP directory

3. Certificate reject (From CGI)

	- moves the request to the rejected/ directory
	- a cron job cleans out old requests from this directory

4. GetCertInitial request (SCEP Request)

	- looks in rejected/ whether request has been rejected
	- looks in scepcerts/ whether request has been granted
	- returns certificate to caller

5. GetCert request (SCEP Request)

	- looks in granted/ whether this certificate exists
	- returns certificate if found

6. Certificate revocation (From CGI)

	- marks the certificate as revoked in index.txt
	- rebuilds the CRL
	- stores the new CRL in the LDAP directory

--
$Id: CA,v 1.3 2001/03/05 17:47:07 afm Exp $