registration authority (RA)

What is registration authority (RA)?

A registration authority (RA) is an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it. RAs are part of a public key infrastructure (PKI), a networked system that enables companies and users to exchange information and money safely and securely. The digital certificate contains a public key that is used to encrypt and decrypt messages and digital signatures.

While the RA cannot create or issue a certificate -- as this is the sole responsibility of the CA -- it works as an intermediary for the CA to collect necessary information and to process the following tasks:

  • receive user or device certificate requests;
  • validate users or devices;
  • authenticate users or devices; and
  • revoke credentials if the certificate is no longer valid.

The main purpose of an RA is to ensure that a user or device is allowed to request a digital certificate from a specific website or application. If the request is allowed, the RA forwards the certificate request to the CA, which completes the digital certificate request process.

core components of public key infrastructure

How do RAs work?

When a user or device requests a digital certificate to fulfill secure access to a website or application, a process must be in place to ensure the requestor is allowed access. Thus, the requester's first step in this process is to gain permission through a registration authority service.

The certificate request is sent to the PKI's RA to verify that the requestor has the right to request the certificate. The RA verifies the identity of the user and device and processes authentication credentials. If everything checks out, the RA forwards the certificate request to the CA to process. The CA then issues the digital certificate directly to the requesting device. If the RA denies the request, the requesting user or device is not permitted to continue the certificate request process.

A successful digital certificate request process happens in the following order:

  1. A user attempting to access a certificate-backed website requests the certificate from the CA. This request is sent to the web server.
  2. The web server forwards the certificate request to the RA. The RA ensures the user is allowed to receive a certificate.
  3. If the RA grants the request, it is passed to the CA, which generates the digital certificate.
  4. The CA sends the digital certificate directly to the user to complete the process.
Digital request process for requesting device
This image shows the steps in the digital certificate request process.

What is the difference between certificate authority and registration authority?

A registration authority can be thought of as a gatekeeper to a certificate authority. In order to be issued a certificate, the requesting user or device must first register with the RA and fulfill the necessary requirements, including identity and authentication checks. This comes in the form of a certificate signing request.

Requests that are successfully registered by the RA are then forwarded to the CA, whose responsibility is to issue an electronic document called a certificate. This certificate is issued to the requesting user or device. The issued certificate can be validated against the CA's public key to ensure that the certificate is indeed valid and that the connection to the remote resource is trusted.

Managing digital certificates can be tedious and challenging as, on average, each employee in an organization is responsible for at least three certificates. Learn how certificate automation can help simplify this task.

This was last updated in December 2021

Continue Reading About registration authority (RA)

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing