Token scope reduction
US-2017034172-A1 · Feb 2, 2017 · US
US11863545B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11863545-B2 |
| Application number | US-202318152659-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 10, 2023 |
| Priority date | Dec 4, 2015 |
| Publication date | Jan 2, 2024 |
| Grant date | Jan 2, 2024 |
Official abstract text for this publication.
A method for utilizing a registration authority computer to facilitate a certificate signing request is provided. A registration authority computer may receive a certificate signing request associated with a token requestor. The registration authority computer may authenticate the identity of the token requestor and forward the certificate signing request to a certificate authority computer. A token requestor ID and a signed certificate may be provided by the certificate authority computer and forwarded to the token requestor. The token requestor ID may be utilized by the token requestor to generate digital signatures for subsequent token-based transactions.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method comprising: receiving, at a registration authority computer, a certificate signing request from a token requestor computer associated with a token requestor, with respect to a user who requested an interaction with the token requestor; in response to the receiving the certificate signing request, authenticating, by the registration authority computer, the token requestor; adding an indication to the certificate signing request that the registration authority computer has authenticated the token requestor; transmitting, by the registration authority computer to a certificate authority computer, the certificate signing request comprising the indication, the certificate authority computer being remote with respect to the registration authority computer; receiving, by the registration authority computer from the certificate authority computer, a token requestor identifier (ID) for the token requestor; transmitting, by the registration authority computer, the token requestor ID to the token requestor computer; receiving, by the registration authority computer from the token requestor computer, an authorization request message comprising a token obtained by the token requestor by using the token requestor ID, wherein the token includes a payment account identifier as a substitute for an account number of the user who requested the interaction with the token requestor, wherein the payment account identifier is provided in the authorization request message in place of the account number of the user; and transmitting, by the registration authority computer to the certificate authority computer, the authorization request message comprising the token, wherein the receiving the authorization request message causes the certificate authority computer to convert the payment account identifier of the token to the account number of the user, wherein the token is a first token and the method further comprises: transmitting, by the registration authority computer to the certificate authority computer, a token request message using the first token; receiving, by the registration authority computer from the certificate authority computer, a second token; and transmitting, by the registration authority computer to the token requestor computer, the second token, wherein receiving the certificate signing request causes the certificate authority computer to: verify that the registration authority computer authenticated the token requestor based at least in part on determining that an identifier associated with the registration authority computer is included in the certificate signing request; in response to the verifying the registration authority computer authenticated the token requestor, generate the token requestor ID for the token requestor; and store a mapping between the token requestor ID and a public key generated by and received from the token requestor computer.

2. The computer-implemented method of claim 1, wherein the authenticating the token requestor comprises executing a know-your-customer process to authenticate the token requestor.

3. The computer-implemented method of claim 1, further comprising: prior to the receiving by the registration authority computer from the token requestor computer the authorization request message, receiving, by the registration authority computer from the token requestor computer, a token provisioning request message comprising the token requestor ID, a digital signature generated by the token requestor computer using the token requestor ID, and information indicating that a message is the token provisioning request message; transmitting, by the registration authority computer, the token provisioning request message to the certificate authority computer, wherein receiving the token provisioning request message causes the certificate authority computer to retrieve the public key of the token requestor ID and verify the digital signature using the public key; in response to the digital signature being verified, receiving, by the registration authority computer from the certificate authority computer, a token response message comprising the first token issued to the token requestor and information indicating that a message is the token response message responsive to the token provisioning request message; and transmitting the first token to the token requestor computer.

4. The computer-implemented method of claim 3, wherein the token provisioning request message further comprises an identifier associated with the registration authority computer, a terminal identifier, a time stamp, and a message counter.

5. The computer-implemented method of claim 3, further comprising notifying an authorization computer that the first token has been provisioned to the token requestor, the authorization computer being associated with the account number of the user.

6. The computer-implemented method of claim 3, wherein receiving the token provisioning request message causes the certificate authority computer to decrypt the digital signature to generate decrypted information and compare the decrypted information to one or more data fields of the token provisioning request message.

7. The computer-implemented method of claim 1, further comprising: receiving, by the registration authority computer, an authorization response message corresponding to the authorization request message; and transmitting, by the registration authority computer to the token requestor computer, the authorization response message.

8. A registration authority computer comprising: a processor; and a non-transitory computer readable storage medium storing code that, when executed by the processor, causes the processor to perform a method including: receiving a certificate signing request from a token requestor computer associated with a token requestor, with respect to a user who requested an interaction with the token requestor; in response to the receiving the certificate signing request, authenticating the token requestor; adding an indication to the certificate signing request that the token requestor is authenticated; transmitting, to a certificate authority computer, the certificate signing request comprising the indication, the certificate authority computer being remote with respect to the registration authority computer; receiving, from the certificate authority computer, a token requestor identifier (ID) for the token requestor; transmitting the token requestor ID to the token requestor computer; receiving, from the token requestor computer, an authorization request message comprising a token obtained by the token requestor by using the token requestor ID, wherein the token includes a payment account identifier as a substitute for an account number of the user who requested the interaction with the token requestor, wherein the payment account identifier is provided in the authorization request message in place of the account number of the user; and transmitting, to the certificate authority computer, the authorization request message comprising the token, wherein the receiving the authorization request message causes the certificate authority computer to convert the payment account identifier of the token to the account number of the user, wherein the token is a first token and the method further includes: transmitting, to the certificate authority computer, a token request message using the first token; receiving, from the certificate authority computer, a second token; and transmitting, to the token requestor computer, the second token, wherein receiving the certificate signing request causes the certificate authority computer to: verify that the registration authority co
using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title
initialising or reloading thereof · CPC title
involving authentication · CPC title
Use of electronic signatures · CPC title
Use of certificates or encrypted proofs of transaction rights · CPC title