Due to compliance or security requirements, your network may be heavily segmented with very limited access. Devices running in a private subnet could potentially have issues requesting certificates from Certificate Manager if the networking policies restrict public DNS. The solution to this problem is a Registration Authority.
Following the instructions in our RA Getting Started Guide, you can stand up an instance of `step-ca` running in "Registration Authority" mode in your public subnet to issue certificates to your local, private devices. Devices in your environment could then send certificate issuance requests to your RA, and the RA would pass along the request to Certificate Manager to sign and return the cert/key pair. Your RA would act as the secure intermediary along your network boundary.
Multiple Network Boundaries
There are cases where an environment could be locked down in such a way that private subnets are only accessible via a DMZ: ie. A -> B -> C. In such a case, devices in private subnet C would not be able to issue requests to an RA sitting in public subnet A.
In this case, you can stand up an additional instance of `step-ca` in "Registration Authority" mode in subnet B. It is possible to chain RA's together, so you can simply point the configuration of the RA in subnet B to the RA in subnet A. Devices requesting certificates from the RA in subnet B could then receive certificates signed by their Certificate Manager authority via both intermediary RA's.