diff --git a/app/models/admin_user.rb b/app/models/admin_user.rb
new file mode 100644
index 000000000..f45ab39ff
--- /dev/null
+++ b/app/models/admin_user.rb
@@ -0,0 +1,32 @@
+class AdminUser < User
+ devise :trackable, :timeoutable
+ # TODO: Foreign user will get email with activation link,email,temp-password.
+ # After activisation, system should require to change temp password.
+ # TODO: Estonian id validation
+
+ validates :username, :password, :country_code, presence: true
+ validates :identity_code, uniqueness: true, allow_blank: true
+ validates :identity_code, presence: true, if: -> { country_code == 'EE' }
+ validates :email, presence: true, if: -> { country_code != 'EE' }
+
+ validate :validate_identity_code
+ belongs_to :country_deprecated, foreign_key: :country_id
+
+ ROLES = %w(user customer_service admin)
+
+ def to_s
+ username
+ end
+
+ def country
+ Country.new(country_code)
+ end
+
+ private
+
+ def validate_identity_code
+ return unless identity_code.present?
+ code = Isikukood.new(identity_code)
+ errors.add(:identity_code, :invalid) unless code.valid?
+ end
+end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 248c648d5..fe0368125 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -1,8 +1,7 @@
 require 'open3'
 
 # rubocop: disable Metrics/ClassLength
-class ApiUser < ActiveRecord::Base
- include Versions # version/api_user_version.rb
+class ApiUser < User
 # TODO: should have max request limit per day
 belongs_to :registrar
 has_many :contacts
diff --git a/app/models/api_user_deprecated.rb b/app/models/api_user_deprecated.rb
new file mode 100644
index 000000000..f44719fbb
--- /dev/null
+++ b/app/models/api_user_deprecated.rb
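Review bot: In app/models/admin_user.rb, `validate_identity_code` runs the Isikukood check on every non-blank identity_code, while the presence rule a few lines above applies only when `country_code == 'EE'`, so a non-Estonian admin who supplies a national ID would presumably be rejected as invalid. If Isikukood only understands Estonian codes (its implementation is not in this diff), the guard could read `return unless country_code == 'EE' && identity_code.present?`. Separately, `ROLES` is a mutable array constant; `ROLES = %w(user customer_service admin).freeze` keeps later code from widening the role list at runtime.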
@@ -0,0 +1,52 @@
+require 'open3'
+
+# rubocop: disable Metrics/ClassLength
+class ApiUserDeprecated < ActiveRecord::Base
+ self.table_name = "api_users"
+ # TODO: should have max request limit per day
+ belongs_to :registrar
+ has_many :contacts
+
+ validates :username, :password, :registrar, presence: true
+ validates :username, uniqueness: true
+
+ before_save :create_crt, if: -> (au) { au.csr_changed? }
+
+ attr_accessor :registrar_typeahead
+
+ def registrar_typeahead
+ @registrar_typeahead || registrar || nil
+ end
+
+ def to_s
+ username
+ end
+
+ def queued_messages
+ registrar.messages.queued
+ end
+
+ def create_crt
+ csr_file = Tempfile.new('client_csr')
+ csr_file.write(csr)
+ csr_file.rewind
+
+ crt_file = Tempfile.new('client_crt')
+ _out, err, _st = Open3.capture3("openssl ca -keyfile #{APP_CONFIG['ca_key_path']} \
+ -cert #{APP_CONFIG['ca_cert_path']} \
+ -extensions usr_cert -notext -md sha256 \
+ -in #{csr_file.path} -out #{crt_file.path} -key '#{APP_CONFIG['ca_key_password']}' -batch")
+
+ if err.match(/Data Base Updated/)
+ crt_file.rewind
+ self.crt = crt_file.read
+ return true
+ else
+ errors.add(:base, I18n.t('failed_to_create_certificate'))
+ logger.error('FAILED TO CREATE CLIENT CERTIFICATE')
+ logger.error(err)
+ return false
+ end
+ end
+end
+# rubocop: enable Metrics/ClassLength
diff --git a/app/models/user.rb b/app/models/user.rb
index 0344fea48..e8179b538 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
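Review bot: `create_crt` in app/models/api_user_deprecated.rb interpolates the CA key password and the key/cert paths into one string that Open3.capture3 hands to a shell, so the password sits in the process argument list for the duration of the openssl call and any quote or metacharacter in those config values alters the command. Passing the arguments as a list and supplying the password through `-passin env:…` removes the shell and keeps the secret out of argv; the variable name in the fence is a placeholder. The two Tempfiles are never closed or unlinked, so the CSR and issued certificate linger in the temp directory until garbage collection; an `ensure` calling `close!` on both would fix that. Success is inferred from stderr matching `Data Base Updated` while the exit status `_st` is discarded, so also checking `_st.success?` would be safer. ApiUser presumably carries the same method outside this diff.

```ruby
def create_crt
  # … unchanged: csr_file / crt_file Tempfile setup …
  # argv form: no shell parses the config values; the key password is passed
  # through the child's environment (CA_KEY_PASSWORD is a placeholder name)
  _out, err, _st = Open3.capture3(
    { 'CA_KEY_PASSWORD' => APP_CONFIG['ca_key_password'] },
    'openssl', 'ca',
    '-keyfile', APP_CONFIG['ca_key_path'],
    '-cert', APP_CONFIG['ca_cert_path'],
    '-extensions', 'usr_cert', '-notext', '-md', 'sha256',
    '-in', csr_file.path, '-out', crt_file.path,
    '-passin', 'env:CA_KEY_PASSWORD', '-batch'
  )
  # … unchanged: stderr match, crt assignment, error branch …
```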
@@ -1,35 +1,3 @@
 class User < ActiveRecord::Base
 include Versions # version/user_version.rb
- # Include default devise modules. Others available are:
- # :confirmable, :lockable, :timeoutable and :omniauthable
- devise :trackable, :timeoutable
- # TODO: Foreign user will get email with activation link,email,temp-password.
- # After activisation, system should require to change temp password.
- # TODO: Estonian id validation
-
- validates :username, :password, :country_code, presence: true
- validates :identity_code, uniqueness: true, allow_blank: true
- validates :identity_code, presence: true, if: -> { country_code == 'EE' }
- validates :email, presence: true, if: -> { country_code != 'EE' }
-
- validate :validate_identity_code
- belongs_to :country_deprecated, foreign_key: :country_id
-
- ROLES = %w(user customer_service admin)
-
- def to_s
- username
- end
-
- def country
- Country.new(country_code)
- end
-
- private
-
- def validate_identity_code
- return unless identity_code.present?
- code = Isikukood.new(identity_code)
- errors.add(:identity_code, :invalid) unless code.valid?
- end
 end
diff --git a/db/migrate/20150213104014_merge_api_user_and_user.rb b/db/migrate/20150213104014_merge_api_user_and_user.rb
new file mode 100644
index 000000000..dcccf1e11
--- /dev/null
+++ b/db/migrate/20150213104014_merge_api_user_and_user.rb
@@ -0,0 +1,21 @@
+class MergeApiUserAndUser < ActiveRecord::Migration
+ def change
+ add_column :users, :registrar_id, :integer
+ add_column :users, :active, :boolean, default: false
+ add_column :users, :csr, :text
+ add_column :users, :crt, :text
+ add_column :users, :type, :string
+
+ User.all.each do |x|
+ x.type = 'AdminUser'
+ x.save
+ end
+
+ ApiUserDeprecated.all.each do |x|
+ attrs = x.attributes
+ attrs.delete('id')
+ ApiUser.skip_callback(:save, :before, :create_crt)
+ ApiUser.create!(attrs)
+ end
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 26b58e3f9..614fe9ae6 100644
--- a/db/schema.rb
+++ b/db/schema.rb
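Review bot: In the MergeApiUserAndUser migration, `x.save` discards its return value, so an existing user that fails the model's validations keeps `type` NULL and afterwards loads as a bare `User`, which after this commit carries no devise modules or validations. A single `update_all` sets the column without validations or callbacks and cannot skip rows silently. `ApiUser.skip_callback` is re-issued on every iteration and never restored, so it belongs once before the loop, and `find_each` avoids loading every legacy row at once. Because `change` cannot reverse the data copy, explicit `up`/`down` methods would describe the migration more honestly. The new `active` column defaults to false for the existing admin rows; confirm nothing gates sign-in on it.

```ruby
    # … unchanged: add_column calls …
    # one UPDATE, no validations or callbacks, so no row is skipped silently
    User.update_all(type: 'AdminUser')

    ApiUser.skip_callback(:save, :before, :create_crt) # once, not per row
    ApiUserDeprecated.find_each do |x|
      ApiUser.create!(x.attributes.except('id'))
    end
```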
@@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20150203135303) do +ActiveRecord::Schema.define(version: 20150213104014) do # These are extensions that must be enabled in order to support this database enable_extension "plpgsql" @@ -614,17 +614,22 @@ ActiveRecord::Schema.define(version: 20150203135303) do t.datetime "created_at" t.datetime "updated_at" t.string "email" - t.integer "sign_in_count", default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" t.inet "current_sign_in_ip" t.inet "last_sign_in_ip" t.string "identity_code" t.integer "country_id" - t.string "roles", array: true + t.string "roles", array: true t.string "creator_str" t.string "updator_str" t.string "country_code" + t.integer "registrar_id" + t.boolean "active", default: false + t.text "csr" + t.text "crt" + t.string "type" end create_table "versions", force: :cascade do |t|