Add gRPC server to RA (#2350)

Fixes #2348.
2016-11-29 15:34:35 -08:00 · 2016-11-29 15:34:35 -08:00 · a87379bc6e
parent 1df986b858
commit a87379bc6e
19 changed files with 1730 additions and 186 deletions
--- a/ca/proto/ca.pb.go
+++ b/ca/proto/ca.pb.go
@ -1,16 +1,15 @@
 // Code generated by protoc-gen-go.
-// source: ca.proto
+// source: ca/proto/ca.proto
 // DO NOT EDIT!

 /*
 Package proto is a generated protocol buffer package.

 It is generated from these files:
-	ca.proto
+	ca/proto/ca.proto

 It has these top-level messages:
 	IssueCertificateRequest
-	Certificate
 	GenerateOCSPRequest
 	OCSPResponse
 */
@ -19,6 +18,7 @@ package proto
 import proto1 "github.com/golang/protobuf/proto"
 import fmt "fmt"
 import math "math"
+import core "github.com/letsencrypt/boulder/core/proto"

 import (
 	context "golang.org/x/net/context"
@ -61,63 +61,6 @@ func (m *IssueCertificateRequest) GetRegistrationID() int64 {
 	return 0
 }

-type Certificate struct {
-	RegistrationID   *int64  `protobuf:"varint,1,opt,name=registrationID" json:"registrationID,omitempty"`
-	Serial           *string `protobuf:"bytes,2,opt,name=serial" json:"serial,omitempty"`
-	Digest           *string `protobuf:"bytes,3,opt,name=digest" json:"digest,omitempty"`
-	Der              []byte  `protobuf:"bytes,4,opt,name=der" json:"der,omitempty"`
-	Issued           *int64  `protobuf:"varint,5,opt,name=issued" json:"issued,omitempty"`
-	Expires          *int64  `protobuf:"varint,6,opt,name=expires" json:"expires,omitempty"`
-	XXX_unrecognized []byte  `json:"-"`
-}
-
-func (m *Certificate) Reset()                    { *m = Certificate{} }
-func (m *Certificate) String() string            { return proto1.CompactTextString(m) }
-func (*Certificate) ProtoMessage()               {}
-func (*Certificate) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} }
-
-func (m *Certificate) GetRegistrationID() int64 {
-	if m != nil && m.RegistrationID != nil {
-		return *m.RegistrationID
-	}
-	return 0
-}
-
-func (m *Certificate) GetSerial() string {
-	if m != nil && m.Serial != nil {
-		return *m.Serial
-	}
-	return ""
-}
-
-func (m *Certificate) GetDigest() string {
-	if m != nil && m.Digest != nil {
-		return *m.Digest
-	}
-	return ""
-}
-
-func (m *Certificate) GetDer() []byte {
-	if m != nil {
-		return m.Der
-	}
-	return nil
-}
-
-func (m *Certificate) GetIssued() int64 {
-	if m != nil && m.Issued != nil {
-		return *m.Issued
-	}
-	return 0
-}
-
-func (m *Certificate) GetExpires() int64 {
-	if m != nil && m.Expires != nil {
-		return *m.Expires
-	}
-	return 0
-}
-
 type GenerateOCSPRequest struct {
 	CertDER          []byte  `protobuf:"bytes,1,opt,name=certDER" json:"certDER,omitempty"`
 	Status           *string `protobuf:"bytes,2,opt,name=status" json:"status,omitempty"`
@ -129,7 +72,7 @@ type GenerateOCSPRequest struct {
 func (m *GenerateOCSPRequest) Reset()                    { *m = GenerateOCSPRequest{} }
 func (m *GenerateOCSPRequest) String() string            { return proto1.CompactTextString(m) }
 func (*GenerateOCSPRequest) ProtoMessage()               {}
-func (*GenerateOCSPRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} }
+func (*GenerateOCSPRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} }

 func (m *GenerateOCSPRequest) GetCertDER() []byte {
 	if m != nil {
@ -167,7 +110,7 @@ type OCSPResponse struct {
 func (m *OCSPResponse) Reset()                    { *m = OCSPResponse{} }
 func (m *OCSPResponse) String() string            { return proto1.CompactTextString(m) }
 func (*OCSPResponse) ProtoMessage()               {}
-func (*OCSPResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} }
+func (*OCSPResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} }

 func (m *OCSPResponse) GetResponse() []byte {
 	if m != nil {
@ -178,7 +121,6 @@ func (m *OCSPResponse) GetResponse() []byte {

 func init() {
 	proto1.RegisterType((*IssueCertificateRequest)(nil), "ca.IssueCertificateRequest")
-	proto1.RegisterType((*Certificate)(nil), "ca.Certificate")
 	proto1.RegisterType((*GenerateOCSPRequest)(nil), "ca.GenerateOCSPRequest")
 	proto1.RegisterType((*OCSPResponse)(nil), "ca.OCSPResponse")
 }
@ -194,7 +136,7 @@ const _ = grpc.SupportPackageIsVersion3
 // Client API for CertificateAuthority service

 type CertificateAuthorityClient interface {
-	IssueCertificate(ctx context.Context, in *IssueCertificateRequest, opts ...grpc.CallOption) (*Certificate, error)
+	IssueCertificate(ctx context.Context, in *IssueCertificateRequest, opts ...grpc.CallOption) (*core.Certificate, error)
 	GenerateOCSP(ctx context.Context, in *GenerateOCSPRequest, opts ...grpc.CallOption) (*OCSPResponse, error)
 }

@ -206,8 +148,8 @@ func NewCertificateAuthorityClient(cc *grpc.ClientConn) CertificateAuthorityClie
 	return &certificateAuthorityClient{cc}
 }

-func (c *certificateAuthorityClient) IssueCertificate(ctx context.Context, in *IssueCertificateRequest, opts ...grpc.CallOption) (*Certificate, error) {
-	out := new(Certificate)
+func (c *certificateAuthorityClient) IssueCertificate(ctx context.Context, in *IssueCertificateRequest, opts ...grpc.CallOption) (*core.Certificate, error) {
+	out := new(core.Certificate)
 	err := grpc.Invoke(ctx, "/ca.CertificateAuthority/IssueCertificate", in, out, c.cc, opts...)
 	if err != nil {
 		return nil, err
@ -227,7 +169,7 @@ func (c *certificateAuthorityClient) GenerateOCSP(ctx context.Context, in *Gener
 // Server API for CertificateAuthority service

 type CertificateAuthorityServer interface {
-	IssueCertificate(context.Context, *IssueCertificateRequest) (*Certificate, error)
+	IssueCertificate(context.Context, *IssueCertificateRequest) (*core.Certificate, error)
 	GenerateOCSP(context.Context, *GenerateOCSPRequest) (*OCSPResponse, error)
 }

@ -288,27 +230,25 @@ var _CertificateAuthority_serviceDesc = grpc.ServiceDesc{
 	Metadata: fileDescriptor0,
 }

-func init() { proto1.RegisterFile("ca.proto", fileDescriptor0) }
+func init() { proto1.RegisterFile("ca/proto/ca.proto", fileDescriptor0) }

 var fileDescriptor0 = []byte{
-	// 302 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x74, 0x91, 0x4f, 0x4f, 0xc2, 0x40,
-	0x10, 0xc5, 0x29, 0x95, 0x7f, 0x03, 0x01, 0x5c, 0x8d, 0x34, 0x78, 0x21, 0x3d, 0x71, 0xe2, 0xe0,
-	0xd5, 0xc4, 0x84, 0x3f, 0xc6, 0x70, 0xd2, 0xe0, 0x49, 0x6f, 0x9b, 0xed, 0x88, 0x1b, 0x4d, 0xb7,
-	0xce, 0x4c, 0x8d, 0x7e, 0x12, 0xbf, 0xae, 0xd9, 0x05, 0x63, 0x63, 0xf0, 0xd6, 0xe9, 0xcc, 0x9b,
-	0xdf, 0x7b, 0xb3, 0xd0, 0x36, 0x7a, 0x56, 0x90, 0x13, 0xa7, 0xea, 0x46, 0xa7, 0x57, 0x30, 0x5a,
-	0x33, 0x97, 0xb8, 0x44, 0x12, 0xfb, 0x64, 0x8d, 0x16, 0xdc, 0xe0, 0x5b, 0x89, 0x2c, 0xaa, 0x0b,
-	0xb1, 0x61, 0x4a, 0xa2, 0x49, 0x34, 0xed, 0xa9, 0x33, 0xe8, 0x13, 0x6e, 0x2d, 0x0b, 0x69, 0xb1,
-	0x2e, 0x5f, 0xaf, 0x92, 0xfa, 0x24, 0x9a, 0xc6, 0x29, 0x43, 0xb7, 0x22, 0x3d, 0x30, 0xe6, 0xe5,
-	0xb1, 0xea, 0x43, 0x93, 0x91, 0xac, 0x7e, 0x0d, 0xb2, 0x8e, 0xaf, 0x33, 0xbb, 0x45, 0x96, 0x24,
-	0x0e, 0x75, 0x17, 0xe2, 0x0c, 0x29, 0x39, 0x0a, 0xac, 0x3e, 0x34, 0xad, 0xf7, 0x94, 0x25, 0x8d,
-	0x20, 0x1e, 0x40, 0x0b, 0x3f, 0x0a, 0x4b, 0xc8, 0x49, 0x33, 0x40, 0x1f, 0xe0, 0xe4, 0x06, 0x73,
-	0x24, 0x2d, 0x78, 0xbb, 0xbc, 0xbf, 0xfb, 0x31, 0x3c, 0x80, 0x96, 0x41, 0x92, 0xd5, 0xf5, 0x66,
-	0x6f, 0xda, 0x53, 0x45, 0x4b, 0xc9, 0xbf, 0x54, 0x42, 0xcd, 0x2e, 0x0f, 0xd4, 0x86, 0x3a, 0x86,
-	0x0e, 0xe1, 0xbb, 0x7b, 0xc1, 0x6c, 0x2e, 0x81, 0x1d, 0xa7, 0x13, 0xe8, 0xed, 0x56, 0x72, 0xe1,
-	0x72, 0x46, 0x35, 0x84, 0x36, 0xed, 0xbf, 0x77, 0x4b, 0x2f, 0xbe, 0x22, 0x38, 0xad, 0x44, 0x9e,
-	0x97, 0xf2, 0xec, 0xc8, 0xca, 0xa7, 0x5a, 0xc0, 0xf0, 0xef, 0x29, 0xd5, 0xf9, 0xcc, 0xe8, 0xd9,
-	0x3f, 0x07, 0x1e, 0x0f, 0x7c, 0xb3, 0xf2, 0x3f, 0xad, 0xa9, 0x4b, 0xe8, 0x55, 0x93, 0xa9, 0x91,
-	0x1f, 0x39, 0x90, 0x75, 0x3c, 0xf4, 0x8d, 0xaa, 0xd3, 0xb4, 0xb6, 0x68, 0x3d, 0x36, 0xc2, 0xc3,
-	0x7e, 0x07, 0x00, 0x00, 0xff, 0xff, 0x25, 0xda, 0x9b, 0x25, 0xe3, 0x01, 0x00, 0x00,
+	// 267 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x74, 0x90, 0x4d, 0x4b, 0xc3, 0x40,
+	0x10, 0x86, 0x9b, 0xc6, 0x5a, 0x3b, 0x86, 0x9a, 0xac, 0x1f, 0x0d, 0xf1, 0x12, 0x72, 0xca, 0x29,
+	0x05, 0xaf, 0x82, 0x50, 0x1b, 0x91, 0x9e, 0x94, 0x7a, 0xd2, 0xdb, 0xb2, 0x8e, 0x1a, 0x84, 0x6c,
+	0x9d, 0x99, 0x08, 0xfe, 0x14, 0xff, 0xad, 0x64, 0xd3, 0x42, 0x10, 0xbd, 0xcd, 0xf0, 0xf2, 0x3e,
+	0xcc, 0x33, 0x10, 0x19, 0x3d, 0xdf, 0x90, 0x15, 0x3b, 0x37, 0xba, 0x70, 0x83, 0x1a, 0x1a, 0x9d,
+	0x9c, 0x1a, 0x4b, 0xb8, 0x0b, 0x2c, 0x61, 0x17, 0x65, 0x57, 0x30, 0x5b, 0x31, 0x37, 0xb8, 0x44,
+	0x92, 0xea, 0xa5, 0x32, 0x5a, 0x70, 0x8d, 0x1f, 0x0d, 0xb2, 0xa8, 0x43, 0xf0, 0x0d, 0x53, 0xec,
+	0xa5, 0x5e, 0x1e, 0xa8, 0x33, 0x98, 0x12, 0xbe, 0x56, 0x2c, 0xa4, 0xa5, 0xb2, 0xf5, 0xaa, 0x8c,
+	0x87, 0xa9, 0x97, 0xfb, 0xd9, 0x23, 0x1c, 0xdf, 0x62, 0x8d, 0xa4, 0x05, 0xef, 0x96, 0x0f, 0xf7,
+	0xbb, 0xee, 0x11, 0x8c, 0x0d, 0x92, 0x94, 0x37, 0xeb, 0x6d, 0x7f, 0x0a, 0xfb, 0x2c, 0x5a, 0x1a,
+	0x76, 0xbd, 0x49, 0xbb, 0x13, 0x6a, 0xb6, 0x75, 0xec, 0xa7, 0x5e, 0x3e, 0x52, 0x11, 0x4c, 0x08,
+	0x3f, 0xed, 0x3b, 0x3e, 0x2f, 0x24, 0xde, 0x73, 0xe8, 0x14, 0x82, 0x0e, 0xc9, 0x1b, 0x5b, 0x33,
+	0xaa, 0x10, 0x0e, 0x68, 0x3b, 0x77, 0xd0, 0x8b, 0x6f, 0x0f, 0x4e, 0x7a, 0x87, 0x2f, 0x1a, 0x79,
+	0xb3, 0x54, 0xc9, 0x97, 0x2a, 0x21, 0xfc, 0x6d, 0xa5, 0xce, 0x0b, 0xa3, 0x8b, 0x7f, 0x5c, 0x93,
+	0xa8, 0x70, 0x3f, 0xe9, 0x25, 0xd9, 0x40, 0x5d, 0x42, 0xd0, 0x77, 0x53, 0xb3, 0x96, 0xf0, 0x87,
+	0x6d, 0x12, 0xb6, 0x41, 0xff, 0xd6, 0x6c, 0x70, 0x3d, 0x7e, 0x1a, 0xb9, 0x0f, 0xff, 0x04, 0x00,
+	0x00, 0xff, 0xff, 0x08, 0x1f, 0xbb, 0xea, 0x90, 0x01, 0x00, 0x00,
 }
--- a/ca/proto/ca.proto
+++ b/ca/proto/ca.proto
@ -3,8 +3,10 @@ syntax = "proto2";
 package ca;
 option go_package = "proto";

+import "core/proto/core.proto";
+
 service CertificateAuthority {
-  rpc IssueCertificate(IssueCertificateRequest) returns (Certificate) {}
+  rpc IssueCertificate(IssueCertificateRequest) returns (core.Certificate) {}
  rpc GenerateOCSP(GenerateOCSPRequest) returns (OCSPResponse) {}
 }

@ -13,15 +15,6 @@ message IssueCertificateRequest {
  optional int64 registrationID = 2;
 }

-message Certificate {
-  optional int64 registrationID = 1;
-  optional string serial = 2;
-  optional string digest = 3;
-  optional bytes der = 4;
-  optional int64 issued = 5;  // Unix timestamp (nanoseconds)
-  optional int64 expires = 6; // Unix timestamp (nanoseconds)
-}
-
 message GenerateOCSPRequest {
  optional bytes certDER = 1;
  optional string status = 2;
--- a/ca/proto/generate.go
+++ b/ca/proto/generate.go
@ -1,3 +1,3 @@
 package proto

-//go:generate sh -c "protoc --go_out=plugins=grpc:. ca.proto"
+//go:generate sh -c "cd ../.. && protoc --go_out=plugins=grpc,Mcore/proto/core.proto=github.com/letsencrypt/boulder/core/proto:. ca/proto/ca.proto"
--- a/cmd/admin-revoker/main.go
+++ b/cmd/admin-revoker/main.go
@ -16,8 +16,10 @@ import (

 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
+	bgrpc "github.com/letsencrypt/boulder/grpc"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
+	rapb "github.com/letsencrypt/boulder/ra/proto"
 	"github.com/letsencrypt/boulder/revocation"
 	"github.com/letsencrypt/boulder/rpc"
 	"github.com/letsencrypt/boulder/sa"
@ -48,6 +50,8 @@ type config struct {
 		// The revoker isn't a long running service, so doesn't get a full
 		// ServiceConfig, just an AMQPConfig.
 		AMQP *cmd.AMQPConfig
+
+		RAService *cmd.GRPCClientConfig
 	}

 	Statsd cmd.StatsdConfig
@ -55,13 +59,21 @@ type config struct {
 	Syslog cmd.SyslogConfig
 }

-func setupContext(c config) (rpc.RegistrationAuthorityClient, blog.Logger, *gorp.DbMap, rpc.StorageAuthorityClient, metrics.Scope) {
+func setupContext(c config) (core.RegistrationAuthority, blog.Logger, *gorp.DbMap, rpc.StorageAuthorityClient, metrics.Scope) {
 	stats, logger := cmd.StatsAndLogging(c.Statsd, c.Syslog)
 	scope := metrics.NewStatsdScope(stats, "AdminRevoker")

 	amqpConf := c.Revoker.AMQP
-	rac, err := rpc.NewRegistrationAuthorityClient(clientName, amqpConf, scope)
-	cmd.FailOnError(err, "Unable to create CA client")
+	var rac core.RegistrationAuthority
+	if c.Revoker.RAService != nil {
+		conn, err := bgrpc.ClientSetup(c.Revoker.RAService, scope)
+		cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
+		rac = bgrpc.NewRegistrationAuthorityClient(rapb.NewRegistrationAuthorityClient(conn), c.Revoker.RAService.Timeout.Duration)
+	} else {
+		var err error
+		rac, err = rpc.NewRegistrationAuthorityClient(clientName, amqpConf, scope)
+		cmd.FailOnError(err, "Unable to create RA AMQP client")
+	}

 	dbURL, err := c.Revoker.DBConfig.URL()
 	cmd.FailOnError(err, "Couldn't load DB URL")
@ -72,10 +84,10 @@ func setupContext(c config) (rpc.RegistrationAuthorityClient, blog.Logger, *gorp
 	sac, err := rpc.NewStorageAuthorityClient(clientName, amqpConf, scope)
 	cmd.FailOnError(err, "Failed to create SA client")

-	return *rac, logger, dbMap, *sac, scope
+	return rac, logger, dbMap, *sac, scope
 }

-func revokeBySerial(ctx context.Context, serial string, reasonCode revocation.Reason, rac rpc.RegistrationAuthorityClient, logger blog.Logger, tx *gorp.Transaction) (err error) {
+func revokeBySerial(ctx context.Context, serial string, reasonCode revocation.Reason, rac core.RegistrationAuthority, logger blog.Logger, tx *gorp.Transaction) (err error) {
 	if reasonCode < 0 || reasonCode == 7 || reasonCode > 10 {
 		panic(fmt.Sprintf("Invalid reason code: %d", reasonCode))
 	}
@ -102,7 +114,7 @@ func revokeBySerial(ctx context.Context, serial string, reasonCode revocation.Re
 	return
 }

-func revokeByReg(ctx context.Context, regID int64, reasonCode revocation.Reason, rac rpc.RegistrationAuthorityClient, logger blog.Logger, tx *gorp.Transaction) (err error) {
+func revokeByReg(ctx context.Context, regID int64, reasonCode revocation.Reason, rac core.RegistrationAuthority, logger blog.Logger, tx *gorp.Transaction) (err error) {
 	var certs []core.Certificate
 	_, err = tx.Select(&certs, "SELECT serial FROM certificates WHERE registrationID = :regID", map[string]interface{}{"regID": regID})
 	if err != nil {
@ -158,14 +170,14 @@ func main() {
 		reasonCode, err := strconv.Atoi(args[1])
 		cmd.FailOnError(err, "Reason code argument must be an integer")

-		cac, logger, dbMap, _, _ := setupContext(c)
+		rac, logger, dbMap, _, _ := setupContext(c)

 		tx, err := dbMap.Begin()
 		if err != nil {
 			cmd.FailOnError(sa.Rollback(tx, err), "Couldn't begin transaction")
 		}

-		err = revokeBySerial(ctx, serial, revocation.Reason(reasonCode), cac, logger, tx)
+		err = revokeBySerial(ctx, serial, revocation.Reason(reasonCode), rac, logger, tx)
 		if err != nil {
 			cmd.FailOnError(sa.Rollback(tx, err), "Couldn't revoke certificate")
 		}
@ -180,7 +192,7 @@ func main() {
 		reasonCode, err := strconv.Atoi(args[1])
 		cmd.FailOnError(err, "Reason code argument must be an integer")

-		cac, logger, dbMap, sac, _ := setupContext(c)
+		rac, logger, dbMap, sac, _ := setupContext(c)
 		defer logger.AuditPanic()

 		tx, err := dbMap.Begin()
@ -193,7 +205,7 @@ func main() {
 			cmd.FailOnError(err, "Couldn't fetch registration")
 		}

-		err = revokeByReg(ctx, regID, revocation.Reason(reasonCode), cac, logger, tx)
+		err = revokeByReg(ctx, regID, revocation.Reason(reasonCode), rac, logger, tx)
 		if err != nil {
 			cmd.FailOnError(sa.Rollback(tx, err), "Couldn't revoke certificate")
 		}
--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@ -3,10 +3,12 @@ package main
 import (
 	"flag"
 	"fmt"
+	"net"
 	"os"
 	"time"

 	"github.com/jmhodges/clock"
+	"google.golang.org/grpc"

 	"github.com/letsencrypt/boulder/bdns"
 	caPB "github.com/letsencrypt/boulder/ca/proto"
@ -19,6 +21,7 @@ import (
 	"github.com/letsencrypt/boulder/policy"
 	pubPB "github.com/letsencrypt/boulder/publisher/proto"
 	"github.com/letsencrypt/boulder/ra"
+	rapb "github.com/letsencrypt/boulder/ra/proto"
 	"github.com/letsencrypt/boulder/rpc"
 )

@ -206,10 +209,28 @@ func main() {
 	err = rai.UpdateIssuedCountForever()
 	cmd.FailOnError(err, "Updating total issuance count")

+	var grpcSrv *grpc.Server
+	if c.RA.GRPC != nil {
+		var listener net.Listener
+		grpcSrv, listener, err = bgrpc.NewServer(c.RA.GRPC, scope)
+		cmd.FailOnError(err, "Unable to setup RA gRPC server")
+		gw := bgrpc.NewRegistrationAuthorityServer(rai)
+		rapb.RegisterRegistrationAuthorityServer(grpcSrv, gw)
+		go func() {
+			err = grpcSrv.Serve(listener)
+			cmd.FailOnError(err, "RA gRPC service failed")
+		}()
+	}
+
 	ras, err := rpc.NewAmqpRPCServer(amqpConf, c.RA.MaxConcurrentRPCServerRequests, scope, logger)
 	cmd.FailOnError(err, "Unable to create RA RPC server")

-	go cmd.CatchSignals(logger, ras.Stop)
+	go cmd.CatchSignals(logger, func() {
+		ras.Stop()
+		if grpcSrv != nil {
+			grpcSrv.GracefulStop()
+		}
+	})

 	err = rpc.NewRegistrationAuthorityServer(ras, rai, logger)
 	cmd.FailOnError(err, "Unable to setup RA RPC server")
--- a/cmd/boulder-wfe/main.go
+++ b/cmd/boulder-wfe/main.go
@ -10,10 +10,13 @@ import (
 	"github.com/jmhodges/clock"

 	"github.com/letsencrypt/boulder/cmd"
+	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
+	bgrpc "github.com/letsencrypt/boulder/grpc"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
+	rapb "github.com/letsencrypt/boulder/ra/proto"
 	"github.com/letsencrypt/boulder/rpc"
 	"github.com/letsencrypt/boulder/wfe"
 )
@ -41,6 +44,8 @@ type config struct {
 		AcceptRevocationReason bool
 		AllowAuthzDeactivation bool

+		RAService *cmd.GRPCClientConfig
+
 		Features map[string]bool
 	}

@ -56,10 +61,18 @@ type config struct {
 	}
 }

-func setupWFE(c config, logger blog.Logger, stats metrics.Scope) (*rpc.RegistrationAuthorityClient, *rpc.StorageAuthorityClient) {
+func setupWFE(c config, logger blog.Logger, stats metrics.Scope) (core.RegistrationAuthority, *rpc.StorageAuthorityClient) {
 	amqpConf := c.WFE.AMQP
-	rac, err := rpc.NewRegistrationAuthorityClient(clientName, amqpConf, stats)
-	cmd.FailOnError(err, "Unable to create RA client")
+	var rac core.RegistrationAuthority
+	if c.WFE.RAService != nil {
+		conn, err := bgrpc.ClientSetup(c.WFE.RAService, stats)
+		cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
+		rac = bgrpc.NewRegistrationAuthorityClient(rapb.NewRegistrationAuthorityClient(conn), c.WFE.RAService.Timeout.Duration)
+	} else {
+		var err error
+		rac, err = rpc.NewRegistrationAuthorityClient(clientName, amqpConf, stats)
+		cmd.FailOnError(err, "Unable to create RA AMQP client")
+	}

 	sac, err := rpc.NewStorageAuthorityClient(clientName, amqpConf, stats)
 	cmd.FailOnError(err, "Unable to create SA client")
--- a/core/proto/core.pb.go
+++ b/core/proto/core.pb.go
@ -12,6 +12,8 @@ It has these top-level messages:
 	Challenge
 	ValidationRecord
 	ProblemDetails
+	Certificate
+	Empty
 */
 package proto

@ -193,34 +195,106 @@ func (m *ProblemDetails) GetHttpStatus() int32 {
 	return 0
 }

+type Certificate struct {
+	RegistrationID   *int64  `protobuf:"varint,1,opt,name=registrationID" json:"registrationID,omitempty"`
+	Serial           *string `protobuf:"bytes,2,opt,name=serial" json:"serial,omitempty"`
+	Digest           *string `protobuf:"bytes,3,opt,name=digest" json:"digest,omitempty"`
+	Der              []byte  `protobuf:"bytes,4,opt,name=der" json:"der,omitempty"`
+	Issued           *int64  `protobuf:"varint,5,opt,name=issued" json:"issued,omitempty"`
+	Expires          *int64  `protobuf:"varint,6,opt,name=expires" json:"expires,omitempty"`
+	XXX_unrecognized []byte  `json:"-"`
+}
+
+func (m *Certificate) Reset()                    { *m = Certificate{} }
+func (m *Certificate) String() string            { return proto1.CompactTextString(m) }
+func (*Certificate) ProtoMessage()               {}
+func (*Certificate) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} }
+
+func (m *Certificate) GetRegistrationID() int64 {
+	if m != nil && m.RegistrationID != nil {
+		return *m.RegistrationID
+	}
+	return 0
+}
+
+func (m *Certificate) GetSerial() string {
+	if m != nil && m.Serial != nil {
+		return *m.Serial
+	}
+	return ""
+}
+
+func (m *Certificate) GetDigest() string {
+	if m != nil && m.Digest != nil {
+		return *m.Digest
+	}
+	return ""
+}
+
+func (m *Certificate) GetDer() []byte {
+	if m != nil {
+		return m.Der
+	}
+	return nil
+}
+
+func (m *Certificate) GetIssued() int64 {
+	if m != nil && m.Issued != nil {
+		return *m.Issued
+	}
+	return 0
+}
+
+func (m *Certificate) GetExpires() int64 {
+	if m != nil && m.Expires != nil {
+		return *m.Expires
+	}
+	return 0
+}
+
+type Empty struct {
+	XXX_unrecognized []byte `json:"-"`
+}
+
+func (m *Empty) Reset()                    { *m = Empty{} }
+func (m *Empty) String() string            { return proto1.CompactTextString(m) }
+func (*Empty) ProtoMessage()               {}
+func (*Empty) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} }
+
 func init() {
 	proto1.RegisterType((*Challenge)(nil), "core.Challenge")
 	proto1.RegisterType((*ValidationRecord)(nil), "core.ValidationRecord")
 	proto1.RegisterType((*ProblemDetails)(nil), "core.ProblemDetails")
+	proto1.RegisterType((*Certificate)(nil), "core.Certificate")
+	proto1.RegisterType((*Empty)(nil), "core.Empty")
 }

 func init() { proto1.RegisterFile("core/proto/core.proto", fileDescriptor0) }

 var fileDescriptor0 = []byte{
-	// 312 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x64, 0x91, 0xcb, 0x6e, 0xf2, 0x30,
-	0x10, 0x85, 0x65, 0x42, 0xe0, 0xcf, 0x84, 0x1f, 0x81, 0x7b, 0x91, 0xbb, 0xb3, 0xe8, 0x26, 0x2b,
-	0x50, 0x79, 0x83, 0x5e, 0x36, 0xdd, 0x55, 0xf4, 0xb2, 0xe8, 0xce, 0xc5, 0xa3, 0xc6, 0xc2, 0xc4,
-	0x91, 0x3d, 0x20, 0xd1, 0x75, 0xdf, 0xac, 0x2f, 0x56, 0xc5, 0x09, 0x95, 0xaa, 0xee, 0x66, 0xce,
-	0xf1, 0x48, 0xe7, 0x7c, 0x86, 0xb3, 0xb5, 0xf3, 0xb8, 0xa8, 0xbd, 0x23, 0xb7, 0x68, 0xc6, 0x79,
-	0x1c, 0x79, 0xbf, 0x99, 0x67, 0x5f, 0x0c, 0xb2, 0xdb, 0x52, 0x59, 0x8b, 0xd5, 0x3b, 0x72, 0x80,
-	0x9e, 0xd1, 0x82, 0x49, 0x56, 0x24, 0x7c, 0x04, 0x7d, 0x3a, 0xd4, 0x28, 0x7a, 0x92, 0x15, 0x19,
-	0x1f, 0xc3, 0x20, 0x90, 0xa2, 0x5d, 0x10, 0x83, 0xb8, 0xe7, 0x90, 0xec, 0xbc, 0x11, 0x59, 0x5c,
-	0xfe, 0x43, 0x4a, 0x6e, 0x83, 0x95, 0x48, 0xe2, 0x2a, 0x60, 0xb2, 0xc1, 0xc3, 0xf5, 0x8e, 0x4a,
-	0xe7, 0xcd, 0x87, 0x22, 0xe3, 0x2a, 0x91, 0x46, 0xe7, 0x0a, 0xa6, 0x7b, 0x65, 0x8d, 0x8e, 0x9a,
-	0xc7, 0xb5, 0xf3, 0x3a, 0x08, 0x90, 0x49, 0x91, 0x2f, 0xcf, 0xe7, 0x31, 0xdb, 0xcb, 0x8f, 0xbd,
-	0x8a, 0x36, 0xbf, 0x84, 0x14, 0xbd, 0x77, 0x5e, 0x0c, 0x25, 0x2b, 0xf2, 0xe5, 0x69, 0xfb, 0xec,
-	0xc1, 0xbb, 0x37, 0x8b, 0xdb, 0x3b, 0x24, 0x65, 0x6c, 0x98, 0x7d, 0x32, 0x98, 0xfc, 0xb9, 0x9c,
-	0xc0, 0xbf, 0xd2, 0x05, 0xaa, 0xd4, 0x16, 0x63, 0xa5, 0xac, 0xa9, 0x54, 0x3b, 0x4f, 0x5d, 0xa5,
-	0x0b, 0x98, 0x2a, 0xad, 0x3d, 0x86, 0x80, 0x61, 0x85, 0xc1, 0xd9, 0x3d, 0x6a, 0x91, 0xc8, 0xa4,
-	0x18, 0xf1, 0x13, 0xc8, 0x3b, 0xeb, 0x39, 0xa0, 0x16, 0x7d, 0xc9, 0x3a, 0xb1, 0xed, 0x44, 0x06,
-	0x83, 0x48, 0x65, 0x72, 0xe4, 0x60, 0x5b, 0x28, 0xb3, 0x7b, 0x18, 0xff, 0x0e, 0xd6, 0xdc, 0xd4,
-	0xad, 0xf2, 0xd4, 0xb0, 0x64, 0x47, 0x96, 0x3a, 0xfa, 0x5d, 0x10, 0x0e, 0x50, 0x12, 0xd5, 0x8f,
-	0x2d, 0xdf, 0x86, 0x61, 0x7a, 0x33, 0x7c, 0x4d, 0xe3, 0x37, 0x7d, 0x07, 0x00, 0x00, 0xff, 0xff,
-	0x1c, 0xa6, 0xad, 0x9d, 0xbe, 0x01, 0x00, 0x00,
+	// 383 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x64, 0x92, 0xcf, 0x6e, 0x13, 0x31,
+	0x10, 0xc6, 0xe5, 0x3a, 0x9b, 0x90, 0xd9, 0x12, 0x52, 0x03, 0x95, 0xb9, 0xad, 0x96, 0xcb, 0x9e,
+	0x5a, 0xd1, 0x37, 0x80, 0x96, 0x43, 0x6f, 0xa8, 0xfc, 0x39, 0x70, 0x33, 0xf1, 0x90, 0x58, 0x75,
+	0xd6, 0xab, 0x99, 0xd9, 0x8a, 0x70, 0xe6, 0xcd, 0x78, 0x31, 0xb4, 0xde, 0x0d, 0x08, 0xf5, 0x36,
+	0x33, 0x9f, 0x47, 0x9a, 0xef, 0xfb, 0x19, 0x5e, 0x6e, 0x12, 0xe1, 0x65, 0x47, 0x49, 0xd2, 0xe5,
+	0x50, 0x5e, 0xe4, 0xd2, 0xcc, 0x86, 0xba, 0xfe, 0xad, 0x60, 0x79, 0xbd, 0x73, 0x31, 0x62, 0xbb,
+	0x45, 0x03, 0x70, 0x12, 0xbc, 0x55, 0x95, 0x6a, 0xb4, 0x39, 0x85, 0x99, 0x1c, 0x3a, 0xb4, 0x27,
+	0x95, 0x6a, 0x96, 0x66, 0x05, 0x73, 0x16, 0x27, 0x3d, 0xdb, 0x79, 0xee, 0x4b, 0xd0, 0x3d, 0x05,
+	0xbb, 0xcc, 0xcd, 0x53, 0x28, 0x24, 0xdd, 0x63, 0x6b, 0x75, 0x6e, 0x2d, 0xac, 0xef, 0xf1, 0xf0,
+	0xb6, 0x97, 0x5d, 0xa2, 0xf0, 0xd3, 0x49, 0x48, 0xad, 0x2d, 0xb2, 0xf2, 0x06, 0xce, 0x1e, 0x5c,
+	0x0c, 0x3e, 0xcf, 0x08, 0x37, 0x89, 0x3c, 0x5b, 0xa8, 0x74, 0x53, 0x5e, 0x9d, 0x5f, 0xe4, 0xdb,
+	0xbe, 0xfc, 0x95, 0xef, 0xb2, 0x6c, 0x5e, 0x43, 0x81, 0x44, 0x89, 0xec, 0xa2, 0x52, 0x4d, 0x79,
+	0xf5, 0x62, 0x7c, 0xf6, 0x81, 0xd2, 0xb7, 0x88, 0xfb, 0x1b, 0x14, 0x17, 0x22, 0xd7, 0xbf, 0x14,
+	0xac, 0x1f, 0x6d, 0xae, 0xe1, 0xc9, 0x2e, 0xb1, 0xb4, 0x6e, 0x8f, 0xd9, 0xd2, 0x72, 0xb0, 0xd4,
+	0x25, 0x92, 0xc9, 0xd2, 0x2b, 0x38, 0x73, 0xde, 0x13, 0x32, 0x23, 0xdf, 0x21, 0xa7, 0xf8, 0x80,
+	0xde, 0xea, 0x4a, 0x37, 0xa7, 0xe6, 0x39, 0x94, 0x93, 0xf4, 0x99, 0xd1, 0xdb, 0x59, 0xa5, 0xa6,
+	0xe1, 0xe8, 0x49, 0x02, 0xb2, 0x2d, 0x2a, 0x7d, 0xcc, 0x21, 0x8e, 0xa1, 0xd4, 0xb7, 0xb0, 0xfa,
+	0xff, 0xb0, 0x61, 0xa7, 0x1b, 0x27, 0x9f, 0x86, 0x2c, 0xd5, 0x31, 0x4b, 0x9f, 0xf5, 0xe9, 0x10,
+	0x03, 0xb0, 0x13, 0xe9, 0x3e, 0x8e, 0xf9, 0x0e, 0x19, 0x16, 0x35, 0x43, 0x79, 0x8d, 0x24, 0xe1,
+	0x7b, 0xd8, 0x38, 0x41, 0x73, 0x0e, 0x2b, 0xc2, 0x6d, 0x60, 0xa1, 0xec, 0xf0, 0xf6, 0x66, 0x82,
+	0x34, 0x60, 0x41, 0x0a, 0x2e, 0xfe, 0xc3, 0xe4, 0xc3, 0x16, 0x59, 0x26, 0x14, 0x25, 0x68, 0x8f,
+	0x34, 0x19, 0x58, 0xc1, 0x3c, 0x30, 0xf7, 0xe8, 0x33, 0x0d, 0x6d, 0x9e, 0xc1, 0x02, 0x7f, 0x74,
+	0x81, 0x70, 0x84, 0xaa, 0xeb, 0x05, 0x14, 0xef, 0xf7, 0x9d, 0x1c, 0xde, 0x2d, 0xbe, 0x16, 0xf9,
+	0x93, 0xfc, 0x09, 0x00, 0x00, 0xff, 0xff, 0xb7, 0xb8, 0x1e, 0x88, 0x3c, 0x02, 0x00, 0x00,
 }
--- a/core/proto/core.proto
+++ b/core/proto/core.proto
@ -30,3 +30,14 @@ message ProblemDetails {
 	optional string detail = 2;
 	optional int32 httpStatus = 3;
 }
+
+message Certificate {
+  optional int64 registrationID = 1;
+  optional string serial = 2;
+  optional string digest = 3;
+  optional bytes der = 4;
+  optional int64 issued = 5;  // Unix timestamp (nanoseconds)
+  optional int64 expires = 6; // Unix timestamp (nanoseconds)
+}
+
+message Empty {}
--- a/grpc/bcodes.go
+++ b/grpc/bcodes.go
@ -4,36 +4,81 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"

-	"github.com/letsencrypt/boulder/probs"
+	"github.com/letsencrypt/boulder/core"
 )

 // gRPC error codes used by Boulder. While the gRPC codes
 // end at 16 we start at 100 to provide a little leeway
 // in case they ever decide to add more
 const (
-	// DNSQueryTimeout is used when DNS queries timeout
-	DNSQueryTimeout codes.Code = 100
-
-	// DNSError is used when DNS queries fail for some reason
-	DNSError codes.Code = 101
+	MalformedRequestError = iota + 100
+	NotSupportedError
+	UnauthorizedError
+	NotFoundError
+	LengthRequiredError
+	SignatureValidationError
+	RateLimitedError
+	BadNonceError
+	NoSuchRegistrationError
+	InternalServerError
 )

-// CodeToProblem takes a gRPC error code and translates it to
-// a Boulder ProblemType
-func CodeToProblem(c codes.Code) probs.ProblemType {
-	switch c {
-	case DNSQueryTimeout, DNSError:
-		return probs.ConnectionProblem
+func errorToCode(err error) codes.Code {
+	switch err.(type) {
+	case core.MalformedRequestError:
+		return MalformedRequestError
+	case core.NotSupportedError:
+		return NotSupportedError
+	case core.UnauthorizedError:
+		return UnauthorizedError
+	case core.NotFoundError:
+		return NotFoundError
+	case core.LengthRequiredError:
+		return LengthRequiredError
+	case core.SignatureValidationError:
+		return SignatureValidationError
+	case core.RateLimitedError:
+		return RateLimitedError
+	case core.BadNonceError:
+		return BadNonceError
+	case core.NoSuchRegistrationError:
+		return NoSuchRegistrationError
+	case core.InternalServerError:
+		return InternalServerError
 	default:
-		return probs.ServerInternalProblem
+		return codes.Unknown
 	}
 }

-// ErrorToProb converts a error returned by a gRPC call to a
-// probs.ProblemDetails
-func ErrorToProb(err error) *probs.ProblemDetails {
-	return &probs.ProblemDetails{
-		Type:   CodeToProblem(grpc.Code(err)),
-		Detail: grpc.ErrorDesc(err),
+func wrapError(err error) error {
+	return grpc.Errorf(errorToCode(err), err.Error())
+}
+
+func unwrapError(err error) error {
+	code := grpc.Code(err)
+	errBody := grpc.ErrorDesc(err)
+	switch code {
+	case InternalServerError:
+		return core.InternalServerError(errBody)
+	case NotSupportedError:
+		return core.NotSupportedError(errBody)
+	case MalformedRequestError:
+		return core.MalformedRequestError(errBody)
+	case UnauthorizedError:
+		return core.UnauthorizedError(errBody)
+	case NotFoundError:
+		return core.NotFoundError(errBody)
+	case SignatureValidationError:
+		return core.SignatureValidationError(errBody)
+	case NoSuchRegistrationError:
+		return core.NoSuchRegistrationError(errBody)
+	case RateLimitedError:
+		return core.RateLimitedError(errBody)
+	case LengthRequiredError:
+		return core.LengthRequiredError(errBody)
+	case BadNonceError:
+		return core.BadNonceError(errBody)
+	default:
+		return err
 	}
 }
--- a/grpc/bcodes_test.go
+++ b/grpc/bcodes_test.go
@ -3,18 +3,33 @@ package grpc
 import (
 	"testing"

+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"

-	"github.com/letsencrypt/boulder/probs"
+	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/test"
 )

-func TestErrorToProb(t *testing.T) {
-	prob := ErrorToProb(CodedError(codes.Aborted, "it's an error!"))
-	test.AssertEquals(t, prob.Detail, "it's an error!")
-	test.AssertEquals(t, prob.Type, probs.ServerInternalProblem)
-	prob = ErrorToProb(CodedError(DNSQueryTimeout, ""))
-	test.AssertEquals(t, prob.Type, probs.ConnectionProblem)
-	prob = ErrorToProb(CodedError(DNSError, ""))
-	test.AssertEquals(t, prob.Type, probs.ConnectionProblem)
+func TestErrors(t *testing.T) {
+	testcases := []struct {
+		err          error
+		expectedCode codes.Code
+	}{
+		{core.MalformedRequestError("test 1"), MalformedRequestError},
+		{core.NotSupportedError("test 2"), NotSupportedError},
+		{core.UnauthorizedError("test 3"), UnauthorizedError},
+		{core.NotFoundError("test 4"), NotFoundError},
+		{core.LengthRequiredError("test 5"), LengthRequiredError},
+		{core.SignatureValidationError("test 6"), SignatureValidationError},
+		{core.RateLimitedError("test 7"), RateLimitedError},
+		{core.BadNonceError("test 8"), BadNonceError},
+		{core.NoSuchRegistrationError("test 9"), NoSuchRegistrationError},
+		{core.InternalServerError("test 10"), InternalServerError},
+	}
+
+	for _, tc := range testcases {
+		wrappedErr := wrapError(tc.err)
+		test.AssertEquals(t, grpc.Code(wrappedErr), tc.expectedCode)
+		test.AssertEquals(t, tc.err, unwrapError(wrappedErr))
+	}
 }
--- a/grpc/pb-marshalling.go
+++ b/grpc/pb-marshalling.go
@ -6,7 +6,9 @@
 package grpc

 import (
+	"encoding/json"
 	"net"
+	"time"

 	"google.golang.org/grpc/codes"
 	"gopkg.in/square/go-jose.v1"
@ -14,6 +16,7 @@ import (
 	"github.com/letsencrypt/boulder/core"
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	"github.com/letsencrypt/boulder/probs"
+	rapb "github.com/letsencrypt/boulder/ra/proto"
 	vapb "github.com/letsencrypt/boulder/va/proto"
 )

@ -85,7 +88,7 @@ func pbToProblemDetails(in *corepb.ProblemDetails) (*probs.ProblemDetails, error
 	return prob, nil
 }

-func vaChallengeToPB(challenge core.Challenge) (*corepb.Challenge, error) {
+func challengeToPB(challenge core.Challenge) (*corepb.Challenge, error) {
 	st := string(challenge.Status)
 	return &corepb.Challenge{
 		Id:               &challenge.ID,
@ -96,7 +99,7 @@ func vaChallengeToPB(challenge core.Challenge) (*corepb.Challenge, error) {
 	}, nil
 }

-func pbToVAChallenge(in *corepb.Challenge) (challenge core.Challenge, err error) {
+func pbToChallenge(in *corepb.Challenge) (challenge core.Challenge, err error) {
 	if in == nil {
 		return core.Challenge{}, ErrMissingParameters
 	}
@ -206,7 +209,7 @@ func performValidationReqToArgs(in *vapb.PerformValidationRequest) (domain strin
 		return
 	}
 	domain = *in.Domain
-	challenge, err = pbToVAChallenge(in.Challenge)
+	challenge, err = pbToChallenge(in.Challenge)
 	if err != nil {
 		return
 	}
@ -219,7 +222,7 @@ func performValidationReqToArgs(in *vapb.PerformValidationRequest) (domain strin
 }

 func argsToPerformValidationRequest(domain string, challenge core.Challenge, authz core.Authorization) (*vapb.PerformValidationRequest, error) {
-	pbChall, err := vaChallengeToPB(challenge)
+	pbChall, err := challengeToPB(challenge)
 	if err != nil {
 		return nil, err
 	}
@ -234,3 +237,133 @@ func argsToPerformValidationRequest(domain string, challenge core.Challenge, aut
 	}, nil

 }
+
+func registrationToPB(reg core.Registration) (*rapb.Registration, error) {
+	keyBytes, err := reg.Key.MarshalJSON()
+	if err != nil {
+		return nil, err
+	}
+	ipBytes, err := reg.InitialIP.MarshalText()
+	if err != nil {
+		return nil, err
+	}
+	createdAt := reg.CreatedAt.UnixNano()
+	status := string(reg.Status)
+	var contacts []string
+	// Since the default value of rapb.Registration.Contact is a slice
+	// we need a indicator as to if the value is actually important on
+	// the other side (pb -> reg).
+	contactsPresent := reg.Contact != nil
+	if reg.Contact != nil {
+		contacts = *reg.Contact
+	}
+	return &rapb.Registration{
+		Id:              &reg.ID,
+		Key:             keyBytes,
+		Contact:         contacts,
+		ContactsPresent: &contactsPresent,
+		Agreement:       &reg.Agreement,
+		InitialIP:       ipBytes,
+		CreatedAt:       &createdAt,
+		Status:          &status,
+	}, nil
+}
+
+func pbToRegistration(pb *rapb.Registration) (core.Registration, error) {
+	var key jose.JsonWebKey
+	err := key.UnmarshalJSON(pb.Key)
+	if err != nil {
+		return core.Registration{}, err
+	}
+	var initialIP net.IP
+	err = initialIP.UnmarshalText(pb.InitialIP)
+	if err != nil {
+		return core.Registration{}, err
+	}
+	var contacts *[]string
+	if *pb.ContactsPresent {
+		if len(pb.Contact) != 0 {
+			contacts = &pb.Contact
+		} else {
+			// When gRPC creates an empty slice it is actually a nil slice. Since
+			// certain things boulder uses, like encoding/json, differentiate between
+			// these we need to de-nil these slices. Without this we are unable to
+			// properly do registration updates as contacts would always be removed
+			// as we use the difference between a nil and empty slice in ra.mergeUpdate.
+			empty := []string{}
+			contacts = &empty
+		}
+	}
+	return core.Registration{
+		ID:        *pb.Id,
+		Key:       &key,
+		Contact:   contacts,
+		Agreement: *pb.Agreement,
+		InitialIP: initialIP,
+		CreatedAt: time.Unix(0, *pb.CreatedAt),
+		Status:    core.AcmeStatus(*pb.Status),
+	}, nil
+}
+
+func authzToPB(authz core.Authorization) (*rapb.Authorization, error) {
+	challs := make([]*corepb.Challenge, len(authz.Challenges))
+	for i, c := range authz.Challenges {
+		pbChall, err := challengeToPB(c)
+		if err != nil {
+			return nil, err
+		}
+		challs[i] = pbChall
+	}
+	comboBytes, err := json.Marshal(authz.Combinations)
+	if err != nil {
+		return nil, err
+	}
+	status := string(authz.Status)
+	var expires int64
+	if authz.Expires != nil {
+		expires = authz.Expires.UnixNano()
+	}
+	return &rapb.Authorization{
+		Id:             &authz.ID,
+		Identifier:     &authz.Identifier.Value,
+		RegistrationID: &authz.RegistrationID,
+		Status:         &status,
+		Expires:        &expires,
+		Challenges:     challs,
+		Combinations:   comboBytes,
+	}, nil
+}
+
+func pbToAuthz(pb *rapb.Authorization) (core.Authorization, error) {
+	challs := make([]core.Challenge, len(pb.Challenges))
+	for i, c := range pb.Challenges {
+		chall, err := pbToChallenge(c)
+		if err != nil {
+			return core.Authorization{}, err
+		}
+		challs[i] = chall
+	}
+	var combos [][]int
+	err := json.Unmarshal(pb.Combinations, &combos)
+	if err != nil {
+		return core.Authorization{}, err
+	}
+	expires := time.Unix(0, *pb.Expires)
+	return core.Authorization{
+		ID:             *pb.Id,
+		Identifier:     core.AcmeIdentifier{Type: core.IdentifierDNS, Value: *pb.Identifier},
+		RegistrationID: *pb.RegistrationID,
+		Status:         core.AcmeStatus(*pb.Status),
+		Expires:        &expires,
+		Challenges:     challs,
+		Combinations:   combos,
+	}, nil
+}
+
+func registrationValid(reg *rapb.Registration) bool {
+	return !(reg.Id == nil || reg.Key == nil || reg.Agreement == nil || reg.InitialIP == nil || reg.CreatedAt == nil || reg.Status == nil || reg.ContactsPresent == nil)
+}
+
+func authorizationValid(authz *rapb.Authorization) bool {
+	return !(authz.Id == nil || authz.Identifier == nil || authz.RegistrationID == nil || authz.Status == nil || authz.Expires == nil)
+}
--- a/grpc/pb-marshalling_test.go
+++ b/grpc/pb-marshalling_test.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"net"
 	"testing"
+	"time"

 	"gopkg.in/square/go-jose.v1"

@ -93,7 +94,7 @@ func TestProblemDetails(t *testing.T) {
 	test.AssertEquals(t, err, ErrMissingParameters)
 }

-func TestVAChallenge(t *testing.T) {
+func TestChallenge(t *testing.T) {
 	var jwk jose.JsonWebKey
 	err := json.Unmarshal([]byte(JWK1JSON), &jwk)
 	test.AssertNotError(t, err, "Failed to unmarshal test key")
@ -105,19 +106,19 @@ func TestVAChallenge(t *testing.T) {
 		ProvidedKeyAuthorization: "keyauth",
 	}

-	pb, err := vaChallengeToPB(chall)
-	test.AssertNotError(t, err, "vaChallengeToPB failed")
+	pb, err := challengeToPB(chall)
+	test.AssertNotError(t, err, "challengeToPB failed")
 	test.Assert(t, pb != nil, "Returned corepb.Challenge is nil")

-	recon, err := pbToVAChallenge(pb)
-	test.AssertNotError(t, err, "pbToVAChallenge failed")
+	recon, err := pbToChallenge(pb)
+	test.AssertNotError(t, err, "pbToChallenge failed")
 	test.AssertDeepEquals(t, recon, chall)

-	_, err = pbToVAChallenge(nil)
-	test.AssertError(t, err, "pbToVAChallenge did not fail")
+	_, err = pbToChallenge(nil)
+	test.AssertError(t, err, "pbToChallenge did not fail")
 	test.AssertEquals(t, err, ErrMissingParameters)
-	_, err = pbToVAChallenge(&corepb.Challenge{})
-	test.AssertError(t, err, "pbToVAChallenge did not fail")
+	_, err = pbToChallenge(&corepb.Challenge{})
+	test.AssertError(t, err, "pbToChallenge did not fail")
 	test.AssertEquals(t, err, ErrMissingParameters)
 }

@ -196,3 +197,82 @@ func TestPerformValidationReq(t *testing.T) {
 	test.AssertDeepEquals(t, reconChall, chall)
 	test.AssertDeepEquals(t, reconAuthz, authz)
 }
+
+func TestRegistration(t *testing.T) {
+	contacts := []string{"email"}
+	var key jose.JsonWebKey
+	err := json.Unmarshal([]byte(`
+		{
+			"e": "AQAB",
+			"kty": "RSA",
+			"n": "tSwgy3ORGvc7YJI9B2qqkelZRUC6F1S5NwXFvM4w5-M0TsxbFsH5UH6adigV0jzsDJ5imAechcSoOhAh9POceCbPN1sTNwLpNbOLiQQ7RD5mY_pSUHWXNmS9R4NZ3t2fQAzPeW7jOfF0LKuJRGkekx6tXP1uSnNibgpJULNc4208dgBaCHo3mvaE2HV2GmVl1yxwWX5QZZkGQGjNDZYnjFfa2DKVvFs0QbAk21ROm594kAxlRlMMrvqlf24Eq4ERO0ptzpZgm_3j_e4hGRD39gJS7kAzK-j2cacFQ5Qi2Y6wZI2p-FCq_wiYsfEAIkATPBiLKl_6d_Jfcvs_impcXQ"
+		}
+	`), &key)
+	test.AssertNotError(t, err, "Could not unmarshal testing key")
+	inReg := core.Registration{
+		ID:        1,
+		Key:       &key,
+		Contact:   &contacts,
+		Agreement: "yup",
+		InitialIP: net.ParseIP("1.1.1.1"),
+		CreatedAt: time.Now(),
+		Status:    core.StatusValid,
+	}
+	pbReg, err := registrationToPB(inReg)
+	test.AssertNotError(t, err, "registrationToPB failed")
+	outReg, err := pbToRegistration(pbReg)
+	test.AssertNotError(t, err, "pbToRegistration failed")
+	test.AssertDeepEquals(t, inReg, outReg)
+
+	inReg.Contact = nil
+	pbReg, err = registrationToPB(inReg)
+	test.AssertNotError(t, err, "registrationToPB failed")
+	pbReg.Contact = []string{}
+	outReg, err = pbToRegistration(pbReg)
+	test.AssertNotError(t, err, "pbToRegistration failed")
+	test.AssertDeepEquals(t, inReg, outReg)
+
+	var empty []string
+	inReg.Contact = &empty
+	pbReg, err = registrationToPB(inReg)
+	test.AssertNotError(t, err, "registrationToPB failed")
+	outReg, err = pbToRegistration(pbReg)
+	test.AssertNotError(t, err, "pbToRegistration failed")
+	test.Assert(t, *outReg.Contact != nil, "Empty slice was converted to a nil slice")
+}
+
+func TestAuthz(t *testing.T) {
+	exp := time.Now().AddDate(0, 0, 1)
+	identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "example.com"}
+	combos := make([][]int, 1)
+	combos[0] = []int{0, 1}
+	challA := core.Challenge{
+		ID:     10,
+		Type:   core.ChallengeTypeDNS01,
+		Status: core.StatusPending,
+		Token:  "asd",
+		ProvidedKeyAuthorization: "keyauth",
+	}
+	challB := core.Challenge{
+		ID:     11,
+		Type:   core.ChallengeTypeDNS01,
+		Status: core.StatusPending,
+		Token:  "asd2",
+		ProvidedKeyAuthorization: "keyauth4",
+	}
+	inAuthz := core.Authorization{
+		ID:             "1",
+		Identifier:     identifier,
+		RegistrationID: 5,
+		Status:         core.StatusPending,
+		Expires:        &exp,
+		Challenges:     []core.Challenge{challA, challB},
+		Combinations:   combos,
+	}
+
+	pbAuthz, err := authzToPB(inAuthz)
+	test.AssertNotError(t, err, "authzToPB failed")
+	outAuthz, err := pbToAuthz(pbAuthz)
+	test.AssertNotError(t, err, "pbToAuthz failed")
+	test.AssertDeepEquals(t, inAuthz, outAuthz)
+}
--- a/grpc/wrappers.go
+++ b/grpc/wrappers.go
@ -16,9 +16,11 @@ import (

 	caPB "github.com/letsencrypt/boulder/ca/proto"
 	"github.com/letsencrypt/boulder/core"
+	corepb "github.com/letsencrypt/boulder/core/proto"
 	"github.com/letsencrypt/boulder/probs"
 	"github.com/letsencrypt/boulder/publisher"
 	pubPB "github.com/letsencrypt/boulder/publisher/proto"
+	rapb "github.com/letsencrypt/boulder/ra/proto"
 	"github.com/letsencrypt/boulder/revocation"
 	vaPB "github.com/letsencrypt/boulder/va/proto"
 )
@ -27,6 +29,9 @@ type ValidationAuthorityGRPCServer struct {
 	impl core.ValidationAuthority
 }

+var errIncompleteRequest = errors.New("Incomplete gRPC request message")
+var errIncompleteResponse = errors.New("Incomplete gRPC response message")
+
 func (s *ValidationAuthorityGRPCServer) PerformValidation(ctx context.Context, in *vaPB.PerformValidationRequest) (*vaPB.ValidationResult, error) {
 	domain, challenge, authz, err := performValidationReqToArgs(in)
 	if err != nil {
@ -185,7 +190,7 @@ func NewCertificateAuthorityServer(inner core.CertificateAuthority) *Certificate
 	return &CertificateAuthorityServerWrapper{inner}
 }

-func (cas *CertificateAuthorityServerWrapper) IssueCertificate(ctx context.Context, request *caPB.IssueCertificateRequest) (*caPB.Certificate, error) {
+func (cas *CertificateAuthorityServerWrapper) IssueCertificate(ctx context.Context, request *caPB.IssueCertificateRequest) (*corepb.Certificate, error) {
 	csr, err := x509.ParseCertificateRequest(request.Csr)
 	if err != nil {
 		return nil, err
@ -195,7 +200,7 @@ func (cas *CertificateAuthorityServerWrapper) IssueCertificate(ctx context.Conte
 		return nil, err
 	}
 	issued, expires := res.Issued.UnixNano(), res.Expires.UnixNano()
-	return &caPB.Certificate{
+	return &corepb.Certificate{
 		RegistrationID: &res.RegistrationID,
 		Serial:         &res.Serial,
 		Digest:         &res.Digest,
@ -217,3 +222,364 @@ func (cas *CertificateAuthorityServerWrapper) GenerateOCSP(ctx context.Context,
 	}
 	return &caPB.OCSPResponse{Response: res}, nil
 }
+
+// RegistrationAuthorityClientWrapper is the gRPC version of a core.RegistrationAuthority client
+type RegistrationAuthorityClientWrapper struct {
+	inner   rapb.RegistrationAuthorityClient
+	timeout time.Duration
+}
+
+func NewRegistrationAuthorityClient(inner rapb.RegistrationAuthorityClient, timeout time.Duration) *RegistrationAuthorityClientWrapper {
+	return &RegistrationAuthorityClientWrapper{inner, timeout}
+}
+
+func (rac RegistrationAuthorityClientWrapper) NewRegistration(ctx context.Context, reg core.Registration) (core.Registration, error) {
+	localCtx, cancel := context.WithTimeout(ctx, rac.timeout)
+	defer cancel()
+
+	req, err := registrationToPB(reg)
+	if err != nil {
+		return core.Registration{}, err
+	}
+
+	response, err := rac.inner.NewRegistration(localCtx, req)
+	if err != nil {
+		return core.Registration{}, unwrapError(err)
+	}
+
+	if response == nil || !registrationValid(response) {
+		return core.Registration{}, errIncompleteResponse
+	}
+
+	r, err := pbToRegistration(response)
+	return r, err
+}
+
+func (rac RegistrationAuthorityClientWrapper) NewAuthorization(ctx context.Context, authz core.Authorization, regID int64) (core.Authorization, error) {
+	localCtx, cancel := context.WithTimeout(ctx, rac.timeout)
+	defer cancel()
+
+	req, err := authzToPB(authz)
+	if err != nil {
+		return core.Authorization{}, err
+	}
+
+	response, err := rac.inner.NewAuthorization(localCtx, &rapb.NewAuthorizationRequest{Authz: req, RegID: &regID})
+	if err != nil {
+		return core.Authorization{}, unwrapError(err)
+	}
+
+	if response == nil || !authorizationValid(response) {
+		return core.Authorization{}, errIncompleteResponse
+	}
+
+	return pbToAuthz(response)
+}
+
+func (rac RegistrationAuthorityClientWrapper) NewCertificate(ctx context.Context, csr core.CertificateRequest, regID int64) (core.Certificate, error) {
+	localCtx, cancel := context.WithTimeout(ctx, rac.timeout)
+	defer cancel()
+
+	response, err := rac.inner.NewCertificate(localCtx, &rapb.NewCertificateRequest{Csr: csr.Bytes, RegID: &regID})
+	if err != nil {
+		return core.Certificate{}, unwrapError(err)
+	}
+
+	if response == nil || response.RegistrationID == nil || response.Serial == nil || response.Digest == nil || response.Der == nil || response.Issued == nil || response.Expires == nil {
+		return core.Certificate{}, errIncompleteResponse
+	}
+
+	return core.Certificate{
+		RegistrationID: *response.RegistrationID,
+		Serial:         *response.Serial,
+		Digest:         *response.Digest,
+		DER:            response.Der,
+		Issued:         time.Unix(0, *response.Issued),
+		Expires:        time.Unix(0, *response.Expires),
+	}, nil
+}
+
+func (rac RegistrationAuthorityClientWrapper) UpdateRegistration(ctx context.Context, base, updates core.Registration) (core.Registration, error) {
+	localCtx, cancel := context.WithTimeout(ctx, rac.timeout)
+	defer cancel()
+
+	basePB, err := registrationToPB(base)
+	if err != nil {
+		return core.Registration{}, err
+	}
+	updatePB, err := registrationToPB(updates)
+	if err != nil {
+		return core.Registration{}, err
+	}
+
+	response, err := rac.inner.UpdateRegistration(localCtx, &rapb.UpdateRegistrationRequest{Base: basePB, Update: updatePB})
+	if err != nil {
+		return core.Registration{}, unwrapError(err)
+	}
+
+	if response == nil || !registrationValid(response) {
+		return core.Registration{}, errIncompleteResponse
+	}
+
+	return pbToRegistration(response)
+}
+
+func (rac RegistrationAuthorityClientWrapper) UpdateAuthorization(ctx context.Context, authz core.Authorization, challengeIndex int, chall core.Challenge) (core.Authorization, error) {
+	localCtx, cancel := context.WithTimeout(ctx, rac.timeout)
+	defer cancel()
+
+	authzPB, err := authzToPB(authz)
+	if err != nil {
+		return core.Authorization{}, err
+	}
+	challPB, err := challengeToPB(chall)
+	if err != nil {
+		return core.Authorization{}, err
+	}
+
+	ind := int64(challengeIndex)
+
+	response, err := rac.inner.UpdateAuthorization(localCtx, &rapb.UpdateAuthorizationRequest{
+		Authz:          authzPB,
+		ChallengeIndex: &ind,
+		Response:       challPB,
+	})
+	if err != nil {
+		return core.Authorization{}, unwrapError(err)
+	}
+
+	if response == nil || !authorizationValid(response) {
+		return core.Authorization{}, errIncompleteResponse
+	}
+
+	return pbToAuthz(response)
+}
+
+func (rac RegistrationAuthorityClientWrapper) RevokeCertificateWithReg(ctx context.Context, cert x509.Certificate, code revocation.Reason, regID int64) error {
+	localCtx, cancel := context.WithTimeout(ctx, rac.timeout)
+	defer cancel()
+
+	reason := int64(code)
+	_, err := rac.inner.RevokeCertificateWithReg(localCtx, &rapb.RevokeCertificateWithRegRequest{
+		Cert:  cert.Raw,
+		Code:  &reason,
+		RegID: &regID,
+	})
+	if err != nil {
+		return unwrapError(err)
+	}
+
+	return nil
+}
+
+func (rac RegistrationAuthorityClientWrapper) DeactivateRegistration(ctx context.Context, reg core.Registration) error {
+	localCtx, cancel := context.WithTimeout(ctx, rac.timeout)
+	defer cancel()
+
+	regPB, err := registrationToPB(reg)
+	if err != nil {
+		return err
+	}
+
+	_, err = rac.inner.DeactivateRegistration(localCtx, regPB)
+	if err != nil {
+		return unwrapError(err)
+	}
+
+	return nil
+}
+
+func (rac RegistrationAuthorityClientWrapper) DeactivateAuthorization(ctx context.Context, auth core.Authorization) error {
+	localCtx, cancel := context.WithTimeout(ctx, rac.timeout)
+	defer cancel()
+
+	authzPB, err := authzToPB(auth)
+	if err != nil {
+		return err
+	}
+
+	_, err = rac.inner.DeactivateAuthorization(localCtx, authzPB)
+	if err != nil {
+		return unwrapError(err)
+	}
+
+	return nil
+}
+
+func (rac RegistrationAuthorityClientWrapper) AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, code revocation.Reason, adminName string) error {
+	localCtx, cancel := context.WithTimeout(ctx, rac.timeout)
+	defer cancel()
+
+	reason := int64(code)
+	_, err := rac.inner.AdministrativelyRevokeCertificate(localCtx, &rapb.AdministrativelyRevokeCertificateRequest{
+		Cert:      cert.Raw,
+		Code:      &reason,
+		AdminName: &adminName,
+	})
+	if err != nil {
+		return unwrapError(err)
+	}
+
+	return nil
+}
+
+// RegistrationAuthorityServerWrapper is the gRPC version of a core.RegistrationAuthority server
+type RegistrationAuthorityServerWrapper struct {
+	inner core.RegistrationAuthority
+}
+
+func NewRegistrationAuthorityServer(inner core.RegistrationAuthority) *RegistrationAuthorityServerWrapper {
+	return &RegistrationAuthorityServerWrapper{inner}
+}
+
+func (ras *RegistrationAuthorityServerWrapper) NewRegistration(ctx context.Context, request *rapb.Registration) (*rapb.Registration, error) {
+	if request == nil || !registrationValid(request) {
+		return nil, errIncompleteRequest
+	}
+	reg, err := pbToRegistration(request)
+	if err != nil {
+		return nil, err
+	}
+	newReg, err := ras.inner.NewRegistration(ctx, reg)
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	return registrationToPB(newReg)
+}
+
+func (ras *RegistrationAuthorityServerWrapper) NewAuthorization(ctx context.Context, request *rapb.NewAuthorizationRequest) (*rapb.Authorization, error) {
+	if request == nil || !authorizationValid(request.Authz) || request.RegID == nil {
+		return nil, errIncompleteRequest
+	}
+	authz, err := pbToAuthz(request.Authz)
+	if err != nil {
+		return nil, err
+	}
+	newAuthz, err := ras.inner.NewAuthorization(ctx, authz, *request.RegID)
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	return authzToPB(newAuthz)
+}
+
+func (ras *RegistrationAuthorityServerWrapper) NewCertificate(ctx context.Context, request *rapb.NewCertificateRequest) (*corepb.Certificate, error) {
+	if request == nil || request.Csr == nil || request.RegID == nil {
+		return nil, errIncompleteRequest
+	}
+	csr, err := x509.ParseCertificateRequest(request.Csr)
+	if err != nil {
+		return nil, err
+	}
+	cert, err := ras.inner.NewCertificate(ctx, core.CertificateRequest{CSR: csr, Bytes: request.Csr}, *request.RegID)
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	issued := cert.Issued.UnixNano()
+	expires := cert.Expires.UnixNano()
+	return &corepb.Certificate{
+		RegistrationID: &cert.RegistrationID,
+		Serial:         &cert.Serial,
+		Digest:         &cert.Digest,
+		Der:            cert.DER,
+		Issued:         &issued,
+		Expires:        &expires,
+	}, nil
+}
+
+func (ras *RegistrationAuthorityServerWrapper) UpdateRegistration(ctx context.Context, request *rapb.UpdateRegistrationRequest) (*rapb.Registration, error) {
+	if request == nil || !registrationValid(request.Base) || !registrationValid(request.Update) {
+		return nil, errIncompleteRequest
+	}
+	base, err := pbToRegistration(request.Base)
+	if err != nil {
+		return nil, err
+	}
+	update, err := pbToRegistration(request.Update)
+	if err != nil {
+		return nil, err
+	}
+	newReg, err := ras.inner.UpdateRegistration(ctx, base, update)
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	return registrationToPB(newReg)
+}
+
+func (ras *RegistrationAuthorityServerWrapper) UpdateAuthorization(ctx context.Context, request *rapb.UpdateAuthorizationRequest) (*rapb.Authorization, error) {
+	if request == nil || !authorizationValid(request.Authz) || request.ChallengeIndex == nil || request.Response == nil {
+		return nil, errIncompleteRequest
+	}
+	authz, err := pbToAuthz(request.Authz)
+	if err != nil {
+		return nil, err
+	}
+	chall, err := pbToChallenge(request.Response)
+	if err != nil {
+		return nil, err
+	}
+	newAuthz, err := ras.inner.UpdateAuthorization(ctx, authz, int(*request.ChallengeIndex), chall)
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	return authzToPB(newAuthz)
+}
+
+func (ras *RegistrationAuthorityServerWrapper) RevokeCertificateWithReg(ctx context.Context, request *rapb.RevokeCertificateWithRegRequest) (*corepb.Empty, error) {
+	if request == nil || request.Cert == nil || request.Code == nil || request.RegID == nil {
+		return nil, errIncompleteRequest
+	}
+	cert, err := x509.ParseCertificate(request.Cert)
+	if err != nil {
+		return nil, err
+	}
+	err = ras.inner.RevokeCertificateWithReg(ctx, *cert, revocation.Reason(*request.Code), *request.RegID)
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	return &corepb.Empty{}, nil
+}
+
+func (ras *RegistrationAuthorityServerWrapper) DeactivateRegistration(ctx context.Context, request *rapb.Registration) (*corepb.Empty, error) {
+	if request == nil || !registrationValid(request) {
+		return nil, errIncompleteRequest
+	}
+	reg, err := pbToRegistration(request)
+	if err != nil {
+		return nil, err
+	}
+	err = ras.inner.DeactivateRegistration(ctx, reg)
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	return &corepb.Empty{}, nil
+}
+
+func (ras *RegistrationAuthorityServerWrapper) DeactivateAuthorization(ctx context.Context, request *rapb.Authorization) (*corepb.Empty, error) {
+	if request == nil || !authorizationValid(request) {
+		return nil, errIncompleteRequest
+	}
+	authz, err := pbToAuthz(request)
+	if err != nil {
+		return nil, err
+	}
+	err = ras.inner.DeactivateAuthorization(ctx, authz)
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	return &corepb.Empty{}, nil
+}
+
+func (ras *RegistrationAuthorityServerWrapper) AdministrativelyRevokeCertificate(ctx context.Context, request *rapb.AdministrativelyRevokeCertificateRequest) (*corepb.Empty, error) {
+	if request == nil || request.Cert == nil || request.Code == nil || request.AdminName == nil {
+		return nil, errIncompleteRequest
+	}
+	cert, err := x509.ParseCertificate(request.Cert)
+	if err != nil {
+		return nil, err
+	}
+	err = ras.inner.AdministrativelyRevokeCertificate(ctx, *cert, revocation.Reason(*request.Code), *request.AdminName)
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	return &corepb.Empty{}, nil
+}
--- a/ra/proto/generate.go
+++ b/ra/proto/generate.go
@ -0,0 +1,3 @@
+package proto
+
+//go:generate sh -c "cd ../.. && protoc --go_out=plugins=grpc,Mcore/proto/core.proto=github.com/letsencrypt/boulder/core/proto:. ra/proto/ra.proto"
--- a/ra/proto/ra.pb.go
+++ b/ra/proto/ra.pb.go
@ -0,0 +1,751 @@
+// Code generated by protoc-gen-go.
+// source: ra/proto/ra.proto
+// DO NOT EDIT!
+
+/*
+Package proto is a generated protocol buffer package.
+
+It is generated from these files:
+	ra/proto/ra.proto
+
+It has these top-level messages:
+	Registration
+	Authorization
+	NewAuthorizationRequest
+	NewCertificateRequest
+	UpdateRegistrationRequest
+	UpdateAuthorizationRequest
+	RevokeCertificateWithRegRequest
+	AdministrativelyRevokeCertificateRequest
+*/
+package proto
+
+import proto1 "github.com/golang/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import core "github.com/letsencrypt/boulder/core/proto"
+
+import (
+	context "golang.org/x/net/context"
+	grpc "google.golang.org/grpc"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto1.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto1.ProtoPackageIsVersion2 // please upgrade the proto package
+
+type Registration struct {
+	Id               *int64   `protobuf:"varint,1,opt,name=id" json:"id,omitempty"`
+	Key              []byte   `protobuf:"bytes,2,opt,name=key" json:"key,omitempty"`
+	Contact          []string `protobuf:"bytes,3,rep,name=contact" json:"contact,omitempty"`
+	ContactsPresent  *bool    `protobuf:"varint,4,opt,name=contactsPresent" json:"contactsPresent,omitempty"`
+	Agreement        *string  `protobuf:"bytes,5,opt,name=agreement" json:"agreement,omitempty"`
+	InitialIP        []byte   `protobuf:"bytes,6,opt,name=initialIP" json:"initialIP,omitempty"`
+	CreatedAt        *int64   `protobuf:"varint,7,opt,name=createdAt" json:"createdAt,omitempty"`
+	Status           *string  `protobuf:"bytes,8,opt,name=status" json:"status,omitempty"`
+	XXX_unrecognized []byte   `json:"-"`
+}
+
+func (m *Registration) Reset()                    { *m = Registration{} }
+func (m *Registration) String() string            { return proto1.CompactTextString(m) }
+func (*Registration) ProtoMessage()               {}
+func (*Registration) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} }
+
+func (m *Registration) GetId() int64 {
+	if m != nil && m.Id != nil {
+		return *m.Id
+	}
+	return 0
+}
+
+func (m *Registration) GetKey() []byte {
+	if m != nil {
+		return m.Key
+	}
+	return nil
+}
+
+func (m *Registration) GetContact() []string {
+	if m != nil {
+		return m.Contact
+	}
+	return nil
+}
+
+func (m *Registration) GetContactsPresent() bool {
+	if m != nil && m.ContactsPresent != nil {
+		return *m.ContactsPresent
+	}
+	return false
+}
+
+func (m *Registration) GetAgreement() string {
+	if m != nil && m.Agreement != nil {
+		return *m.Agreement
+	}
+	return ""
+}
+
+func (m *Registration) GetInitialIP() []byte {
+	if m != nil {
+		return m.InitialIP
+	}
+	return nil
+}
+
+func (m *Registration) GetCreatedAt() int64 {
+	if m != nil && m.CreatedAt != nil {
+		return *m.CreatedAt
+	}
+	return 0
+}
+
+func (m *Registration) GetStatus() string {
+	if m != nil && m.Status != nil {
+		return *m.Status
+	}
+	return ""
+}
+
+type Authorization struct {
+	Id               *string           `protobuf:"bytes,1,opt,name=id" json:"id,omitempty"`
+	Identifier       *string           `protobuf:"bytes,2,opt,name=identifier" json:"identifier,omitempty"`
+	RegistrationID   *int64            `protobuf:"varint,3,opt,name=registrationID" json:"registrationID,omitempty"`
+	Status           *string           `protobuf:"bytes,4,opt,name=status" json:"status,omitempty"`
+	Expires          *int64            `protobuf:"varint,5,opt,name=expires" json:"expires,omitempty"`
+	Challenges       []*core.Challenge `protobuf:"bytes,6,rep,name=challenges" json:"challenges,omitempty"`
+	Combinations     []byte            `protobuf:"bytes,7,opt,name=combinations" json:"combinations,omitempty"`
+	XXX_unrecognized []byte            `json:"-"`
+}
+
+func (m *Authorization) Reset()                    { *m = Authorization{} }
+func (m *Authorization) String() string            { return proto1.CompactTextString(m) }
+func (*Authorization) ProtoMessage()               {}
+func (*Authorization) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} }
+
+func (m *Authorization) GetId() string {
+	if m != nil && m.Id != nil {
+		return *m.Id
+	}
+	return ""
+}
+
+func (m *Authorization) GetIdentifier() string {
+	if m != nil && m.Identifier != nil {
+		return *m.Identifier
+	}
+	return ""
+}
+
+func (m *Authorization) GetRegistrationID() int64 {
+	if m != nil && m.RegistrationID != nil {
+		return *m.RegistrationID
+	}
+	return 0
+}
+
+func (m *Authorization) GetStatus() string {
+	if m != nil && m.Status != nil {
+		return *m.Status
+	}
+	return ""
+}
+
+func (m *Authorization) GetExpires() int64 {
+	if m != nil && m.Expires != nil {
+		return *m.Expires
+	}
+	return 0
+}
+
+func (m *Authorization) GetChallenges() []*core.Challenge {
+	if m != nil {
+		return m.Challenges
+	}
+	return nil
+}
+
+func (m *Authorization) GetCombinations() []byte {
+	if m != nil {
+		return m.Combinations
+	}
+	return nil
+}
+
+type NewAuthorizationRequest struct {
+	Authz            *Authorization `protobuf:"bytes,1,opt,name=authz" json:"authz,omitempty"`
+	RegID            *int64         `protobuf:"varint,2,opt,name=regID" json:"regID,omitempty"`
+	XXX_unrecognized []byte         `json:"-"`
+}
+
+func (m *NewAuthorizationRequest) Reset()                    { *m = NewAuthorizationRequest{} }
+func (m *NewAuthorizationRequest) String() string            { return proto1.CompactTextString(m) }
+func (*NewAuthorizationRequest) ProtoMessage()               {}
+func (*NewAuthorizationRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} }
+
+func (m *NewAuthorizationRequest) GetAuthz() *Authorization {
+	if m != nil {
+		return m.Authz
+	}
+	return nil
+}
+
+func (m *NewAuthorizationRequest) GetRegID() int64 {
+	if m != nil && m.RegID != nil {
+		return *m.RegID
+	}
+	return 0
+}
+
+type NewCertificateRequest struct {
+	Csr              []byte `protobuf:"bytes,1,opt,name=csr" json:"csr,omitempty"`
+	RegID            *int64 `protobuf:"varint,2,opt,name=regID" json:"regID,omitempty"`
+	XXX_unrecognized []byte `json:"-"`
+}
+
+func (m *NewCertificateRequest) Reset()                    { *m = NewCertificateRequest{} }
+func (m *NewCertificateRequest) String() string            { return proto1.CompactTextString(m) }
+func (*NewCertificateRequest) ProtoMessage()               {}
+func (*NewCertificateRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} }
+
+func (m *NewCertificateRequest) GetCsr() []byte {
+	if m != nil {
+		return m.Csr
+	}
+	return nil
+}
+
+func (m *NewCertificateRequest) GetRegID() int64 {
+	if m != nil && m.RegID != nil {
+		return *m.RegID
+	}
+	return 0
+}
+
+type UpdateRegistrationRequest struct {
+	Base             *Registration `protobuf:"bytes,1,opt,name=base" json:"base,omitempty"`
+	Update           *Registration `protobuf:"bytes,2,opt,name=update" json:"update,omitempty"`
+	XXX_unrecognized []byte        `json:"-"`
+}
+
+func (m *UpdateRegistrationRequest) Reset()                    { *m = UpdateRegistrationRequest{} }
+func (m *UpdateRegistrationRequest) String() string            { return proto1.CompactTextString(m) }
+func (*UpdateRegistrationRequest) ProtoMessage()               {}
+func (*UpdateRegistrationRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} }
+
+func (m *UpdateRegistrationRequest) GetBase() *Registration {
+	if m != nil {
+		return m.Base
+	}
+	return nil
+}
+
+func (m *UpdateRegistrationRequest) GetUpdate() *Registration {
+	if m != nil {
+		return m.Update
+	}
+	return nil
+}
+
+type UpdateAuthorizationRequest struct {
+	Authz            *Authorization  `protobuf:"bytes,1,opt,name=authz" json:"authz,omitempty"`
+	ChallengeIndex   *int64          `protobuf:"varint,2,opt,name=challengeIndex" json:"challengeIndex,omitempty"`
+	Response         *core.Challenge `protobuf:"bytes,3,opt,name=response" json:"response,omitempty"`
+	XXX_unrecognized []byte          `json:"-"`
+}
+
+func (m *UpdateAuthorizationRequest) Reset()                    { *m = UpdateAuthorizationRequest{} }
+func (m *UpdateAuthorizationRequest) String() string            { return proto1.CompactTextString(m) }
+func (*UpdateAuthorizationRequest) ProtoMessage()               {}
+func (*UpdateAuthorizationRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{5} }
+
+func (m *UpdateAuthorizationRequest) GetAuthz() *Authorization {
+	if m != nil {
+		return m.Authz
+	}
+	return nil
+}
+
+func (m *UpdateAuthorizationRequest) GetChallengeIndex() int64 {
+	if m != nil && m.ChallengeIndex != nil {
+		return *m.ChallengeIndex
+	}
+	return 0
+}
+
+func (m *UpdateAuthorizationRequest) GetResponse() *core.Challenge {
+	if m != nil {
+		return m.Response
+	}
+	return nil
+}
+
+type RevokeCertificateWithRegRequest struct {
+	Cert             []byte `protobuf:"bytes,1,opt,name=cert" json:"cert,omitempty"`
+	Code             *int64 `protobuf:"varint,2,opt,name=code" json:"code,omitempty"`
+	RegID            *int64 `protobuf:"varint,3,opt,name=regID" json:"regID,omitempty"`
+	XXX_unrecognized []byte `json:"-"`
+}
+
+func (m *RevokeCertificateWithRegRequest) Reset()                    { *m = RevokeCertificateWithRegRequest{} }
+func (m *RevokeCertificateWithRegRequest) String() string            { return proto1.CompactTextString(m) }
+func (*RevokeCertificateWithRegRequest) ProtoMessage()               {}
+func (*RevokeCertificateWithRegRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{6} }
+
+func (m *RevokeCertificateWithRegRequest) GetCert() []byte {
+	if m != nil {
+		return m.Cert
+	}
+	return nil
+}
+
+func (m *RevokeCertificateWithRegRequest) GetCode() int64 {
+	if m != nil && m.Code != nil {
+		return *m.Code
+	}
+	return 0
+}
+
+func (m *RevokeCertificateWithRegRequest) GetRegID() int64 {
+	if m != nil && m.RegID != nil {
+		return *m.RegID
+	}
+	return 0
+}
+
+type AdministrativelyRevokeCertificateRequest struct {
+	Cert             []byte  `protobuf:"bytes,1,opt,name=cert" json:"cert,omitempty"`
+	Code             *int64  `protobuf:"varint,2,opt,name=code" json:"code,omitempty"`
+	AdminName        *string `protobuf:"bytes,3,opt,name=adminName" json:"adminName,omitempty"`
+	XXX_unrecognized []byte  `json:"-"`
+}
+
+func (m *AdministrativelyRevokeCertificateRequest) Reset() {
+	*m = AdministrativelyRevokeCertificateRequest{}
+}
+func (m *AdministrativelyRevokeCertificateRequest) String() string { return proto1.CompactTextString(m) }
+func (*AdministrativelyRevokeCertificateRequest) ProtoMessage()    {}
+func (*AdministrativelyRevokeCertificateRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor0, []int{7}
+}
+
+func (m *AdministrativelyRevokeCertificateRequest) GetCert() []byte {
+	if m != nil {
+		return m.Cert
+	}
+	return nil
+}
+
+func (m *AdministrativelyRevokeCertificateRequest) GetCode() int64 {
+	if m != nil && m.Code != nil {
+		return *m.Code
+	}
+	return 0
+}
+
+func (m *AdministrativelyRevokeCertificateRequest) GetAdminName() string {
+	if m != nil && m.AdminName != nil {
+		return *m.AdminName
+	}
+	return ""
+}
+
+func init() {
+	proto1.RegisterType((*Registration)(nil), "ra.Registration")
+	proto1.RegisterType((*Authorization)(nil), "ra.Authorization")
+	proto1.RegisterType((*NewAuthorizationRequest)(nil), "ra.NewAuthorizationRequest")
+	proto1.RegisterType((*NewCertificateRequest)(nil), "ra.NewCertificateRequest")
+	proto1.RegisterType((*UpdateRegistrationRequest)(nil), "ra.UpdateRegistrationRequest")
+	proto1.RegisterType((*UpdateAuthorizationRequest)(nil), "ra.UpdateAuthorizationRequest")
+	proto1.RegisterType((*RevokeCertificateWithRegRequest)(nil), "ra.RevokeCertificateWithRegRequest")
+	proto1.RegisterType((*AdministrativelyRevokeCertificateRequest)(nil), "ra.AdministrativelyRevokeCertificateRequest")
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion3
+
+// Client API for RegistrationAuthority service
+
+type RegistrationAuthorityClient interface {
+	NewRegistration(ctx context.Context, in *Registration, opts ...grpc.CallOption) (*Registration, error)
+	NewAuthorization(ctx context.Context, in *NewAuthorizationRequest, opts ...grpc.CallOption) (*Authorization, error)
+	NewCertificate(ctx context.Context, in *NewCertificateRequest, opts ...grpc.CallOption) (*core.Certificate, error)
+	UpdateRegistration(ctx context.Context, in *UpdateRegistrationRequest, opts ...grpc.CallOption) (*Registration, error)
+	UpdateAuthorization(ctx context.Context, in *UpdateAuthorizationRequest, opts ...grpc.CallOption) (*Authorization, error)
+	RevokeCertificateWithReg(ctx context.Context, in *RevokeCertificateWithRegRequest, opts ...grpc.CallOption) (*core.Empty, error)
+	DeactivateRegistration(ctx context.Context, in *Registration, opts ...grpc.CallOption) (*core.Empty, error)
+	DeactivateAuthorization(ctx context.Context, in *Authorization, opts ...grpc.CallOption) (*core.Empty, error)
+	AdministrativelyRevokeCertificate(ctx context.Context, in *AdministrativelyRevokeCertificateRequest, opts ...grpc.CallOption) (*core.Empty, error)
+}
+
+type registrationAuthorityClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewRegistrationAuthorityClient(cc *grpc.ClientConn) RegistrationAuthorityClient {
+	return &registrationAuthorityClient{cc}
+}
+
+func (c *registrationAuthorityClient) NewRegistration(ctx context.Context, in *Registration, opts ...grpc.CallOption) (*Registration, error) {
+	out := new(Registration)
+	err := grpc.Invoke(ctx, "/ra.RegistrationAuthority/NewRegistration", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *registrationAuthorityClient) NewAuthorization(ctx context.Context, in *NewAuthorizationRequest, opts ...grpc.CallOption) (*Authorization, error) {
+	out := new(Authorization)
+	err := grpc.Invoke(ctx, "/ra.RegistrationAuthority/NewAuthorization", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *registrationAuthorityClient) NewCertificate(ctx context.Context, in *NewCertificateRequest, opts ...grpc.CallOption) (*core.Certificate, error) {
+	out := new(core.Certificate)
+	err := grpc.Invoke(ctx, "/ra.RegistrationAuthority/NewCertificate", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *registrationAuthorityClient) UpdateRegistration(ctx context.Context, in *UpdateRegistrationRequest, opts ...grpc.CallOption) (*Registration, error) {
+	out := new(Registration)
+	err := grpc.Invoke(ctx, "/ra.RegistrationAuthority/UpdateRegistration", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *registrationAuthorityClient) UpdateAuthorization(ctx context.Context, in *UpdateAuthorizationRequest, opts ...grpc.CallOption) (*Authorization, error) {
+	out := new(Authorization)
+	err := grpc.Invoke(ctx, "/ra.RegistrationAuthority/UpdateAuthorization", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *registrationAuthorityClient) RevokeCertificateWithReg(ctx context.Context, in *RevokeCertificateWithRegRequest, opts ...grpc.CallOption) (*core.Empty, error) {
+	out := new(core.Empty)
+	err := grpc.Invoke(ctx, "/ra.RegistrationAuthority/RevokeCertificateWithReg", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *registrationAuthorityClient) DeactivateRegistration(ctx context.Context, in *Registration, opts ...grpc.CallOption) (*core.Empty, error) {
+	out := new(core.Empty)
+	err := grpc.Invoke(ctx, "/ra.RegistrationAuthority/DeactivateRegistration", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *registrationAuthorityClient) DeactivateAuthorization(ctx context.Context, in *Authorization, opts ...grpc.CallOption) (*core.Empty, error) {
+	out := new(core.Empty)
+	err := grpc.Invoke(ctx, "/ra.RegistrationAuthority/DeactivateAuthorization", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *registrationAuthorityClient) AdministrativelyRevokeCertificate(ctx context.Context, in *AdministrativelyRevokeCertificateRequest, opts ...grpc.CallOption) (*core.Empty, error) {
+	out := new(core.Empty)
+	err := grpc.Invoke(ctx, "/ra.RegistrationAuthority/AdministrativelyRevokeCertificate", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// Server API for RegistrationAuthority service
+
+type RegistrationAuthorityServer interface {
+	NewRegistration(context.Context, *Registration) (*Registration, error)
+	NewAuthorization(context.Context, *NewAuthorizationRequest) (*Authorization, error)
+	NewCertificate(context.Context, *NewCertificateRequest) (*core.Certificate, error)
+	UpdateRegistration(context.Context, *UpdateRegistrationRequest) (*Registration, error)
+	UpdateAuthorization(context.Context, *UpdateAuthorizationRequest) (*Authorization, error)
+	RevokeCertificateWithReg(context.Context, *RevokeCertificateWithRegRequest) (*core.Empty, error)
+	DeactivateRegistration(context.Context, *Registration) (*core.Empty, error)
+	DeactivateAuthorization(context.Context, *Authorization) (*core.Empty, error)
+	AdministrativelyRevokeCertificate(context.Context, *AdministrativelyRevokeCertificateRequest) (*core.Empty, error)
+}
+
+func RegisterRegistrationAuthorityServer(s *grpc.Server, srv RegistrationAuthorityServer) {
+	s.RegisterService(&_RegistrationAuthority_serviceDesc, srv)
+}
+
+func _RegistrationAuthority_NewRegistration_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(Registration)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).NewRegistration(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/ra.RegistrationAuthority/NewRegistration",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).NewRegistration(ctx, req.(*Registration))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RegistrationAuthority_NewAuthorization_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(NewAuthorizationRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).NewAuthorization(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/ra.RegistrationAuthority/NewAuthorization",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).NewAuthorization(ctx, req.(*NewAuthorizationRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RegistrationAuthority_NewCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(NewCertificateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).NewCertificate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/ra.RegistrationAuthority/NewCertificate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).NewCertificate(ctx, req.(*NewCertificateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RegistrationAuthority_UpdateRegistration_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdateRegistrationRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).UpdateRegistration(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/ra.RegistrationAuthority/UpdateRegistration",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).UpdateRegistration(ctx, req.(*UpdateRegistrationRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RegistrationAuthority_UpdateAuthorization_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpdateAuthorizationRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).UpdateAuthorization(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/ra.RegistrationAuthority/UpdateAuthorization",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).UpdateAuthorization(ctx, req.(*UpdateAuthorizationRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RegistrationAuthority_RevokeCertificateWithReg_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RevokeCertificateWithRegRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).RevokeCertificateWithReg(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/ra.RegistrationAuthority/RevokeCertificateWithReg",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).RevokeCertificateWithReg(ctx, req.(*RevokeCertificateWithRegRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RegistrationAuthority_DeactivateRegistration_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(Registration)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).DeactivateRegistration(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/ra.RegistrationAuthority/DeactivateRegistration",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).DeactivateRegistration(ctx, req.(*Registration))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RegistrationAuthority_DeactivateAuthorization_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(Authorization)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).DeactivateAuthorization(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/ra.RegistrationAuthority/DeactivateAuthorization",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).DeactivateAuthorization(ctx, req.(*Authorization))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RegistrationAuthority_AdministrativelyRevokeCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AdministrativelyRevokeCertificateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).AdministrativelyRevokeCertificate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/ra.RegistrationAuthority/AdministrativelyRevokeCertificate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).AdministrativelyRevokeCertificate(ctx, req.(*AdministrativelyRevokeCertificateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _RegistrationAuthority_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "ra.RegistrationAuthority",
+	HandlerType: (*RegistrationAuthorityServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "NewRegistration",
+			Handler:    _RegistrationAuthority_NewRegistration_Handler,
+		},
+		{
+			MethodName: "NewAuthorization",
+			Handler:    _RegistrationAuthority_NewAuthorization_Handler,
+		},
+		{
+			MethodName: "NewCertificate",
+			Handler:    _RegistrationAuthority_NewCertificate_Handler,
+		},
+		{
+			MethodName: "UpdateRegistration",
+			Handler:    _RegistrationAuthority_UpdateRegistration_Handler,
+		},
+		{
+			MethodName: "UpdateAuthorization",
+			Handler:    _RegistrationAuthority_UpdateAuthorization_Handler,
+		},
+		{
+			MethodName: "RevokeCertificateWithReg",
+			Handler:    _RegistrationAuthority_RevokeCertificateWithReg_Handler,
+		},
+		{
+			MethodName: "DeactivateRegistration",
+			Handler:    _RegistrationAuthority_DeactivateRegistration_Handler,
+		},
+		{
+			MethodName: "DeactivateAuthorization",
+			Handler:    _RegistrationAuthority_DeactivateAuthorization_Handler,
+		},
+		{
+			MethodName: "AdministrativelyRevokeCertificate",
+			Handler:    _RegistrationAuthority_AdministrativelyRevokeCertificate_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: fileDescriptor0,
+}
+
+func init() { proto1.RegisterFile("ra/proto/ra.proto", fileDescriptor0) }
+
+var fileDescriptor0 = []byte{
+	// 632 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x9c, 0x54, 0x4d, 0x6f, 0xd3, 0x40,
+	0x10, 0x8d, 0xeb, 0x7c, 0xd4, 0x93, 0x34, 0x69, 0x06, 0xda, 0xba, 0x41, 0x14, 0xd7, 0xbd, 0xf8,
+	0x80, 0x52, 0xa9, 0x1c, 0x10, 0xe2, 0x42, 0x69, 0x10, 0x4a, 0x85, 0xa2, 0x2a, 0x12, 0x42, 0x20,
+	0x21, 0xb1, 0xb5, 0x87, 0x64, 0xd5, 0xc4, 0x0e, 0xbb, 0x9b, 0xb6, 0xe9, 0x1f, 0x41, 0xe2, 0xca,
+	0x1f, 0x45, 0xde, 0x38, 0x4d, 0x6d, 0xb7, 0x10, 0x71, 0x5b, 0xcf, 0xce, 0xbc, 0x79, 0xef, 0xed,
+	0x93, 0xa1, 0x29, 0xd8, 0xe1, 0x44, 0x44, 0x2a, 0x3a, 0x14, 0xac, 0xad, 0x0f, 0xb8, 0x26, 0x58,
+	0x6b, 0xcb, 0x8f, 0x04, 0x25, 0x17, 0xf1, 0x71, 0x7e, 0xe5, 0xfe, 0x32, 0xa0, 0xd6, 0xa7, 0x01,
+	0x97, 0x4a, 0x30, 0xc5, 0xa3, 0x10, 0x01, 0xd6, 0x78, 0x60, 0x1b, 0x8e, 0xe1, 0x99, 0x58, 0x05,
+	0xf3, 0x82, 0x66, 0xf6, 0x9a, 0x63, 0x78, 0x35, 0x6c, 0x40, 0xc5, 0x8f, 0x42, 0xc5, 0x7c, 0x65,
+	0x9b, 0x8e, 0xe9, 0x59, 0xb8, 0x03, 0x8d, 0xa4, 0x20, 0xcf, 0x04, 0x49, 0x0a, 0x95, 0x5d, 0x74,
+	0x0c, 0x6f, 0x1d, 0x9b, 0x60, 0xb1, 0x81, 0x20, 0x1a, 0xc7, 0xa5, 0x92, 0x63, 0x78, 0x56, 0x5c,
+	0xe2, 0x21, 0x57, 0x9c, 0x8d, 0xba, 0x67, 0x76, 0x59, 0xe3, 0x35, 0xc1, 0xf2, 0x05, 0x31, 0x45,
+	0xc1, 0xb1, 0xb2, 0x2b, 0x7a, 0x5f, 0x1d, 0xca, 0x52, 0x31, 0x35, 0x95, 0xf6, 0x7a, 0x3c, 0xe5,
+	0xfe, 0x36, 0x60, 0xe3, 0x78, 0xaa, 0x86, 0x91, 0xe0, 0x37, 0x59, 0x76, 0x16, 0x22, 0x00, 0x0f,
+	0x28, 0x54, 0xfc, 0x3b, 0x27, 0xa1, 0x49, 0x5a, 0xb8, 0x0d, 0x75, 0x71, 0x47, 0x4d, 0xb7, 0x63,
+	0x9b, 0x19, 0xe4, 0xa2, 0xee, 0x6b, 0x40, 0x85, 0xae, 0x27, 0x5c, 0x90, 0xd4, 0x04, 0x4d, 0x3c,
+	0x00, 0xf0, 0x87, 0x6c, 0x34, 0xa2, 0x70, 0x40, 0xd2, 0x2e, 0x3b, 0xa6, 0x57, 0x3d, 0x6a, 0xb4,
+	0xb5, 0x51, 0x27, 0x8b, 0x3a, 0x3e, 0x86, 0x9a, 0x1f, 0x8d, 0xcf, 0x79, 0xa8, 0xc1, 0xa5, 0x66,
+	0x5d, 0x73, 0x4f, 0x61, 0xa7, 0x47, 0x57, 0x29, 0x9e, 0x7d, 0xfa, 0x31, 0x25, 0xa9, 0xd0, 0x81,
+	0x12, 0x9b, 0xaa, 0xe1, 0x8d, 0x66, 0x5c, 0x3d, 0x6a, 0xb6, 0x05, 0x6b, 0xa7, 0x05, 0x6d, 0x40,
+	0x49, 0xd0, 0xa0, 0xdb, 0xd1, 0xfc, 0x4d, 0xf7, 0x05, 0x6c, 0xf5, 0xe8, 0xea, 0x84, 0x44, 0xac,
+	0xca, 0x67, 0x8a, 0x16, 0x48, 0x55, 0x30, 0x7d, 0x29, 0x34, 0x4e, 0x2d, 0x3b, 0xf4, 0x15, 0x76,
+	0x3f, 0x4e, 0x02, 0xdd, 0xbc, 0x94, 0xbe, 0x18, 0xdc, 0x83, 0xe2, 0x39, 0x93, 0x94, 0x30, 0xd8,
+	0x8c, 0x19, 0xa4, 0xde, 0xdb, 0x81, 0xf2, 0x54, 0x0f, 0x6b, 0xb0, 0x7b, 0x3a, 0xdc, 0x19, 0xb4,
+	0xe6, 0xf0, 0xff, 0x29, 0x71, 0x1b, 0xea, 0xb7, 0xd6, 0x76, 0xc3, 0x80, 0xae, 0xe7, 0xb4, 0x71,
+	0x1f, 0xd6, 0x05, 0xc9, 0x49, 0x14, 0x4a, 0xd2, 0xaf, 0x94, 0x37, 0xdc, 0xfd, 0x00, 0xcf, 0xfa,
+	0x74, 0x19, 0x5d, 0xd0, 0x1d, 0x47, 0x3e, 0x71, 0x35, 0xec, 0xd3, 0x60, 0xb1, 0xbf, 0x06, 0x45,
+	0x9f, 0x84, 0x4a, 0x9c, 0x89, 0xbf, 0xa2, 0x80, 0x92, 0x0d, 0xb7, 0x3e, 0xe9, 0x10, 0xb8, 0x9f,
+	0xc1, 0x3b, 0x0e, 0xc6, 0x3c, 0x4c, 0xa4, 0x5d, 0xd2, 0x68, 0x96, 0x43, 0x5f, 0x05, 0x36, 0xce,
+	0x77, 0x8c, 0xd3, 0x63, 0xe3, 0x39, 0x73, 0xeb, 0xe8, 0x67, 0x09, 0xb6, 0xee, 0x9a, 0x96, 0x38,
+	0xa0, 0x66, 0xf8, 0x12, 0x1a, 0x3d, 0xba, 0x4a, 0x59, 0x9e, 0xb3, 0xb8, 0x95, 0x37, 0xbd, 0x80,
+	0x1d, 0xd8, 0xcc, 0xc6, 0x0a, 0x9f, 0xc4, 0x7d, 0x0f, 0x84, 0xad, 0x95, 0xb7, 0xde, 0x2d, 0xe0,
+	0x1b, 0xa8, 0xa7, 0x03, 0x85, 0xbb, 0x09, 0x46, 0x5e, 0x74, 0xab, 0x99, 0xf8, 0xbf, 0xbc, 0x71,
+	0x0b, 0xf8, 0x1e, 0x30, 0x9f, 0x2e, 0x7c, 0x1a, 0xa3, 0x3c, 0x98, 0xba, 0x7b, 0x05, 0x9d, 0xc2,
+	0xa3, 0x7b, 0x72, 0x84, 0x7b, 0x4b, 0xa4, 0xd5, 0x65, 0xf5, 0xc0, 0x7e, 0x28, 0x18, 0x78, 0x30,
+	0xdf, 0xfd, 0xd7, 0xd8, 0xb4, 0xaa, 0x73, 0xa9, 0xef, 0xc6, 0x13, 0x35, 0x73, 0x0b, 0xf8, 0x0a,
+	0xb6, 0x3b, 0xc4, 0x7c, 0xc5, 0x2f, 0xb3, 0x42, 0xf3, 0x8f, 0x95, 0x19, 0x7d, 0x0d, 0x3b, 0xcb,
+	0xd1, 0xb4, 0xb4, 0x3c, 0xf5, 0xec, 0xf0, 0x37, 0xd8, 0xff, 0x67, 0x24, 0xf1, 0xb9, 0x86, 0x59,
+	0x31, 0xb9, 0x99, 0x0d, 0x6f, 0x2b, 0x5f, 0x4a, 0xfa, 0x4f, 0xff, 0x27, 0x00, 0x00, 0xff, 0xff,
+	0xfc, 0x41, 0x7b, 0x84, 0x18, 0x06, 0x00, 0x00,
+}
--- a/ra/proto/ra.proto
+++ b/ra/proto/ra.proto
@ -0,0 +1,72 @@
+syntax = "proto2";
+
+package ra;
+option go_package = "proto";
+
+import "core/proto/core.proto";
+
+service RegistrationAuthority {
+        rpc NewRegistration(Registration) returns (Registration) {}
+        rpc NewAuthorization(NewAuthorizationRequest) returns (Authorization) {}
+        rpc NewCertificate(NewCertificateRequest) returns (core.Certificate) {}
+        rpc UpdateRegistration(UpdateRegistrationRequest) returns (Registration) {}
+        rpc UpdateAuthorization(UpdateAuthorizationRequest) returns (Authorization) {}
+        rpc RevokeCertificateWithReg(RevokeCertificateWithRegRequest) returns (core.Empty) {}
+        rpc DeactivateRegistration(Registration) returns (core.Empty) {}
+        rpc DeactivateAuthorization(Authorization) returns (core.Empty) {}
+        rpc AdministrativelyRevokeCertificate(AdministrativelyRevokeCertificateRequest) returns (core.Empty) {}
+}
+
+message Registration {
+        optional int64 id = 1;
+        optional bytes key = 2;
+        repeated string contact = 3;
+        optional bool contactsPresent = 4;
+        optional string agreement = 5;
+        optional bytes initialIP = 6;
+        optional int64 createdAt = 7; // Unix timestamp (nanoseconds)
+        optional string status = 8;
+}
+
+message Authorization {
+        optional string id = 1;
+        optional string identifier = 2;
+        optional int64 registrationID = 3;
+        optional string status = 4;
+        optional int64 expires = 5; // Unix timestamp (nanoseconds)
+        repeated core.Challenge challenges = 6;
+        optional bytes combinations = 7;
+}
+
+message NewAuthorizationRequest {
+        optional Authorization authz = 1;
+        optional int64 regID = 2;
+}
+
+message NewCertificateRequest {
+        optional bytes csr = 1;
+        optional int64 regID = 2;
+}
+
+message UpdateRegistrationRequest {
+        optional Registration base = 1;
+        optional Registration update = 2;
+}
+
+message UpdateAuthorizationRequest {
+        optional Authorization authz = 1;
+        optional int64 challengeIndex = 2;
+        optional core.Challenge response = 3;
+}
+
+message RevokeCertificateWithRegRequest {
+        optional bytes cert = 1;
+        optional int64 code = 2;
+        optional int64 regID = 3;
+}
+
+message AdministrativelyRevokeCertificateRequest {
+        optional bytes cert = 1;
+        optional int64 code = 2;
+        optional string adminName = 3;
+}
--- a/test/config-next/admin-revoker.json
+++ b/test/config-next/admin-revoker.json
@ -2,13 +2,16 @@
  "revoker": {
    "dbConnectFile": "test/secrets/revoker_dburl",
    "maxDBConns": 1,
+    "raService": {
+      "serverAddresses": ["boulder:9094"],
+      "serverIssuerPath": "test/grpc-creds/minica.pem",
+      "clientCertificatePath": "test/grpc-creds/boulder-client/cert.pem",
+      "clientKeyPath": "test/grpc-creds/boulder-client/key.pem",
+      "timeout": "90s"
+    },
    "amqp": {
      "serverURLFile": "test/secrets/amqp_url",
      "insecure": true,
-      "RA": {
-        "server": "RA.server",
-        "rpcTimeout": "15s"
-      },
      "SA": {
        "server": "SA.server",
        "rpcTimeout": "15s"
--- a/test/config-next/ra.json
+++ b/test/config-next/ra.json
@ -32,6 +32,15 @@
      "clientKeyPath": "test/grpc-creds/boulder-client/key.pem",
      "timeout": "10s"
    },
+    "grpc": {
+      "address": "boulder:9094",
+      "clientIssuerPath": "test/grpc-creds/minica.pem",
+      "serverCertificatePath": "test/grpc-creds/boulder-server/cert.pem",
+      "serverKeyPath": "test/grpc-creds/boulder-server/key.pem",
+      "clientNames": [
+        "boulder-client"
+      ]
+    },
    "amqp": {
      "serverURLFile": "test/secrets/amqp_url",
      "insecure": true,
--- a/test/config-next/wfe.json
+++ b/test/config-next/wfe.json
@ -13,13 +13,16 @@
    "acceptRevocationReason": true,
    "allowAuthzDeactivation": true,
    "debugAddr": "localhost:8000",
+    "raService": {
+      "serverAddresses": ["boulder:9094"],
+      "serverIssuerPath": "test/grpc-creds/minica.pem",
+      "clientCertificatePath": "test/grpc-creds/boulder-client/cert.pem",
+      "clientKeyPath": "test/grpc-creds/boulder-client/key.pem",
+      "timeout": "10s"
+    },
    "amqp": {
      "server": "amqp://guest:guest@localhost:5673",
      "insecure": true,
-      "RA": {
-        "server": "RA.server",
-        "rpcTimeout": "15s"
-      },
      "SA": {
        "server": "SA.server",
        "rpcTimeout": "15s"