Definition

What is a registration authority (RA)?

By

Rahul Awati
Andrew Froehlich, West Gate Networks

A registration authority (RA) is an entity that is authorized to verify user requests for a digital certificate and also to tell a certificate authority (CA) to issue that certificate to the user. RAs are an important part of a public key infrastructure (PKI), a networked system that enables companies and users to exchange information and money safely and securely. The digital certificate issued by the CA -- after verification by the RA -- contains a public key that the user can apply to encrypt and decrypt messages and digital signatures.

Understanding the role of a registration authority

The RA cannot create or issue a certificate; this is the sole responsibility of the CA. This segregation of responsibility is important for security purposes. In the PKI system, RAs typically process the following tasks:

Receive user or device certificate requests.
Validate users or devices.
Authenticate users or devices.
Revoke credentials if the certificate is no longer valid.

RAs implement proven business logic and methods to verify users' certificate requests. During verification, they can check the applicant's identity and other information that will be included on the digital certificate.

Once the verification is completed, the RA forwards the certificate request to the CA. The RA provides a signed statement confirming that it completed the user's authentication and has confirmed the user's identity. The CA then validates the RA's message and completes the digital certificate request process. The issued certificate validates the certificate holder's identity (and that it has been certified) and includes the key that will allow the holder to encrypt and decrypt messages in digital communications.

Info box outlining core components of public key infrastructure. — To ensure secure communications and data protection in a networked system, PKI has four core components.

How do RAs work?

When a user or device requests a digital certificate to prove its authenticity in digital communications, a process must be in place to verify the requester's identity. Thus, the requester's first step in this process is to gain permission through a registration authority service.

The requester's certificate request is sent to the PKI's RA to verify that the requester has the right to request the certificate. The RA verifies the user's (or device's) identity and processes authentication credentials. The RA's involvement in the authentication process relieves this burden from the CA, which can then focus on issuing the certificate.

If everything checks out, the RA forwards the certificate request to the CA to process. The CA then issues the digital certificate directly to the requesting user or device. If the RA denies the request, the requester is not permitted to continue the certificate request process. The RA functions as a proxy between the user and the CA.

A successful digital certificate request process happens in the following order:

A user attempting to access a certificate-backed website requests the certificate from the CA. This request is sent to the web server.
The web server forwards the certificate request to the RA.
The RA decides if the user is allowed to receive a certificate.
If the RA grants the request, it is passed to the CA, which generates the digital certificate.
The CA sends the digital certificate directly to the user to complete the certificate issuance process.

What is a local registration authority (LRA)?

A local RA is typically responsible for a local community, such as an organization, a branch, a department or a region. By operating in a smaller, more localized context, LRAs facilitate more nuanced and tailored management of standards compliance. Additionally, the limited focus area of LRAs allows them to be more responsive to the unique needs of the stakeholders within that specific community.

By offloading certain responsibilities to one or more LRAs -- including the preliminary assessment of applications for digital identifiers -- central RAs can more easily distribute and manage those identifiers, and maintain the rigor of the identifier distribution/management process. This is important to ensure that certificate requesting entities properly comply with relevant standards and establish a trusted digital environment. The initial vetting of applications by the LRA also speeds up the final processing of the certificate request by the centralized RA.

LRAs also provide support and guidance to further help entities comply with security standards. Since the LRA understands the local context and challenges, they are better able to troubleshoot and resolve issues, as well as help entities navigate the complexities of compliance. In doing so, LRAs help to not only ensure standards compliance, but also to strengthen the security of the overall digital ecosystem.

What is the difference between certificate authority and registration authority?

A registration authority can be thought of as a gatekeeper to a certificate authority. In order to be issued a certificate, the requesting user or device must first register with the RA and fulfill the necessary requirements, including identity and authentication checks. This comes in the form of a certificate signing request. The checks performed by the RA are critical to verify the requester's identity and, therefore, prevent fraud.

Only after the RA successfully validates the requester's identity can the certificate request be forwarded to the CA. Once the CA receives this request, it is its responsibility to issue the digital certificate to the requesting user or device. This electronic document can be validated against the CA's public key to ensure its validity for use in digital communications and transactions.

The connection between CA, RA and DRA

A registration authority works as a trusted agent or intermediary for the CA to collect the information necessary to verify the identity and other details of a certificate requesting user. The RA's role is to authenticate the identity of a certificate requesting entity, and the CA's role is to accept the RA's request, process it, and issue the certificate to the requester. Both the CA and RA are trusted entities that are crucial to the functioning and security of the digital world.

A delegate registration authority (DRA) acts on behalf of an RA -- although they can also act on behalf of a CA -- to authenticate a requester's identity. They might also be called upon by a CA or RA to revoke an existing certificate.

Managing digital certificates can be tedious and challenging. Learn how certificate automation can help simplify this task.

This was last updated in May 2025

Continue Reading About What is a registration authority (RA)?

Prepare for quantum to fundamentally change PKI effectiveness

Types of PKI certificates and their use cases

The benefits and challenges of managed PKIs

Use these user authentication types to secure networks

Roll out IoT device certificates to boost network security

Dig Deeper on Identity and access management

Search Networking

How AIOps enables next-generation networking
As networks grow more complex, management becomes more difficult. AIOps can help network administrators transition to and manage ...
BGP routing: A configuration and troubleshooting tutorial
BGP is the internet's core routing protocol, enabling communication between ISPs and large networks. This guide covers its ...
Cisco Live 2025 conference coverage and analysis
Cisco Live 2025 will largely focus on the need to modernize infrastructure with AI capabilities. Use this guide to follow along ...

Search CIO

Proposed U.S. budget cuts raise fears about tech innovation
President Donald Trump's proposed FY 2026 budget slashes funding for federal agencies, including NSF and NIST, which support tech...
RIT showcase offers glimpse of early tech innovation cycle
Connected vehicle security, AI and 3D printing were among the technologies featured at Imagine RIT, an annual exhibition focusing...
Contempt order worsens Apple's antitrust woes
A federal judge found Apple to be in contempt of an injunction ordering the company to make access to alternative payment options...

Search Enterprise Desktop

How to create a custom Windows 11 image with Hyper-V
When administrators can deploy Windows systems in many ways, creating a custom VM with Hyper-V enables them to efficiently deploy...
End users can code with AI, but IT must be wary
The scale and speed of generative AI coding -- known as vibe coding -- are powerful, but users might be misapplying this ...
10 troubleshooting steps for when Windows Update is frozen
When a Windows desktop is frozen and can't update, there could be many causes. The troubleshooting process can be complicated, ...

Search Cloud Computing

Get started with Amazon Q Developer
Amazon Q Developer is a versatile tool for software development, offering code generation, optimization recommendations and ...
HPE adds Morpheus Data to KVM hypervisor for enterprises
A KVM hypervisor by Hewlett-Packard Enterprise evolves with technology and capabilities from Morpheus Data, an HPE acquisition, ...
Gain insights with Enhanced Monitoring in Amazon RDS
RDS Enhanced Monitoring provides teams with additional data visibility to improve database scalability, performance, availability...

ComputerWeekly.com

Connectivity kicks in for Sunderland at the Stadium of Light
Sunderland AFC enhances high-demand density connectivity coverage, capacity and performance across stadium involving leading ...
Chinese cyber spooks lure laid-off US government workers
A Washington DC-based think tank has published evidence that Chinese intelligence services have been running a network of digital...
Trump visit bolsters Saudi AI
A new AI datacentre is among the initiatives the White House announced during the president’s Middle East visits

Close