End Entities

End entities represent an entity outside the boundaries of the PKI. Such entities could be web servers or persons. Modelling end entities within the MTG-CLM application provides the possibility to manage and work with such logical entities within the PKI system (instead of certificates). The advantage is that users possess a more natural than technical method to manage and view the PKI.

For example, a web server requests a certificate via ACME three times. Using end entities it is possible to represent this server as an entity with three certificates attached to it. Otherwise, there would be just three certificates within the PKI which are not related to this web server, and with the domain name as their sole common characteristic.

Using end entities this relation becomes explicit rather than implicit. In the MTG-CLM it is mandatory to attach all actions and certificates to an end entity.

Available end entities for a realm can be viewed and searched for in the End Entities page. An option to export selected rows as Comma Separated Values (CSV) is available via the Actions → Export selected as CSV, along with an option to Add password to the selected End Entities. There is also a filter an admin can use, to view archived end entities only. This filter can be triggered by pressing the Show Archived button in the Actions dropdown list.

The New End Entity page can be reached via the side menu or via the Create… quick access button at the top right.

Here, some of the most common X.509 certificate components can be defined. For example; Common Name (CN), Country (C), E-Mail (E), Organisation (O), Organisational Unit (OU). Only Common Name (CN) is required, the rest are optional. Additionally, a list of domain names and a list of ip addresses can be provided, to be included in the Subject Alternative Name (SAN) extension. An optional External ID can be given to the created end entity. It can be used to store additional identification information. Lastly, the list Custom CA Parameters can be provided, to pass additional certificate template parameters (ident data) to MTG CARA (E.g., id.data=custom-data).

End entity modification is not supported.

A user can archive or unarchive a policy by entering the End Entities/Show tab. There, by pressing the end entity’s name, the user will be redirected to the end entity details page. By pressing Archive or Unarchive button the end entity will be archived or unarchived accordingly. Batch Archive and Batch Undo-Archive actions are also supported, by selecting the checkboxes of the desired end entities and choosing the Archive All Selected and Undo-Archive All Selected buttons in the Actions dropdown list. Upon end entity archiving, all child entities of the end entity will be archived too. Child entities of end entities are considered their certificates and certificate requests. Upon un-archiving, end entities' child entities are not affected. End entities associated with an active certificate can not be archived. Archived end entities, belonging to an archived realm can not be unarchived. Archived end entities can not be used for new operations.

A user can delete an archived end entity through the End Entity page, the Show Entities Table or the Administration/Archived Data Removal tab. In the End Entity page, after archiving the entity, a Delete button will appear. In the Show Entities Table, by pressing Actions→Show Archived, a table with the archived entities is visible. Here the end entities can be selected. Through Actions→Delete all selected they can be deleted. Furthermore, the user can delete one End Entity at a time by pressing the row actions button and then Delete End Entity. Finally, in the Choose entity to delete dropdown menu, the user can select End Entities. As an extra safeguard there is the option to restrict archived records to be deleted, using the date on which they were archived as filter. In the Choose date calendar, the user can select the date, to filer archived records prior to this date. Those can be deleted by selecting Delete. Upon deletion, all archived certificates, certificate requests and all end entity passwords linked to the deleted end entities will also be deleted.