End Entities

An end entity is the owner of a certificate. This is the PKI participant for whom the digital certificate is issued for. For example, if the certificate is a web server certificate, the owner is a web server and correspondingly the end entity is this web server. In case of an email certificate the end entity is the person, to whom the email belongs to. An entity may even be a more "abstract" object like a (micro)service or a process.

End entities are bound to a realm, meaning that a specific end entity exists and can be used only within the scope of its realm. A realm can have multiple end entities.

1. Purpose of end entities

End entities represent an entity outside the boundaries of the PKI like a web server or a person. Modelling end entities in the RA application gives the possibility to manage and work with such logical entities within the PKI system instead of certificates. The advantage is that it provides the users of the PKI with a natural rather than technical method to manage and view the PKI.

For example, a web server requests a certificate via ACME three times. Using end entities it is possible to represent this server as an entity which has three certificates attached to it, instead of just having three certificates within the PKI that are not related to this web server, apart that they share the same domain name. Using end entities this relation is explicit rather than implicit. In the RA it is mandatory to attach all actions and certificates to an end entity.

2. End entity alias

An end entity needs a certain characteristic to be specified as such. For example, in the case of web server this characteristic could be the domain name of the server. This characteristic is the so-called alias. This is an identifier which is used to identify this end entity.

There are cases when it is not possible to provide the alias of the end entity and therefore create it or assign a certificate to it is not obvious. Typical example is the request for certificate by an end entity via a protocol like ACME or EST. It is not possible to provide this type of information within the protocol, at least in a standard conform way. Because an end entity always requires a unique alias a mechanism to create aliases for end entities in the system is necessary. This mechanism utilizes the so-called strategies, with each strategy providing a method to create an alias for the end entity. The different strategies are described in Chapter 3.

The alias of an end entity is set via the following methods and cannot be modified afterwards:

  • Through manual setting. There is the option in the details page of an end entity, if the end entity’s alias is not yet set, to manually choose its strategy, and the value to be set as an alias. This bypasses the automatic construction based on the strategy’s algorithm and instead accepts any value the user provides.

  • During Certificate Request Creation, where the end entity and a policy are combined. The system constructs the alias from the strategy related to the policy If the alias does not exist then an end entity is created. If the alias exists then the certificate is attached to this end entity.

End entities are mandatory. An alias is used to identify an end entity. Strategies are used to create an alias.

3. End Entity Alias Strategy

RA Operators can choose among the following end entity alias strategies.

COMMON NAME

This strategy tries to construct the alias using a common name from all the available input data. The first choice is always the common name field of the end entity itself. If no end entity is known during calculation (for example when searching for an end entity based on the alias), then a PKCS10 Request must be available and its subject common name field is used. If neither an end entity and a PKCS10 Request are available, then this strategy cannot produce a result, and the calculation ends with an error.

EMAIL

This strategy tries to construct the alias using an email from all the available input data. The first choice is always the email field of the end entity itself. If no end entity is known during calculation (for example when searching for an end entity based on the alias), or it has no email, then a PKCS10 Request is analyzed. First the Email field of the PKCS10 subject is tried and if unavailable, the email field from the PKCS10 Subject Alternative Name (SAN) Extension is used. If nothing is found, then this strategy cannot produce a result, and the calculation ends with an error.

PKCS10 SUBJECT CN

This strategy tries to construct the alias from the PKCS10 Request subject common name field. If it is not found, then this strategy cannot produce a result, and the calculation ends with an error.

PKCS10 SUBJECT EMAIL

This strategy tries to construct the alias from the PKCS10 Request subject email field. If it is not found, then this strategy cannot produce a result, and the calculation ends with an error.

PKCS10 SUBJECT SAN EMAIL

This strategy tries to construct the alias from the PKCS10 Request Subject Alternative Name (SAN) Extension email field. If it is not found, then this strategy cannot produce a result, and the calculation ends with an error.

PKCS10 SUBJECT

This strategy tries to construct the alias from the complete PKCS10 Request subject in binary form. If it is not found, then this strategy cannot produce a result, and the calculation ends with an error.

PKCS10 CN SAN SET

This strategy extracts all the common names from the PKCS10 Request subject, all the domain names and ips from the PKCS10 Request Subject Alternative Name (SAN) extension and combines them in the following form: {"cns":["cn1", "cn2],"dns":["dn1.example.com", "dn2.example.com"],"ips":["192.168.0.1", "192.168.0.2"]}. If no PKCS10 Request is available, or none of the used values exist, then this strategy cannot produce a result, and the calculation ends with an error.

END ENTITY DATA SET

This strategy tries to construct the alias using all available input data. It is commonly used together with CMP and the CertTemplate. In the CertTemplate additional data apart from email, domain names etc. are transferred and are stored in the end entity as key-pair values.

4. View End Entities

Available end entities for a realm can be viewed and searched for in the End Entities page. An option to export selected rows as Comma Separated Values (CSV) is available via the Actions → Export selected as CSV, along with and option to Add password to the selected End Entities. There is also a filter that an admin can use to view only the archived end entities. This filter can be triggered by pressing the Show Archived button in the Actions dropdown list.

5. Create End Entity

The New End Entity page can be reached via the side menu or via the Create… quick access button at the top right.

Here, some of the most common X.509 certificate components can be defined like: Common Name (CN), Country (C), E-Mail (E), Organisation (O), Organisational Unit (OU). Only Common Name (CN) is required, the rest are optional. Additionally, a list of domain names, and a list of ip addresses can be provided, for inclusion in the Subject Alternative Name (SAN) extension. An optional External ID can be given to the created end entity that can be used to store additional identification information. Lastly, the list Custom CA Parameters can be provided to pass additional certificate template parameters (ident data) to MTG CARA (Example id.data=custom-data).

6. Modify End Entity

End entity modification is not supported.

7. Archive End Entity

A user can archive or unarchive a policy by entering the End Entities/Show tab. There, by pressing the end entity’s name, the user will be redirected to the end entity details page. By pressing Archive or Unarchive button the end entity will be archived or unarchived accordingly. Batch Archive and Batch Undo-Archive actions are also supported by selecting the checkboxes of the desired end entities and choosing the Archive All Selected and Undo-Archive All Selected buttons in the Actions dropdown. Upon end entity archive all child entities of the end entity will be archived too. Child entities of end entities are considered its certificates and certificate requests. Upon unarchive, end entity’s child entities are not affected. End entities associated with an active certificate can not be archived. Archived end entities, that belong to an archived realm can not be unarchived. Archived end entities can not be used for new operations.

8. Delete End Entity

A user can delete an archived end entity through the End Entity page, the Show Entities Table or the Administration/Archived Data Removal tab. In the End Entity page after archiving the entity a Delete button will appear. In the Show Entities Table by pressing Actions→Show Archived the table will show the archived entities, and here the end entities can be selected, and through Actions→Delete all selected they can be deleted. Furthermore, the user can delete one End Entity at a time by pressing the row actions button and then Delete End Entity. Finally, in the Choose entity to delete dropdown choose End Entities. As an extra safeguard there is the option to restrict the archived records that are going to be deleted by the date on which they were archived. In the Choose date calendar select the date, before which the records should have been archived, in order to be deleted with this action and press Delete. Upon deletion, all archived certificates, certificate requests and all end entity passwords linked to the deleted end entities will also be deleted.

9. End Entity Password

For one or more existing end entities, a password can be generated. This password, together with the end entity ID, enables the end entity to authenticate itself to MTG Certificate Lifecycle Manager Server. Each password is bound to an existing policy and enables the end entities to issue certificates for themselves using the assigned policy. For each policy only one password can be created per end entity. Note that multiple end entities can share a common password.

9.1. View End Entity Password

In order to view the existing end entity passwords per policy navigate to the specific end entity details page and press the Manage Passwords button. Then, you will be navigated to a page where all the existing passwords will be shown in a paginated form. Each row represents a password for the policy shown. There is an option through the actions to view the password details, by pressing the View Details button which you will be navigated to the End Entity Password Details page. By pressing a Policy ID or Policy Name a redirection to the Policy Details page is being made and by pressing the End Entity ID a redirection to the End Entity Details page is being made.

9.2. Create End Entity Password

In order to create a new password for an end entity navigate to the specific end entity details page and press the Manage Passwords, then press the Add Password button which will navigate you to a page where you can select the desired policy for which the specific end entity does not already have a password and press Generate Password. This will create a new confidential password which you should store in a secure place. Batch password creation is also supported by selecting the checkboxes of the desired end entities and choosing the Add Password button in the Actions dropdown. This will also navigate you to the same page where you can select the desired policy following the same procedure as described above.

This password won’t be shown again.

9.3. Reset End Entity Password

An end entity password can be reset by navigating to the specific end entity details page and by pressing the Manage Passwords button. There, the option to reset each password row is available in the dropdown actions list, and it can be triggered by pressing the Reset End-Entity Password action. This action will generate automatically a new password for the same end entity and policy, and then it will navigate you to another page where you can view this password and copy it to store it in a secure place.

This password won’t be shown again.

9.4. Delete End Entity Password

An end entity password can be deleted by navigating to the specific end entity details page and by pressing the Manage Passwords button. There, the option to delete each password row is available in the dropdown actions list, and it can be triggered by pressing the Delete End-Entity Password action.

10. Multiple End Entities creation

By pressing Add Multiple tab, a panel with a file upload field is shown. A template with instructions is available, in which a user can add multiple certificates for creation. On successful creation the user is redirected to the Create End Entity Password page, in order to create the same password for the created end entities.