End Entities Overview

This Overview covers the concepts of End Entities in the following sections. For more information about how to manage End Entities, see End Entities Operations.

An end entity is the basic holder and owner of a certificate, whether this is an actual person, a device, a subCA or a component like an OCSP responder. An end entity is always owned by a Certificate Authority, and the certificates issued to it are defined by a single Certificate Profile. In order for administrators to limit the enrollment options for users (predefining, forbidding or requiring certain fields), each end entity also conforms to an End Entity Profile. Multiple end entities can share the same profile, so it can be set to be available for multiple CAs and multiple certificate profiles.

The End Entity Profile Fields are defined on their own page, and besides the constraints mentioned previously, the values can also be restricted via regular expressions. There are some use cases where the CA should produce the key pairs on the user's behalf (instead of just signing a CSR); in those cases, the key pair can be saved (encrypted in PKCS#12) in the database, allowing later key recovery.

End Entity Statuses

End entities have a current status, which denotes what that end entity can currently do.

| Event Name | Database Value | Description |
|---|---|---|
| STATUS_NEW | 10 | End Entity has just been created, or has been set up for renewal. |
| STATUS_FAILED | 11 | Certificate generation for this End Entity has failed. |
| STATUS_INITIALIZED | 20 | Legacy value, no longer used in EJBCA. |
| STATUS_INPROCESS | 30 | Legacy value, no longer used in EJBCA. |
| STATUS_GENERATED | 40 | Set when a certificate has been issued for this End Entity. |
| STATUS_REVOKED | 50 | End Entity is set as revoked. |
| STATUS_HISTORICAL | 60 | Legacy value, no longer used in EJBCA. |
| STATUS_KEYRECOVERY | 70 | End Entity has been set up for key recovery by an administrator. |
| STATUS_WAITINGFORADDAPPROVAL | 80 | End Entity is awaiting approval before creation. Never stored in the database but used transiently for status requests. |
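The status values above can be used to audit an export of end entity records. The following is an added example, not part of the EJBCA documentation or code base; it assumes a CSV export with hypothetical columns `username` and `status`, and the sample rows are constructed.

```python
import csv
import io

# Status values from the table above: code -> (name, stored_in_db, legacy)
STATUSES = {
    10: ("STATUS_NEW", True, False),
    11: ("STATUS_FAILED", True, False),
    20: ("STATUS_INITIALIZED", True, True),
    30: ("STATUS_INPROCESS", True, True),
    40: ("STATUS_GENERATED", True, False),
    50: ("STATUS_REVOKED", True, False),
    60: ("STATUS_HISTORICAL", True, True),
    70: ("STATUS_KEYRECOVERY", True, False),
    80: ("STATUS_WAITINGFORADDAPPROVAL", False, False),
}

def audit_statuses(export_text):
    """Return (username, status, finding) for rows that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user, raw = row["username"], row["status"].strip()
        if not raw.isdigit() or int(raw) not in STATUSES:
            findings.append((user, raw, "unknown or malformed status value"))
            continue
        code = int(raw)
        name, stored, legacy = STATUSES[code]
        if not stored:
            findings.append((user, name, "transient status found in stored data"))
        elif legacy:
            findings.append((user, name, "legacy status, no longer used"))
        elif code == 70:
            findings.append((user, name, "key recovery pending, confirm it was authorized"))
    return findings

# Constructed sample export (not real data); column names are assumptions.
SAMPLE_EXPORT = """username,status
alice,40
ocsp-responder,10
old-device,60
bob,70
pending-user,80
broken-row,abc
mystery,99
"""

if __name__ == "__main__":
    for finding in audit_statuses(SAMPLE_EXPORT):
        print(finding)
```

Rows in the normal operational statuses (10, 11, 40, 50) produce no finding; everything else is returned for review.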