In a typical PKI workflow, the CA is mainly responsible for certificate issuance and lifecycle management, but it usually does not handle direct identity verification for most end users. Instead, the user submits a certificate application request (often a CSR) through a defined enrollment channel, and the RA performs the key step of validating the requester’s identity and authorization according to the organization’s certificate policy. After the RA approves the request, it is forwarded to the CA for signing and issuance. This separation of duties improves security and scalability: the CA stays protected and focused on signing operations, while the RA enforces registration, approval, and identity-proofing processes close to the user or business unit.
Therefore, saying “in most cases the user applies to the CA and the CA approves the application” is inaccurate in standard enterprise PKI designs. The CA issues the certificate, but approval and verification are commonly handled by the RA, with the CA acting on the RA’s validated decision.
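
The separation of duties described above, as an added example that is not part of the original page: a simplified Python model in which the RA performs identity and authorization checks and the CA signs only requests carrying a valid RA approval bound to the exact CSR. The shared HMAC key, the `AUTHORIZED` policy table, the function names, and the CSR bytes are constructed assumptions standing in for a real RA credential, certificate policy, and PKCS#10 request.

```python
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the page).
RA_CA_KEY = b"demo-ra-to-ca-key"                 # stands in for the RA's credential
AUTHORIZED = {"alice": {"alice.corp.example"}}   # requester -> subjects allowed by policy


def csr_digest(csr: bytes) -> str:
    return hashlib.sha256(csr).hexdigest()


def ra_review(requester: str, subject: str, csr: bytes, identity_verified: bool):
    """RA step: identity proofing and authorization. Returns an approval or None."""
    if not identity_verified or subject not in AUTHORIZED.get(requester, set()):
        return None
    body = json.dumps({"requester": requester, "subject": subject,
                       "csr_sha256": csr_digest(csr)}, sort_keys=True)
    tag = hmac.new(RA_CA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def ca_issue(csr: bytes, approval):
    """CA step: no identity checks here; it signs only what the RA approved."""
    if approval is None:
        return "REJECTED: no RA approval"
    expected = hmac.new(RA_CA_KEY, approval["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, approval["tag"]):
        return "REJECTED: approval not from RA"
    claims = json.loads(approval["body"])
    if claims["csr_sha256"] != csr_digest(csr):
        return "REJECTED: CSR differs from the one the RA approved"
    return f"ISSUED: certificate for {claims['subject']}"


def demo():
    csr = b"constructed CSR bytes for alice.corp.example"
    ok = ra_review("alice", "alice.corp.example", csr, identity_verified=True)
    return [
        ca_issue(csr, ok),                                                     # approved path
        ca_issue(csr, ra_review("alice", "alice.corp.example", csr, False)),   # identity not proven
        ca_issue(csr, ra_review("mallory", "alice.corp.example", csr, True)),  # not authorized
        ca_issue(b"swapped CSR", ok),                                          # approval reused
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```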