Working with Registration Authorities and Local Registration Authorities: A registration authority (RA) offloads some of the work from a CA. An RA system operates as a middleman in the process: It can distribute keys, accept registrations for the CA, and validate identities.
The RA doesn’t issue certificates; that responsibility remains with the CA.
Below shows and RA operating in San Francisco while the CA is located in Washington, D.C. The Seattle user obtains authorization for the session from the RA in San Francisco.
The Seattle user can also use the San Francisco RA to validate the authenticity of a certificate from a Miami user.
The arrows between the Seattle user and the RA server represent the certificate request from the remote user.
The RA has a communications link with the CA in Washington, D.C. Because the CA in Washington, D.C is closer, the Miami user will use it to verify the certificate.
An RA offloading work from a CA
A local registration authority (LRA) takes the process one step further. It can be used to identify or establish the identity of an individual for certificate issuance.
If the user in Seattle needs a new certificate, it would be impractical to fly back to Washington, D.C to get another one.
An LRA can be used to verify and certify the identity for the individual on behalf of the CA.
The LRA can then forward authentication documents to the CA to issue the certificate.
TIP: The primary difference between RA and an LRA is that the latter can be used to identify or establish the identity of an individual. The LRA involves the physical identification of the person requesting a certificate.
The next section provides more detail about certificates and their uses, including validating users, systems, and devices. A certificate also has certain characteristics that will be briefly explained.