In principle, you want certificate request and fulfillment processing to
occur within a single session (see "Growing A Tree Of Trust -- Part Two"
for an example). Doing so presupposes automated processing that can
obtain credentials from requesters, check them against legacy systems,
and forward the results to the CA along with the data that you want
contained in the certificate. If you choose instead to perform this work
off-line or in batch mode, certificate requests must operate under the
following process:
- Requester enters their request on the CA-supplied interface and
terminates their secure session
- Credentials are forwarded to the RA for batch or off-line
verification
- RA verification results are returned to the CA system
- CA initiates post-processing
- Requester of approved request receives an e-mail message from the CA
instructing them what to do
- Requester re-establishes a secure session with the CA
- Requester again proves their identity to satisfy the CA
- Requester downloads and stores their new certificate
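The eight steps above describe a state machine, and the property worth enforcing in code is that no step can be skipped: a certificate is only released in a fresh session, after the RA result has come back and the requester has proven identity a second time. The following is an added example written for this article, not code from the article or from any CA product; the legacy user store, the request identifiers and the certificate string are constructed stand-ins, and the RA check is modelled as a digest comparison against that store.

```python
"""Model of the batch / off-line RA workflow (added example, not from the article)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional
import hashlib
import hmac
import secrets


class State(Enum):
    SUBMITTED = auto()     # request entered on the CA interface, session closed
    AT_RA = auto()         # credentials forwarded to the RA for batch checking
    RA_APPROVED = auto()
    RA_REJECTED = auto()
    NOTIFIED = auto()      # CA post-processing done, e-mail sent to requester
    ISSUED = auto()        # certificate downloaded in a fresh, re-authenticated session


# The only legal transitions; anything else is a short cut and is refused.
ALLOWED = {
    State.SUBMITTED:   {State.AT_RA},
    State.AT_RA:       {State.RA_APPROVED, State.RA_REJECTED},
    State.RA_APPROVED: {State.NOTIFIED},
    State.NOTIFIED:    {State.ISSUED},
    State.RA_REJECTED: set(),
    State.ISSUED:      set(),
}


class WorkflowError(Exception):
    pass


@dataclass
class CertRequest:
    request_id: str
    subject: str
    credential_digest: str          # digest of the presented password, never the password
    submit_session: str             # session in which the request was entered (step 1)
    state: State = State.SUBMITTED
    download_token: Optional[str] = None
    certificate: Optional[str] = None
    history: list = field(default_factory=list)


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def _move(req: CertRequest, new_state: State, note: str) -> None:
    if new_state not in ALLOWED[req.state]:
        raise WorkflowError(f"{req.state.name} -> {new_state.name} not permitted")
    req.history.append((req.state.name, new_state.name, note))
    req.state = new_state


# Constructed stand-in for the legacy user store the RA checks against (hypothetical data).
LEGACY_USERS = {"alice": _digest("correct horse"), "bob": _digest("battery staple")}


# Step 1: requester submits on the CA interface; that session then terminates.
def submit_request(request_id: str, subject: str, password: str, session_id: str) -> CertRequest:
    return CertRequest(request_id, subject, _digest(password), session_id)


# Step 2: the CA hands a batch of requests to the RA.
def forward_to_ra(batch: list) -> None:
    for req in batch:
        _move(req, State.AT_RA, "forwarded for off-line verification")


# Steps 2-3: RA verifies each request against the legacy store and returns results.
def ra_verify(batch: list) -> dict:
    results = {}
    for req in batch:
        expected = LEGACY_USERS.get(req.subject)
        ok = expected is not None and hmac.compare_digest(expected, req.credential_digest)
        _move(req, State.RA_APPROVED if ok else State.RA_REJECTED, "RA result returned")
        results[req.request_id] = ok
    return results


# Steps 4-5: CA post-processing; approved requesters get a notification e-mail.
def ca_post_process(batch: list) -> list:
    mails = []
    for req in batch:
        if req.state is State.RA_APPROVED:
            req.download_token = secrets.token_urlsafe(16)   # single-use, bound to this request
            _move(req, State.NOTIFIED, "e-mail sent")
            mails.append({"to": req.subject, "request_id": req.request_id, "token": req.download_token})
    return mails


# Steps 6-8: requester returns in a NEW session, proves identity again, then downloads.
def download_certificate(req: CertRequest, session_id: str, password: str, token: str) -> str:
    if session_id == req.submit_session:
        raise WorkflowError("must re-establish a fresh secure session")
    if req.state is not State.NOTIFIED:
        raise WorkflowError("request not ready for download")
    if not hmac.compare_digest(_digest(password), req.credential_digest):
        raise WorkflowError("identity not re-proven")
    if req.download_token is None or not hmac.compare_digest(token, req.download_token):
        raise WorkflowError("invalid or already used download token")
    req.download_token = None                                   # token cannot be replayed
    req.certificate = f"CERT(subject={req.subject}, request={req.request_id})"  # placeholder
    _move(req, State.ISSUED, "certificate downloaded")
    return req.certificate


def run_demo():
    a = submit_request("r1", "alice", "correct horse", "sess-1")
    b = submit_request("r2", "bob", "wrong password", "sess-2")
    batch = [a, b]
    forward_to_ra(batch)
    results = ra_verify(batch)
    mails = ca_post_process(batch)
    cert = download_certificate(a, "sess-9", "correct horse", mails[0]["token"])
    return results, a.state, b.state, cert


if __name__ == "__main__":
    print(run_demo())
```

The transition table is what makes the "no short cutting" rule checkable: a download attempt before the RA result, a download in the original session, or a replayed token all raise `WorkflowError` rather than silently issuing a certificate.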
In the absence of online RA functionality, no other scenario is
possible. This illustrates why the APIs into the CA systems are
critical to PKI success. At small volumes, a manual RA function may
work fine, but it will not scale up as certificate popularity
increases. Furthermore, there's no short cutting the process -- doing
so requires relinquishing some control over your internal corporate
data. Extra careful thought is required here...
CAs will also expect from you a high degree of technical readiness for
certificate uses. This often requires robust directory services like
LDAP and interfaces to systems that support digital certificates as an
alternative to user ids and passwords. If you intend to use SmartCards
(see SmartCards For Smarter E-commerce), you'll further need capable
reader devices on all PCs that support system access.
Remember -- what you're truly building here is an infrastructure from
the ground up -- don't try to find shortcuts!