RA functionality is accessed primarily through the PKI > Signing Workflow menu.

The role of the Registration Authority

The Registration Authority (RA) is a critical component of the Public Key Infrastructure (PKI) that serves as an intermediary between the client (end-user or end-device) and the Certificate Authority (CA). Its primary function is to authenticate and validate certificate signing requests (CSRs) from entities seeking digital certificates. The specific responsibilities of the RA include:
  • Receiving and processing certificate requests from clients
  • Verifying the identity of the client through rigorous authentication procedures
  • Evaluating and either approving or rejecting CSRs based on established guidelines
  • Informing the CA to issue a certificate in case of approval
  • Denying access to clients that present invalid or revoked certificates
The RA does not create, sign, or manage certificates - these roles are carried out by the CA. By offloading the identity authentication process from the CA, the RA provides an efficient mechanism to manage digital identities in a PKI.

RA features on the KMES Series 3

The KMES Series 3 has all the functionality needed to be a registration authority within your PKI ecosystem and provides the following services:
  • Manage Certificate requests
  • Manage X.509 Extension Profile permissions
  • Provide web server RA automation features
  • Support anonymous roles and identities
  • Handle API commands related to RA functions
  • Manage signing workflows and approval groups

Enable the RA

The Registration Authority (RA) settings are part of certificate workflow management. Perform the following steps to set up and use RA and a connection pair:
To use this functionality, you must enable the RA license. To request this license, contact the Futurex support team at support@futurex.com.
1. Go to Administration > Configuration > Network Options.
2. Go to the TLS/SSL Settings tab, located at the top of the Network Options window.
3. Select Registration Authority from the Connection drop-down menu.
4. Set the following options:
   Option                               Required configuration
   Port                                 Use the default port
   Enabled                              Checked
   Use System/Host API SSL Parameters   Unchecked
   Allow Anonymous Connections          Checked
   Use Futurex certificates             Checked
5. Select [ OK ].
This configuration uses Futurex-signed certificates for remote authentication. If you need an internal CA instead, you must generate PKI keys, export a CSR, have the CA sign it, and import the signed certificate. We recommend using Futurex-signed certificates for easy setup.

Signing workflow and approval

This section covers the signing workflow and approval tasks.

Manage roles and identities

Before using the registration authority functionality, administrators should define two new roles to delegate the separate tasks of uploading certificate signing requests and approving, denying, or revoking those CSRs.
The role names below are examples only; the names you use are up to you.
The two roles to create, with their minimum permissions, are:
Role          Permissions
Submitters    Certificate Authority: Upload
Approvers     Signing Approval: Add, Approve, Delete, Modify
Be sure to grant the Submitters and Approvers roles you create the Use permission on the issuing CA certificate.
For more information on creating roles and identities, see the complete KMES Series 3 User Guide.

Creating signing approval groups

Before submitters can upload a CSR, an approver must add a signing approval group to contain the request. To do this:
1. Go to PKI > Signing Workflow and select [ Add Approval Group ].
2. Enter an identifiable name into the Name field.
3. Select [ OK ] when finished.

Assign permissions

A non-administrative role must have the appropriate object permissions to perform any action related to a signing approval group. For example, an approver should have Use permissions at the object level. Only an administrative identity or role with similar permissions can assign these. For more information about permissions and identity management, see the KMES Series 3 User Guide. Perform the following steps to assign an approval group object permissions:
1. Right-click the desired approval group and select Permission.
2. In the Set Object-Group Permissions window, set the device permissions for each role to None, View, Use, Modify, or Delete.
   The Administrator role has implicit permissions that you cannot adjust. Non-admin roles must have Modify permissions to view and modify the device group protocols.
3. Select one of the following permission application options from the drop-down menu:
   • Do not apply to children
   • Apply to direct children
   • Apply to children recursively
   Signing approval groups cannot have children, so recursive and implicit permissions are not applicable.
4. Select [ OK ] to save.

Certificate enrollment

RAs often perform certificate enrollment. In this process, an entity requests an X.509 certificate from a CA. Assuming the entity request is valid, the CA signs the entity public key and provides a certificate to secure the public-facing systems of the entity. Perform the tasks in this section to complete certificate enrollment:

Submit a CSR

Perform the following steps to submit a CSR to the Registration Authority (RA):
1. Go to the RA in the browser.
2. Log in with an identity assigned the permissions required to submit a CSR.
3. Select the signing/issuing certificate you configured in the drop-down menu. Several CSR methods are supported. Select [ -> ] to move to the next step.
4. Select the approval group you configured, then select [ -> ].
5. Select an extension profile in the drop-down menu and set custom extensions if required, then select [ -> ].
6. Select a DN Profile in the drop-down menu, then enter information into the fields below and select [ -> ].
7. In the final window, provide the required information and select [ Submit ].
In the main menu, this new request displays under Pending Requests.

Approve a CSR with the RA

Perform the following steps to approve a CSR by using the RA:
1. Go to the RA in the browser.
2. Log in with an identity assigned the permissions required to approve CSRs.
3. In the menu on the right, select the pending request.
4. Go to the Approvals tab.
5. Select [ Approve ].
You should see a message confirming that the signing request was successfully approved.

Approve a CSR in the KMES

Perform the following steps to approve a CSR in the KMES Series 3 application interface:
1. Log in to the KMES Series 3 application interface with an identity assigned the permissions required to approve CSRs.
2. Go to PKI > Signing Workflow.
3. Right-click the Pending request and select [ Approve ].
The status of the request should change to Approved.

Download the signed certificate

Perform the following steps to download the signed certificate through the RA:
1. Go to the RA in the browser.
2. Log in with the identity that submitted the CSR.
3. In the menu on the right, select the request that was approved and signed.
4. Go to the Download tab.
5. Select the file format for the certificate download and select [ Download ].
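The enrollment flow described in this section (submit a CSR, approve it, have the CA sign it, download the certificate) can be modelled end to end with openssl. The script below is an added example and is not Futurex or KMES code; it does not talk to the RA or the KMES. A throwaway self-signed "lab issuing CA" stands in for the issuing CA, the subject names and the WORK directory are assumptions, and every artifact is constructed locally so the script runs offline. The check_csr function is the part an approver cares about: a CSR's signature verifies only if the requester holds the private key for the public key it asks to have certified, and the subject must match what the approver expects before [ Approve ] is selected.

```shell
#!/bin/sh
# Added example, not KMES/RA code: offline model of CSR enrollment with openssl.
# All file names, subject names and the lab CA are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Lab issuing CA (constructed for the example; stands in for the CA behind the RA).
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Lab Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Submitter side: generate a key pair and the CSR that would be uploaded to the RA.
# $1 = common name requested for the entity.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=$1" \
    -keyout "$WORK/entity.key" -out "$WORK/entity.csr" >/dev/null 2>&1
}

# Approver side: what to check before approving. Succeeds only if the CSR's
# self-signature verifies (proof of possession of the private key) and the
# requested CN matches the value the approver expects. $1 = expected CN.
check_csr() {
  openssl req -in "$WORK/entity.csr" -noout -verify >/dev/null 2>&1 || return 1
  subj=$(openssl req -in "$WORK/entity.csr" -noout -subject)
  case "$subj" in
    *"CN = $1"*|*"CN=$1"*) return 0 ;;   # both OpenSSL 1.x and 3.x subject layouts
    *) return 1 ;;
  esac
}

# CA side (on approval): sign the CSR's public key, producing the certificate.
sign_csr() {
  openssl x509 -req -in "$WORK/entity.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -sha256 -out "$WORK/entity.crt" >/dev/null 2>&1
}

# Submitter side (after download): confirm the certificate chains to the issuing
# CA and that its public key is the one belonging to the private key generated above.
verify_issued() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/entity.crt" >/dev/null 2>&1 || return 1
  certpub=$(openssl x509 -in "$WORK/entity.crt" -noout -pubkey)
  keypub=$(openssl pkey -in "$WORK/entity.key" -pubout)
  [ "$certpub" = "$keypub" ]
}

# Whole flow for one entity. $1 = common name to enroll.
enroll() {
  make_lab_ca && make_csr "$1" && check_csr "$1" && sign_csr && verify_issued
}

# Usage: enroll "server01.example.test" && echo "enrolled into $WORK"
```

In the RA workflow, make_csr corresponds to what the submitter prepares before the Submit a CSR steps, check_csr to what the approver verifies before selecting [ Approve ], sign_csr to what the CA does once the request status becomes Approved, and verify_issued to the check a submitter should run on the file obtained from the Download tab.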