Definition

What is a registration authority (RA)?

A registration authority (RA) is an entity that is authorized to verify user requests for a digital certificate and also to tell a certificate authority (CA) to issue that certificate to the user. RAs are an important part of a public key infrastructure (PKI), a networked system that enables companies and users to exchange information and money safely and securely. The digital certificate issued by the CA -- after verification by the RA -- contains a public key that the user can apply to encrypt and decrypt messages and digital signatures.

Understanding the role of a registration authority

The RA cannot create or issue a certificate; this is the sole responsibility of the CA. This segregation of responsibility is important for security purposes. In the PKI system, RAs typically perform the following tasks:

  • Receive user or device certificate requests.
  • Validate users or devices.
  • Authenticate users or devices.
  • Revoke credentials if the certificate is no longer valid.

RAs implement proven business logic and methods to verify users' certificate requests. During verification, they can check the applicant's identity and other information that will be included on the digital certificate.

Once the verification is completed, the RA forwards the certificate request to the CA. The RA provides a signed statement confirming that it completed the user's authentication and has confirmed the user's identity. The CA then validates the RA's message and completes the digital certificate request process. The issued certificate validates the certificate holder's identity (and that it has been certified) and includes the key that will allow the holder to encrypt and decrypt messages in digital communications.

[Figure: Info box outlining the core components of public key infrastructure. Caption: To ensure secure communications and data protection in a networked system, PKI has four core components.]

How do RAs work?

When a user or device requests a digital certificate to prove its authenticity in digital communications, a process must be in place to verify the requester's identity. Thus, the requester's first step in this process is to gain permission through a registration authority service.

The requester's certificate request is sent to the PKI's RA to verify that the requester has the right to request the certificate. The RA verifies the user's (or device's) identity and processes authentication credentials. The RA's involvement in the authentication process relieves the CA of this burden, so the CA can focus on issuing the certificate.

If everything checks out, the RA forwards the certificate request to the CA to process. The CA then issues the digital certificate directly to the requesting user or device. If the RA denies the request, the requester is not permitted to continue the certificate request process. The RA functions as a proxy between the user and the CA.

A successful digital certificate request process happens in the following order:

  1. A user attempting to access a certificate-backed website requests the certificate from the CA. This request is sent to the web server.
  2. The web server forwards the certificate request to the RA.
  3. The RA decides if the user is allowed to receive a certificate.
  4. If the RA grants the request, it is passed to the CA, which generates the digital certificate.
  5. The CA sends the digital certificate directly to the user to complete the certificate issuance process.
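The hand-off described above, in which the RA vets the requester, sends a signed statement and the CA validates it before issuing, can be sketched as follows. This is an added example, not code from the original page or from any PKI product; it assumes HMAC-SHA256 under a key shared by RA and CA as a stand-in for the RA's signature, and every name in it (`ra_review`, `ca_issue`, `ENROLLED`, the sample requester) is hypothetical.

```python
import hashlib, hmac, json

# Assumption: HMAC-SHA256 under a key shared by RA and CA stands in for the RA's signature.
RA_KEY = b"constructed-demo-key"
# Constructed enrollment records the RA vets requesters against.
ENROLLED = {"alice@example.com": "badge-4711"}

def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def _tag(body: dict) -> str:
    return hmac.new(RA_KEY, _canon(body), hashlib.sha256).hexdigest()

def csr_digest(csr: dict) -> str:
    """Digest that binds an approval to one exact request (subject and public key)."""
    return hashlib.sha256(_canon(csr)).hexdigest()

def ra_review(csr: dict, proof: str):
    """RA: vet the requester. Return a signed approval, or None if denied."""
    expected = ENROLLED.get(csr["subject"])
    if expected is None or not hmac.compare_digest(expected, proof):
        return None  # denied: the request never reaches the CA
    body = {"csr_sha256": csr_digest(csr), "decision": "approved"}
    return {"body": body, "tag": _tag(body)}

def ca_issue(csr: dict, statement) -> dict:
    """CA: issue only if the RA statement is authentic and covers this exact CSR."""
    if statement is None:
        raise PermissionError("no RA approval")
    if not hmac.compare_digest(_tag(statement["body"]), statement["tag"]):
        raise PermissionError("RA statement failed verification")
    if statement["body"].get("decision") != "approved":
        raise PermissionError("RA did not approve")
    if statement["body"].get("csr_sha256") != csr_digest(csr):
        raise PermissionError("approval does not match this request")
    return {"subject": csr["subject"], "public_key": csr["public_key"], "issuer": "Demo CA"}

def try_issue(csr: dict, statement) -> str:
    """Run the CA step and report the outcome as a string."""
    try:
        return "issued to " + ca_issue(csr, statement)["subject"]
    except PermissionError as exc:
        return f"refused: {exc}"

if __name__ == "__main__":
    csr = {"subject": "alice@example.com", "public_key": "constructed-key-A"}
    approval = ra_review(csr, "badge-4711")
    print(try_issue(csr, approval))                                # approved request
    print(try_issue({**csr, "public_key": "swapped"}, approval))   # altered after approval
    print(try_issue(csr, None))                                    # RA bypassed
```

Because the approval carries a digest of the request, the CA refuses a request whose public key was changed after the RA vetted it, even though the RA's statement itself is authentic.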

What is a local registration authority (LRA)?

A local RA is typically responsible for a local community, such as an organization, a branch, a department or a region. By operating in a smaller, more localized context, LRAs facilitate more nuanced and tailored management of standards compliance. Additionally, the limited focus area of LRAs allows them to be more responsive to the unique needs of the stakeholders within that specific community.

By offloading certain responsibilities to one or more LRAs -- including the preliminary assessment of applications for digital identifiers -- central RAs can more easily distribute and manage those identifiers, and maintain the rigor of the identifier distribution/management process. This is important to ensure that certificate-requesting entities properly comply with relevant standards and establish a trusted digital environment. The initial vetting of applications by the LRA also speeds up the final processing of the certificate request by the centralized RA.

LRAs also provide support and guidance to further help entities comply with security standards. Since LRAs understand the local context and challenges, they are better able to troubleshoot and resolve issues, as well as help entities navigate the complexities of compliance. In doing so, LRAs help not only to ensure standards compliance, but also to strengthen the security of the overall digital ecosystem.

What is the difference between certificate authority and registration authority?

A registration authority can be thought of as a gatekeeper to a certificate authority. In order to be issued a certificate, the requesting user or device must first register with the RA and fulfill the necessary requirements, including identity and authentication checks. The request comes in the form of a certificate signing request. The checks performed by the RA are critical to verify the requester's identity and, therefore, prevent fraud.

Only after the RA successfully validates the requester's identity can the certificate request be forwarded to the CA. Once the CA receives this request, it is its responsibility to issue the digital certificate to the requesting user or device. This electronic document can be validated against the CA's public key to ensure its validity for use in digital communications and transactions.

The connection between CA, RA and DRA

A registration authority works as a trusted agent or intermediary for the CA to collect the information necessary to verify the identity and other details of a certificate-requesting user. The RA's role is to authenticate the identity of a certificate-requesting entity, and the CA's role is to accept the RA's request, process it, and issue the certificate to the requester. Both the CA and RA are trusted entities that are crucial to the functioning and security of the digital world.

A delegate registration authority (DRA) acts on behalf of an RA -- although it can also act on behalf of a CA -- to authenticate a requester's identity. It might also be called upon by a CA or RA to revoke an existing certificate.

This was last updated in May 2025
