I apologize in advance if this has been already thoroughly answered elsewhere, so please point me to a link if that's the case. I'm under the impression that OpenSSL isn't a scalable solution for managing a PKI for a large number of clients (10,000+) since it's primarily a crypto library and there aren't any real tools for managing certificates.

I only have a superficial understanding of certificates / asymmetric crypto / hashes / signatures, etc. However, I read some old articles which mention that it doesn't compare with other PKI management solutions (Red Hat Certificate System?). Why is this so? Can one not set up scripts for making revocations, CSR generations, signing, etc. easier?

My plan is to build a root CA, create some intermediary signing CAs, then offline the root for security. I'm assuming that's a common implementation.

Sorry for the ignorance on my part. Thanks for any help you can lend.