End Entities Overview
This Overview covers the concepts of End Entities in the following sections. For more information about how to manage End Entities, see End Entities Operations.
An end entity is the basic holder and owner of a certificate, whether this is an actual person, a device, a subCA or a component like an OCSP responder. An end entity is always owned by a Certificate Authority, and the certificates issued to it are defined by a single Certificate Profile. In order for administrators to limit the enrollment options for users (predefining, forbidding or requiring certain fields), each end entity also conforms to an End Entity Profile. Multiple end entities can share the same profile, so it can be set to be available for multiple CAs and multiple certificate profiles.
The End Entity Profile Fields are defined on their own page, and besides the constraints mentioned previously the values can also be restricted via regular expressions. There are some use cases where the CA should produce the key pairs on the user's behalf (instead of just signing a CSR), and in those, the key pair can be saved (encrypted in PKCS#12) in the database, allowing later key recovery.
End Entity Statuses
End entities have a current status, which denotes what that end entity can currently do.
Event Name | Database Value | Description |
---|---|---|
STATUS_NEW | 10 | End Entity has just been created, or has been set up for renewal. |
STATUS_FAILED | 11 | Certificate generation for this End Entity has failed. |
STATUS_INITIALIZED | 20 | Legacy value, no longer used in EJBCA. |
STATUS_INPROCESS | 30 | Legacy value, no longer used in EJBCA. |
STATUS_GENERATED | 40 | Set when a certificate has been issued for this End Entity. |
STATUS_REVOKED | 50 | End Entity is set as revoked. |
STATUS_HISTORICAL | 60 | Legacy value, no longer used in EJBCA. |
STATUS_KEYREVOVERY | 70 | End Entity has been set up for key recovery by an administrator. |
STATUS_WAITINGFORADDAPPROVAL | 80 | End Entity is awaiting approval before creation. Never stored in the database but used transiently for status requests. |