This Overview covers the concepts of End Entities in the following sections. For more information about how to manage End Entities, see End Entities Operations.

An end entity is the basic holder and owner of a certificate, whether this is an actual person, a device, a subCA or a component like an OCSP responder. An end entity is always owned by a Certificate Authority, and the certificates issued to it are defined by a single Certificate Profile. In order for administrators to limit the enrollment options for users (predefining, forbidding or requiring certain fields), each end entity also conforms to an End Entity Profile. Multiple end entities can share the same profile, so it can be set to be available for multiple CAs and multiple certificate profiles.

The End Entity Profile Fields are defined on their own page. Besides the constraints mentioned previously, the values can also be restricted via regular expressions. In some use cases the CA should produce the key pairs on the user's behalf (instead of just signing a CSR); in those cases the key pair can be saved (encrypted in PKCS#12) in the database, allowing later key recovery.
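The following added example is a simplified model of the profile constraints described above (required, forbidden, predefined and regex-restricted fields); it is not EJBCA code. The names FieldRule and validate_enrollment, the field set and the sample values are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FieldRule:
    """One field's constraint (hypothetical model, not EJBCA's schema)."""
    required: bool = False
    forbidden: bool = False
    predefined: Optional[str] = None  # value fixed by the administrator
    pattern: Optional[str] = None     # regex the whole value must match

def validate_enrollment(profile, request):
    """Return the list of violations; empty means the request conforms."""
    errors = [f"{n}: not part of the profile" for n in request if n not in profile]
    for name, rule in profile.items():
        value = request.get(name)
        if not value:
            if rule.required:
                errors.append(f"{name}: required")
            continue
        if rule.forbidden:
            errors.append(f"{name}: forbidden")
            continue
        if rule.predefined is not None and value != rule.predefined:
            errors.append(f"{name}: must equal predefined value")
        # fullmatch anchors both ends; re.match would accept the CN in BAD
        # below because its prefix looks like a host under example.com.
        if rule.pattern is not None and not re.fullmatch(rule.pattern, value):
            errors.append(f"{name}: does not match pattern")
    return errors

# Constructed sample profile and requests.
PROFILE = {
    "CN": FieldRule(required=True, pattern=r"[a-z0-9-]+\.example\.com"),
    "O": FieldRule(required=True, predefined="Example Corp"),
    "dNSName": FieldRule(pattern=r"[a-z0-9-]+\.example\.com"),
    "rfc822Name": FieldRule(forbidden=True),
}
GOOD = {"CN": "web01.example.com", "O": "Example Corp", "dNSName": "web01.example.com"}
BAD = {"CN": "web01.example.com.other.test", "O": "Other Org",
       "rfc822Name": "root@example.com", "UID": "0"}

if __name__ == "__main__":
    print(validate_enrollment(PROFILE, GOOD))
    print(validate_enrollment(PROFILE, BAD))
```

When reviewing a profile's regular expressions, check that each one constrains the entire value and not just a prefix, since an unanchored pattern silently widens what can be enrolled.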

End Entity Statuses

End entities have a current status, which denotes what that end entity can currently do. 

| Status Name | Database Value | Description |
|---|---|---|
| STATUS_NEW | 10 | End Entity has just been created, or has been set up for renewal. |
| STATUS_FAILED | 11 | Certificate generation for this End Entity has failed. |
| STATUS_INITIALIZED | 20 | Legacy value, no longer used in EJBCA. |
| STATUS_INPROCESS | 30 | Legacy value, no longer used in EJBCA. |
| STATUS_GENERATED | 40 | Set when a certificate has been issued for this End Entity. |
| STATUS_REVOKED | 50 | End Entity is set as revoked. |
| STATUS_HISTORICAL | 60 | Legacy value, no longer used in EJBCA. |
| STATUS_KEYRECOVERY | 70 | End Entity has been set up for key recovery by an administrator. |
| STATUS_WAITINGFORADDAPPROVAL | 80 | End Entity is awaiting approval before creation. Never stored in the database but used transiently for status requests. |