A Registration Authority (RA) is used to enroll new users into a PKI. It gives the organization the option of separating the enrollment (subscription) process from the certificate issuance process.
RAs are responsible for vetting certificate requests. Once a request is approved, it is sent to the CA, which creates the requested digital certificate. Either the CA or the RA may distribute digital certificates to the user.
An RA is an entity dedicated to user registration and accepting requests for certificates. The RA is an optional component in the PKI. In general, the CA can delegate management functions to the RA. For example, the RA may perform personal authentication tasks, report revoked certificates or archive key pairs.
Generally, RAs are optional and many CAs perform these same tasks themselves. Some PKI products don't use separate CA and RA components.
In a distributed environment, RAs can make implementations more scalable because they allow organizations to distribute functionality across the network. RAs can be spread across an extended network while remaining under the control of a single CA. Using RAs in this manner can also introduce some complexity within the architecture, as each RA must be certified and trusted by the (root) CA.
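The split described above, as an added example that is not part of the original page: the RA vets a request, and the CA issues only when the approval comes from an RA it has certified and still matches the request contents. All names, records and keys are hypothetical and constructed, and an HMAC stands in for the RA's digital signature so the sketch needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed sample data: RA enrollment records and the per-RA keys the CA holds.
# Assumption: HMAC stands in for the RA's digital signature (stdlib only).
ENROLLED_USERS = {"alice@example.org": "employee-1001"}
CA_TRUSTED_RAS = {"ra-east": b"constructed-demo-key-east"}


def _digest(request):
    """Canonical hash of the request so an approval binds to its exact contents."""
    return hashlib.sha256(json.dumps(request, sort_keys=True).encode()).digest()


def ra_vet(ra_id, ra_key, request):
    """RA side: authenticate the subscriber, then approve the request for the CA."""
    if ENROLLED_USERS.get(request["subject"]) != request["proof_of_identity"]:
        return None  # vetting failed, nothing is forwarded to the CA
    tag = hmac.new(ra_key, _digest(request), hashlib.sha256).hexdigest()
    return {"ra_id": ra_id, "request": request, "approval": tag}


def ca_issue(submission):
    """CA side: issue only for requests approved by an RA the CA has certified."""
    if submission is None:
        return None
    key = CA_TRUSTED_RAS.get(submission["ra_id"])
    if key is None:
        return None  # this RA is not certified by the CA
    expected = hmac.new(key, _digest(submission["request"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, submission["approval"]):
        return None  # request changed after vetting, or the approval is invalid
    req = submission["request"]
    # A real CA would sign an X.509 certificate here; this returns its key fields.
    return {"subject": req["subject"], "public_key": req["public_key"],
            "vetted_by": submission["ra_id"]}


if __name__ == "__main__":
    request = {"subject": "alice@example.org",
               "proof_of_identity": "employee-1001",
               "public_key": "constructed-public-key"}
    print(ca_issue(ra_vet("ra-east", CA_TRUSTED_RAS["ra-east"], request)))
```
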
An RA supports these functions: