
The deal with Registration Authorities, and what they do for you with Smallstep Certificate Manager


Linda Ikechukwu


To obtain a permanent voter’s card (PVC) in Nigeria (where I live), you must apply to a designated local registration office near your residence. The local registration office will require you to present your identification documents to validate that you meet the qualifications to vote (i.e., you are a Nigerian citizen and resident and are of voting age).

Following successful validation, the local registration office will forward your application to the national electoral office. The national electoral office, which is the issuing authority, will then issue your PVC and deliver it to your local registration office, where you can pick it up.

The existence of local registration offices makes things easier for all parties involved. Millions of resident citizens throughout the country cannot have direct access to the national electoral office, since they would need to travel far out of their wards or zones. Likewise, the national issuing authority cannot conduct the registration and validation of millions of resident citizens on its own. In a sense, these local registration offices perform functions similar to those of certificate registration authorities.

What is a registration authority?

Like the local electoral registration offices, a registration authority (RA) acts as a mediator between the endpoints or clients that need certificates and a certificate authority (CA). An RA does not sign certificates, but it authenticates certificate signing requests on behalf of a CA.

The general process is as follows:

  1. An entity sends a certificate request to an RA.
  2. The RA uses any acceptable forms of identification to verify the requestor's identity and authenticate that it is eligible to make a request.
  3. If authenticated, the RA generates a key pair and sends a certificate signing request (CSR) to the CA on behalf of the requesting entity.
  4. The certificate authority issues a signed certificate for the requesting entity to the RA, which then passes it on to the requesting entity.

Typically, a CA server acts as both an issuing authority and a registration authority. However, RAs are useful for separating the authentication process from the certificate issuance process, especially when the CA needs to initiate a connection to the entity requesting a certificate but cannot (for example, when getting a certificate with ACME).

How does getting a certificate with ACME work?

The steps required to manually obtain and renew a signed certificate can cause significant frustration and confusion. Automated Certificate Management Environment (ACME) is an internet protocol that simplifies and automates the process of obtaining and managing signed certificates. Although Let’s Encrypt uses ACME to automate certificate management for websites on the public internet, it can also be used within internal networks.

The ACME protocol has two key components: an ACME client and an ACME server. An ACME client is a program that runs on a host and makes requests for certificates to the ACME server. This ACME server runs within a certificate authority and responds to certificate requests from authorized ACME clients.

To obtain a certificate via the ACME protocol, the ACME client first submits a request for a certificate to be issued to an identifier (a domain name or an IP address). Then, the ACME server responds to the request with challenges that the ACME client must complete to prove that it truly controls the specified identifier.

Before issuing a certificate, the ACME server must verify that the ACME client has successfully completed one of three common challenge types: DNS-01, HTTP-01, or TLS-ALPN-01. Depending on the challenge type, the ACME server either needs to be able to reach the ACME client’s host directly via HTTPS (for HTTP-01) or the host's DNS server (DNS-01) in order to verify the completion of the challenge.


So, why would you need an ACME RA?

You may need to set up an ACME RA if you want to use ACME to automate certificate enrollment and renewal for domain names and IP addresses within an internal network, using a CA outside that network.

As previously mentioned, the ACME server must be able to reach the identifier that the ACME client points to via DNS or HTTPS to validate ACME challenges. But, in internal networks, direct connections from other networks or the internet are often impossible due to firewall configurations that only allow connections that originate inside the internal network. That's why the Smallstep ACME RA was built.

The Smallstep ACME RA is an agent you run within a network, VPC, or Kubernetes cluster, to validate ACME challenges or other certificate requests from local ACME clients. It does not issue certificates or hold signing keys. Instead, it securely relays authenticated certificate requests to a CA, which then issues certificates. An ACME RA deployed within your internal network or VPC will basically act as a rendezvous or relay server, ensuring that ACME clients can be challenged on the internal network without opening additional ports. Additionally, depending on your needs, RAs can be chained and report to other RAs or just report directly to the CA.
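The split described above, as an added sketch that is not Smallstep's code: a hypothetical AcmeRA class validates an HTTP-01 challenge from inside the network and forwards the request to the CA only when validation succeeds. The key authorization format (token, a dot, then the account key's thumbprint) comes from RFC 8555 and RFC 7638 rather than from this article; the in-memory "network", the fake CA, the host name and the CSR placeholder are constructed stand-ins.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 key authorization: token + "." + RFC 7638 SHA-256 JWK thumbprint."""
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[account_jwk["kty"]]
    canonical = json.dumps({m: account_jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return f"{token}.{b64url(hashlib.sha256(canonical.encode()).digest())}"

class AcmeRA:
    """Hypothetical RA: validates HTTP-01 inside the network, holds no signing key."""
    def __init__(self, fetch_internal, relay_to_ca):
        self.fetch_internal = fetch_internal   # reaches hosts behind the firewall
        self.relay_to_ca = relay_to_ca         # outbound-only connection to the CA
        self.pending = {}                      # token -> (identifier, account key)

    def new_challenge(self, identifier, account_jwk):
        token = b64url(secrets.token_bytes(32))
        self.pending[token] = (identifier, account_jwk)
        return token

    def finalize(self, token, csr):
        identifier, jwk = self.pending.pop(token, (None, None))  # tokens are single-use
        if identifier is None:
            return None
        body = self.fetch_internal(identifier, f"/.well-known/acme-challenge/{token}")
        expected = key_authorization(token, jwk)
        if body is None or not hmac.compare_digest(body.strip().encode(), expected.encode()):
            return None                        # challenge failed: nothing reaches the CA
        return self.relay_to_ca(identifier, csr)

# Constructed stand-ins for the internal network and the remote CA (not real services).
INTERNAL_SITES = {}   # (host, path) -> body that host serves
CA_LOG = []           # identifiers the CA was asked to sign for

def fetch_internal(host, path):
    return INTERNAL_SITES.get((host, path))

def fake_ca(identifier, csr):
    CA_LOG.append(identifier)
    return f"CERT[{identifier}] signed by CA for {csr}"

def enroll(ra, host, account_jwk, served_with_jwk, csr="csr-placeholder"):
    token = ra.new_challenge(host, account_jwk)
    path = f"/.well-known/acme-challenge/{token}"
    INTERNAL_SITES[(host, path)] = key_authorization(token, served_with_jwk)
    return ra.finalize(token, csr)
```

Calling enroll with the same account key for both arguments returns the fake certificate; serving a response derived from a different key returns None, and the CA log shows that the failed request was never relayed.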


Smallstep ACME RA is compatible with any ACME-compliant client, such as certbot, Terraform, Caddy, and Kubernetes cert-manager, as well as other PKI providers like HashiCorp Vault, AWS, Google, and so on (even though we prefer you use our Smallstep Certificate Manager).

Set up an ACME RA in minutes with our new quickstart guide

Setting up an ACME RA manually can take quite some time, require you to remember some tedious commands, and can be error prone. So, in line with our mission to make PKI easy, we built the ACME RA Quickstart guide.


With ACME RA Quickstart, you can quickly set up an RA in minutes and use ACME to issue certificates to internal websites, services, databases, and other infrastructure. And when we say ‘minutes,’ no, it’s not marketing hype. Most of our early adopters have been able to set up an ACME RA in just under 5 minutes. Don't believe it? Sign up for a Smallstep Certificate Manager account to see for yourself.


About the author: Linda is an educator at heart, and her superpower is demystifying complexity. Since joining Smallstep as a developer advocate, her new mission is to demystify and educate about PKI and digital certificates :)