Registration Authority

A sophisticated toolbox for certificate enrollment

Registration Authority (RA) For EJBCA Enterprise

The EJBCA RA provides a sophisticated toolbox for enrollment of any certificate type. As an external entity to the Certificate Authority (CA), it allows for an additional layer of security around the CA.

Why use an RA? 

A Certificate Authority is a fine thing to have: it registers users, issues certificates, manages their life cycles and revokes them when needed. Yet a CA has no purpose without effective and secure means for its users, whether machines, people or software, to interact with its functionality. Human users need a graphical user interface through which they can submit a certificate request to the CA, while machines and applications use online protocols or APIs to automate the issuing process; both need the EJBCA Registration Authority. It is often desirable to physically separate the CA and the RA, allowing the CA to reside in a secure environment with minimal access, while the RA can reside in a DMZ or even be publicly accessible. In short, an RA is the CA’s face to the world.

Certificate Management

The EJBCA RA provides a sophisticated toolbox for a user to enroll for any certificate type, whether predefined or defined on the CA, either by submitting a Certificate Signing Request (CSR) to have a local key pair signed, or by requesting a certificate based on a key pair stored on the CA. An intuitive interface guides the user, whether an administrator or the end client, through the entire process. If certificate issuance can’t be immediate, users can either request to have their certificates delivered by e-mail or retrieve them from the RA at a later date using a retrieval code.

Request Management 

PrimeKey has implemented a brand new approval process where approvals can be defined as profiles, which can themselves be partitioned into segments to be approved by different administrators. Requests can be handled either on the CA or directly on the RA. This provides great value for organizations that need to map their own workflows to the approval process.

Sophisticated Rights Management 

Using the same rights management system as EJBCA, the same RA can service anybody from a public, unauthenticated user, to an authenticated customer, to a local administrator. Each sees only the functionality they have access to, allowing multiple roles to perform duties connected to the same system.

Background 

Looking at the integration support for Microsoft Active Directory in EJBCA, we found a possibility to enhance functionality and create even more value for the user. That is why we developed Certificate Auto-enrollment, where you can combine the full flexibility of EJBCA Enterprise with different AD users and machines, even supporting multiple use cases.

Clustering the RA

You can run several RA servers to provide high availability or increased performance. The RA itself is stateless, so any user can access any RA server to perform their tasks, as long as it is an RA with the same privileges. User sessions against the RA UI use HTTPS sessions and are typically pinned to a certain node by a load balancer.
