OpenCA's workflow is strongly centered on the private key. This means that all objects that deal with the same public/private key pair should be connected to each other. The reason is that the most dangerous event is a key compromise. If only a single certificate is wrong, we have no problem, but if a key is compromised, all requests and certificates connected to this key are affected.
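The difference between a single wrong certificate and a key compromise can be shown with a small key index. This is an added illustration, not OpenCA code: the object records, status names, action strings and the `key_id`, `build_key_index`, `revoke_certificate` and `compromise_key` helpers are all assumptions made for the example.

```python
import hashlib
from collections import defaultdict

def key_id(public_key_bytes):
    """Fingerprint that links every object built on the same key pair."""
    return hashlib.sha256(public_key_bytes).hexdigest()[:16]

# Constructed sample data: two key pairs, key A is reused for a renewal.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"
OBJECTS = [
    {"type": "request", "id": "req-1", "status": "approved", "key": KEY_A},
    {"type": "certificate", "id": "cert-1", "status": "expired", "key": KEY_A},
    {"type": "request", "id": "req-2", "status": "pending", "key": KEY_A},
    {"type": "certificate", "id": "cert-2", "status": "valid", "key": KEY_A},
    {"type": "request", "id": "req-3", "status": "approved", "key": KEY_B},
    {"type": "certificate", "id": "cert-3", "status": "valid", "key": KEY_B},
]

def build_key_index(objects):
    """Connect requests and certificates through the key they share."""
    index = defaultdict(list)
    for obj in objects:
        index[key_id(obj["key"])].append(obj)
    return index

def revoke_certificate(objects, cert_id):
    """A single wrong certificate: only that one object is touched."""
    return [(o["id"], "revoke") for o in objects
            if o["type"] == "certificate" and o["id"] == cert_id
            and o["status"] == "valid"]

def compromise_key(index, public_key_bytes):
    """Key compromise: every object linked to the key needs an action."""
    actions = []
    for obj in index.get(key_id(public_key_bytes), []):
        if obj["type"] == "certificate" and obj["status"] == "valid":
            # keyCompromise is the standard CRL reason code (RFC 5280).
            actions.append((obj["id"], "revoke (reason: keyCompromise)"))
        elif obj["type"] == "request" and obj["status"] == "pending":
            actions.append((obj["id"], "reject"))
        else:
            actions.append((obj["id"], "flag for review"))
    return actions

if __name__ == "__main__":
    print(revoke_certificate(OBJECTS, "cert-2"))
    for action in compromise_key(build_key_index(OBJECTS), KEY_A):
        print(action)
```

Without the key index, the pending renewal request `req-2` would not be found from `cert-2` alone, and a new certificate could still be issued for the compromised key.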
There is sometimes confusion about the status of OpenCA objects. The following figure shows the complete life cycle of all OpenCA objects. If the figure is incomplete, if you find a mistake, or if you don't understand something, please contact openca-users@lists.sf.net
Document generated: 2005-08-05T17:53+0200