Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
The PKI entity that verifies certificate-requestor identities before a CA issues, defined in X.509 and RFC 5280 / NIST SP 800-32.
Registration Authority (RA) Definition: The PKI entity that verifies certificate-requestor identities before a CA issues, defined in X.509 and RFC 5280 / NIST SP 800-32.
A Registration Authority (RA) is the entity within a Public Key Infrastructure (PKI) that verifies the identity and attributes of certificate requestors before a Certificate Authority (CA) issues a certificate. The RA handles the administrative work of identity proofing and request validation, letting the CA focus on the cryptographic functions of signing and managing certificates.
In the PKI workflow, a requestor submits a certificate signing request to the RA. The RA authenticates the request, confirms the applicant's identity (through credentials, in-person checks, domain validation, or organizational records), and validates that the requested attributes are appropriate. Only after this approval does the RA forward the vetted request to the CA, which generates and signs the certificate. The RA never holds the CA's signing key; it acts as a trusted front end. These roles and the certificate path are defined in X.509, RFC 5280, and the PKI guidance in NIST SP 800-32.
The RA matters because identity proofing is the trust anchor of the entire PKI. A certificate is only as trustworthy as the verification behind it; if an RA issues approvals carelessly, an attacker can obtain a valid certificate for a domain or identity they do not control, enabling impersonation, man-in-the-middle attacks, or fraudulent code signing. Separating the RA from the CA also enforces separation of duties and lets the high-value CA stay offline and tightly protected.
For example, a large enterprise establishes an internal RA team that verifies employee identities and role attributes before requesting certificates from a third-party CA. When an engineer needs a certificate for a server, the RA confirms the request comes from an authorized administrator and that the hostname belongs to the organization, then forwards it to the CA for issuance, ensuring certificates go only to legitimate, properly authorized parties. Related terms: PKI, Certificate Authority, Digital certificate, Identity verification, Certificate enrollment, X.509, Identity proofing.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →