A system entity that is the subject of a public-key certificate and that is using, or is permitted and able to use, the matching private key only for purposes other than signing a digital certificate; i.e., an entity that is not a CA.
"A certificate subject [that] uses its public [sic] key for purposes other than signing certificates." [X509]
Deprecated Definition: IDOCs SHOULD NOT use definition 2, which is misleading and incomplete. First, that definition should have said "private key" rather than "public key" because certificates are not usefully signed with a public key. Second, the X.509 definition is ambiguous regarding whether an end entity may or may not use the private key to sign a certificate, i.e., whether the subject may be a CA. The intent of X.509's authors was that an end entity certificate is not valid for use in verifying a signature on an X.509 certificate or X.509 CRL. Thus, it would have been better for the X.509 definition to have said "only for purposes other than signing certificates".
Usage: Despite the problems in the X.509 definition, the term itself is useful in describing applications of asymmetric cryptography. The way the term is used in X.509 implies that it was meant to be defined, as we have done here, relative to roles that an entity (which is associated with an OSI end system) is playing or is permitted to play in applications of asymmetric cryptography other than the PKI that supports applications.
Tutorial: Whether a subject can play both CA and non-CA roles, with either the same or different certificates, is a matter of policy. (See: CPS.) A v3 X.509 public-key certificate may have a "basicConstraints" extension containing a "cA" value that specifically "indicates whether or not the public key may be used to verify certificate signatures". (See: certificate profile.)