[Users] TLS - certificate infrastructure

Hi everybody, I want to test openser 0.10.x and its TLS capabilities. Therefore I plan to install two proxies, sip.atlanta.com and sip.biloxi.com. Two users, alice(a)atlanta.com and sip.biloxi.com, should communicate over the two proxies secured by TLS. The UAs are snom360 phones. ------------------- ----------------- ----------------- ----------------- | alice(a)atlanta.com | <-------> | sip.atlanta.com | <-------> | sip.biloxi.com | <-------> | bob(a)biloxi.com | ------------------- ----------------- ----------------- ----------------- Mutual authentication should take place between the UAC and the outbound proxy, the two proxies and between the inbound proxy and the UAS. The problem is that I am not sure about the organisation of the certificate's infrastructure. I don't know which would be the best solution to implement. So please look at my suggestions and feel free to you make your comments. 1.. user certificate for alice(a)atlanta.com 2.. server certificate for sip.atlanta.com 3.. server certificate for sip.biloxi.com 4.. user certificate for bob.biloxi.com The root certificate is self signed (Does this work with openser?) a.) One common CA (=root) signs all components. ----------- | CA | ----------- / / \ \ / / \ \ / | | \ --- --- --- --- |1| |2| |3| |4| --- --- --- --- b.) Tow separate CAs (= each one's root) sign their proxy and UA. Mutual import of the other domains root certificate takes place. ----- ----- |CA A | |CA B | ----- ----- / \ / \ --- --- --- --- |1| |2| |3| |4| --- --- --- --- c.) One common root signs two CAs which sign their proxy and UA. ----------- | root-cert | ----------- / \ / \ ----- ----- |CA A | |CA B | ----- ----- / \ / \ --- --- --- --- |1| |2| |3| |4| --- --- --- --- Thank you very much for your help! regards, Philipp