An intermediary between the CA and PKI system. Used to: Verify and approve identities during CSR Revoke certificate and add to CRL Pass on requests for the CA to sign Often setup when direct communication with CA is impractical.