Requesting A Certificate
Within the PKI, the CA's role is well defined: it operates in conjunction with a registration authority (RA). The RA role or function makes the actual decisions about who may receive certificates and who may not. The RA "owns" the records that establish the proof of identity and the rights of certificate users. Usually, the RA function is performed in one of two basic ways.
Requests for certificates typically come in via Web forms operating at the CA site. The CA then forwards the information presented on the form to the RA. The RA checks its databases to see whether the requester has properly identified themselves; if so, the request is approved and returned to the CA, which generates the completed certificate and returns it to the requester. Normally, the CA does not operate the systems that identify requesters, so it must rely on the RA to do that for it. These RA systems may be completely manual, completely automated, or somewhere in between. Where manual intervention is required, the issuance process has lag time built in, requiring a wait between the request and the actual issuance. In those cases, an e-mail is sent when the certificate is complete, notifying the requester that their certificate is ready for pick up. Requesters then log back on to the CA Web site, download their certificate and install it. If the systems are automated, the entire process may be completed in a single session.
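The division of duties described above, as an added example that is not part of the original article: the RA alone holds the identity records and decides, the CA issues only on an RA approval it can authenticate, and a request needing manual review sits in a queue until an operator releases it. The record data, the shared approval key and the dict standing in for a signed X.509 certificate are all assumptions made for this example.

```python
import hmac, hashlib, json, secrets

# Constructed sample data: the identity records the RA owns (hypothetical).
RA_RECORDS = {
    "alice@example.com": {"account": "4111-0001", "manual_review": False},
    "bob@example.com":   {"account": "4111-0002", "manual_review": True},
}
RA_KEY = secrets.token_bytes(32)  # assumed secret shared by RA and CA to authenticate approvals
PENDING = {}  # request_id -> approval awaiting an RA operator (the "lag time" case)

def _mac(approval):
    """Authenticate an approval so the CA can tell a genuine RA decision from a forged one."""
    msg = json.dumps(approval, sort_keys=True).encode()
    return hmac.new(RA_KEY, msg, hashlib.sha256).hexdigest()

def ra_review(request):
    """RA compares the submitted proof of identity with its own records.
    Returns ("approved", signed_approval), ("pending", None) or ("rejected", None)."""
    rec = RA_RECORDS.get(request["subject"])
    if rec is None or rec["account"] != request["proof"]["account"]:
        return "rejected", None
    approval = {"request_id": request["id"], "subject": request["subject"]}
    if rec["manual_review"]:
        PENDING[request["id"]] = approval  # an operator must release it later
        return "pending", None
    return "approved", {"approval": approval, "mac": _mac(approval)}

def ra_operator_release(request_id):
    """Manual step: an RA operator signs off on a queued request."""
    approval = PENDING.pop(request_id)
    return {"approval": approval, "mac": _mac(approval)}

def ca_issue(request, signed_approval):
    """CA never checks identity itself; it issues only on an authentic RA approval
    that names this exact request. Certificate signing is abstracted to a dict."""
    if signed_approval is None:
        return None
    approval = signed_approval["approval"]
    if not hmac.compare_digest(_mac(approval), signed_approval["mac"]):
        return None  # tampered or forged approval
    if approval["request_id"] != request["id"] or approval["subject"] != request["subject"]:
        return None  # approval bound to a different request; cannot be replayed
    return {"serial": secrets.token_hex(8), "subject": request["subject"],
            "issuer": "Example CA", "status": "issued"}

def notify(request, cert):
    """Stand-in for the e-mail telling the requester the certificate is ready for pick up."""
    return f"To {request['subject']}: certificate {cert['serial']} is ready for pick up"
```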
In the examples that follow, the requests for identifying information are minimal (just enough to demonstrate the technique), but in the real world, identifying information is very specific to the application. For example, a request for a credit card digital certificate may require the name, account number and any special numbers that appear on the card itself, and may even ask for the mother's maiden name or other information presumably only the actual requester possesses.