What is an RA?

A Registration Authority (RA) is used to enroll new users into a PKI. It gives the organization the option of separating the enrollment (subscription) process from the certificate issuance process.

RAs are responsible for vetting certificate requests: checking that the requester is who they claim to be and is entitled to the certificate being requested. Once a request is approved, the RA forwards it to the CA, and the CA creates the digital certificate. Either the CA or the RA may then distribute the certificate to the user.

An RA is an entity dedicated to user registration and to accepting requests for certificates. It is an optional component of a PKI. In general, the CA can delegate management functions to the RA; for example, the RA may verify the identity of applicants, report revoked certificates, or archive key pairs.

In practice many CAs perform these same tasks themselves, and some PKI products do not have separate CA and RA components at all.

In a distributed environment, RAs help build more scalable implementations because they let an organization spread the enrollment functionality across the network: several RAs, possibly on different sites, can operate under the control of a single CA. Using RAs this way also adds complexity to the architecture, since each RA must itself be certified by and trusted by the (root) CA, and any RA that is compromised can get fraudulent requests approved for every certificate type it is allowed to handle, so the RA's own credentials need protecting as carefully as the CA's issuance policy.

Functions

An RA supports these functions:

  • Accepting and verifying registration information about new users.
  • Generating keys on behalf of end users (when the RA does this, the private key has to be delivered to the user over a protected channel, and such a key cannot give the same non-repudiation guarantee as one the user generated).
  • Accepting and authorizing requests for key backup and recovery.
  • Accepting and authorizing requests for certificate revocation.
  • Distributing and recovering hardware devices such as tokens.

An RA is, more or less, a convenience for end users: it acts as an intermediate entity between the CA and the end users, assisting the CA in common certificate processing functions. It makes sense when there is a large number of end users within a distributed organization. A CA can delegate the authority to accept registration information to a local RA; because the CA then no longer has to be reachable by every applicant, it can be kept offline, which increases the security of the PKI.
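The enrollment flow described above (the RA vets the request and only approved requests reach the CA, which does the issuing), as an added example that is not part of this page or of any particular PKI product. It uses the Python `cryptography` library. The registration records, the names, and the `ra_vet`, `enrol` and `CertificateAuthority` helpers are hypothetical and constructed for this illustration. The RA checks proof of possession of the private key (the CSR's self-signature), that the requested CN matches a record the RA has already vetted, and that the subscriber has not chosen other subject attributes for itself; the CA never reads the registry and copies only the subject and public key from an approved CSR, setting serial, validity and extensions itself.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Constructed RA registration records (hypothetical): what the RA has already
# vetted out of band, e.g. by in-person identity proofing.
REGISTRY = {
    "alice.example.test": {"org": "Example Org", "vetted": True},
    "bob.example.test": {"org": "Example Org", "vetted": False},  # proofing pending
}


def gen_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_csr(key, cn, org):
    """Subscriber side: the private key stays with the subscriber; only the CSR travels."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, org)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())


def subject_cn(obj):
    """CN of a certificate or CSR subject (assumes exactly one CN is present)."""
    return obj.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def ra_vet(csr, registry=REGISTRY):
    """RA policy (hypothetical): returns (approved, reason). The RA signs nothing;
    it only decides whether a request may be forwarded to the CA."""
    # 1. Proof of possession: the CSR must be signed by the key it carries.
    if not csr.is_signature_valid:
        return False, "CSR signature invalid: no proof of possession"
    # 2. Exactly one CN, and it must match a record whose vetting is complete.
    cns = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if len(cns) != 1:
        return False, "subject must carry exactly one CN"
    record = registry.get(cns[0].value)
    if record is None:
        return False, f"{cns[0].value} is not registered"
    if not record["vetted"]:
        return False, f"{cns[0].value} is registered but identity vetting is not complete"
    # 3. The subscriber does not get to choose its own organization: it must match the record.
    orgs = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)]
    if orgs != [record["org"]]:
        return False, "organization does not match the registration record"
    return True, "approved"


class CertificateAuthority:
    """Issuance side. Holds the signing key and sees only RA-approved CSRs."""

    def __init__(self, name="Example Issuing CA"):
        self.key = gen_key()
        self.name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
        now = datetime.datetime.now(datetime.timezone.utc)
        self.cert = (x509.CertificateBuilder()
                     .subject_name(self.name).issuer_name(self.name)
                     .public_key(self.key.public_key())
                     .serial_number(x509.random_serial_number())
                     .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
                     .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
                     .sign(self.key, hashes.SHA256()))

    def issue(self, csr, days=365):
        """Copy subject and public key from the approved CSR; the CA, not the
        subscriber, decides serial number, validity period and extensions."""
        now = datetime.datetime.now(datetime.timezone.utc)
        return (x509.CertificateBuilder()
                .subject_name(csr.subject).issuer_name(self.name)
                .public_key(csr.public_key())
                .serial_number(x509.random_serial_number())
                .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
                .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
                .sign(self.key, hashes.SHA256()))


def enrol(ca, csr, registry=REGISTRY):
    """End to end: RA vets, CA issues only what the RA approved. Returns (cert or None, reason)."""
    ok, reason = ra_vet(csr, registry)
    if not ok:
        return None, reason
    return ca.issue(csr), reason


def chains_to(cert, ca_cert):
    """Relying-party check: the certificate's signature verifies under the CA key."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


def tamper(csr):
    """Flip the last DER byte (inside the signature) so the CSR still parses
    but no longer proves possession of the private key."""
    raw = bytearray(csr.public_bytes(serialization.Encoding.DER))
    raw[-1] ^= 0x01
    return x509.load_der_x509_csr(bytes(raw))


if __name__ == "__main__":
    ca = CertificateAuthority()
    requests = [("alice.example.test", "Example Org"), ("bob.example.test", "Example Org"),
                ("eve.example.test", "Example Org"), ("alice.example.test", "Other Org")]
    for cn, org in requests:
        cert, why = enrol(ca, make_csr(gen_key(), cn, org))
        print(f"{cn:20} {org:12} -> {'issued' if cert else 'refused'}: {why}")
    cert, why = enrol(ca, tamper(make_csr(gen_key(), "alice.example.test", "Example Org")))
    print(f"tampered CSR -> {'issued' if cert else 'refused'}: {why}")
```

Run it as a plain script to see each request approved or refused with the RA's reason. The point of the design is the boundary: `CertificateAuthority` never touches `REGISTRY`, so the signing key can live on an offline or tightly controlled host while the RA handles applicants. What the script leaves out is the second trust relationship the text mentions, the CA authenticating the RA itself; in a real deployment the CA would only accept forwarded requests that the RA has countersigned with its own CA-issued credential.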