Django app providing a Certificate Authority
[!NOTE] django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see RFC 4514 subjects for migration information.
[!NOTE] Docker Compose users: The PostgreSQL version was updated to PostgreSQL 16. See PostgreSQL update for update instructions.
- `Django~=5.0`, `cryptography~=42`, `acme==2.8.0` and `acme==2.9.0`.
- `pydantic>=2.5` is now a required dependency.
- `CA_FILE_STORAGE` and `CA_FILE_STORAGE_KWARGS` settings are deprecated in favor of `CA_KEY_BACKENDS` and will be removed in `django-ca==2.0`. Installations as Django app must add a `"django-ca"` storage alias in their configuration.
- `--sign-ca-issuer`, `--sign-ocsp-responder` and `--sign-issuer-alternative-name` options to `manage.py sign_cert` etc. now support any general name type and giving multiple general names.
- `--sign-crl-distribution-points-critical`.
- `manage.py sign_cert` `--cn-in-san` option was removed.

This version adds support for "key backends", allowing you to store and use private keys in different places, for example the file system or a Hardware Security Module (HSM). At present, the only backend available uses the Django file storage API, usually storing private keys on the file system. Future versions will add support for other ways to handle private keys, including HSMs.
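The settings migration described above (the deprecated `CA_FILE_STORAGE`/`CA_FILE_STORAGE_KWARGS` pair replaced by a `"django-ca"` storage alias and a `CA_KEY_BACKENDS` entry), as an added illustration that is not code from the django-ca project or its documentation. The backend class path `django_ca.key_backends.storages.StoragesBackend`, the `storage_alias` option name and the `check_key_backend_storage` startup check are assumptions, not django-ca's own API.

```python
# Added illustration, not code from the django-ca project or its docs: a Django
# settings fragment that moves from the deprecated CA_FILE_STORAGE /
# CA_FILE_STORAGE_KWARGS pair to the "django-ca" storage alias plus CA_KEY_BACKENDS.
# The key backend class path and the "storage_alias" option name are ASSUMPTIONS
# about django-ca's API; check the release's own documentation before copying.

# Deprecated pair (slated for removal in django-ca==2.0):
# CA_FILE_STORAGE = "django.core.files.storage.FileSystemStorage"
# CA_FILE_STORAGE_KWARGS = {"location": "/var/lib/django-ca/files"}

# Replacement: a dedicated alias in Django's STORAGES setting. Keeping CA keys in
# their own storage (not "default", which also holds media uploads) means a bug in
# media handling cannot expose or overwrite private key files.
STORAGES = {
    "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
    "staticfiles": {"BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"},
    "django-ca": {
        "BACKEND": "django.core.files.storage.FileSystemStorage",
        "OPTIONS": {
            "location": "/var/lib/django-ca/files",  # constructed sample path
            "file_permissions_mode": 0o600,  # key files readable by the app user only
        },
    },
}

# Key backend that uses the alias above (class path and option name are assumed).
CA_KEY_BACKENDS = {
    "default": {
        "BACKEND": "django_ca.key_backends.storages.StoragesBackend",
        "OPTIONS": {"storage_alias": "django-ca"},
    },
}


def check_key_backend_storage(key_backends, storages):
    """Return names of key backends whose storage_alias is missing from STORAGES.

    Hypothetical startup check (e.g. wired into a Django system check) so that a
    forgotten alias fails at boot instead of when the first CA key is loaded.
    """
    missing = []
    for name, config in key_backends.items():
        alias = config.get("OPTIONS", {}).get("storage_alias")
        if alias is not None and alias not in storages:
            missing.append(name)
    return missing
```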
[!NOTE] The REST API is still experimental and endpoints will change without notice.
The update to django-ninja 1.1 and Pydantic brings a general update on how extensions are represented. Any code using the API will have to be updated.
- `django-ninja==1.1.0`, including a full migration to Pydantic 2.
- `type` parameter indicating the extension type.
- `Django~=3.2`, `acme==1.26.0` and `Alpine~=3.16`.
- `django_ca.extensions.serialize_extension()` is removed and replaced by Pydantic serialization.
- `cryptography~=41.0`, `acme~=2.7.0` and `acme~=2.8.0`.
- `django_ca.extensions.parse_extension()` is deprecated and should no longer be used. Use Pydantic models instead.
- `manage.py convert_timestamps` command will be removed in `django-ca==2.0`.
- `CA_FILE_STORAGE` and `CA_FILE_STORAGE_KWARGS` settings are deprecated in favor of `CA_KEY_BACKENDS` and will be removed in `django-ca==2.0`.

NOTE: django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see RFC 4514 subjects for migration information.
- `--subject-format=rfc4514` option. This format will become the default in django-ca 2.0.
- `--issuer-url`, `--issuer-alt-name`, `--crl-url` and `--ocsp-url` options for `manage.py init_ca`, `manage.py edit_ca` and `manage.py import_ca` in favor of `--sign-ca-issuer`, `--sign-issuer-alternative-name`, `--sign-crl-full-name` and `--sign-ocsp-responder`.
- `Django==4.1`, `cryptography==40.x`, `acme==1.25.0` and `celery==5.2.x`.
NOTE: The REST API is still experimental and endpoints will change without notice.

- `--enable-api` flag for `manage.py init_ca`, `manage.py edit_ca` and `manage.py import_ca`.
- `POSTGRES_` configuration environment variables when using the default PostgreSQL backend. It previously only worked for an old, outdated alias name.
- `django_ca/` prefix).
- `False`.
- `ECC` and `EdDSA` as key types (e.g. when using `manage.py init_ca`) was removed. Use `EC` and `Ed25519` instead. The old names were deprecated since 1.23.0.
- `--pathlen` and `--no-pathlen` options for `manage.py init_ca` in favor of `--path-length` and `--no-path-length`. The old options were deprecated since 1.24.0.
- `--key-usage`, `--extended-key-usage` and `--tls-feature` command-line options was removed. The old format was deprecated since 1.24.0.
- `psycopg3` for using Psycopg 3. This extra will be removed once support for Django 3.2 is removed. Psycopg 3 will be required in the `postgres` extra from then on.
- `manage.py import_ca`.
- `manage.py init_ca` and `manage.py edit_ca` are renamed. See the update notes for more information.
- `CA_DIGEST_ALGORITHM` setting was removed. Use `CA_DEFAULT_SIGNATURE_HASH_ALGORITHM` instead.
- `CA_DEFAULT_ECC_CURVE` setting was removed. Use `CA_DEFAULT_ELLIPTIC_CURVE` instead.
- `--algorithm` argument was removed.
- `--elliptic-curve` argument was removed.
- `--ecc-curve` for `--elliptic-curve` was removed.
- `manage.py init_ca` and `manage.py edit_ca` are renamed, old options will be removed in django-ca 1.27.0. See the update notes for more information.
- `True` in the Django project. See Switch to USE_TZ=True by default for update information.
- `USE_TZ=True`. See Switch to USE_TZ=True by default for update information.
- `manage.py resign_cert`.
Continuing the standardization effort started in 1.23.0, some options have been replaced and/or use a different syntax. See the update notes for more detailed instructions.

- `--pathlen` and `--no-pathlen` parameters for `manage.py init_ca` were renamed to `--path-length` and `--no-path-length`.
- `--key-usage` option was changed to/split into `--key-usage` and `--key-usage-non-critical`. `--key-usage` takes multiple option values instead of a single comma-separated list.
- `--ext-key-usage` option was changed to/split into `--extended-key-usage` and `--extended-key-usage-critical`. `--extended-key-usage` takes multiple option values instead of a single comma-separated list.
- `--tls-feature` option was changed to/split into `--tls-feature` and `--tls-feature-critical`. `--tls-feature` takes multiple option values instead of a single comma-separated list.
- `manage.py init_ca`.
- `manage.py init_ca`.
- `manage.py sign_cert` or `manage.py resign_cert`.
- `manage.py revoke_cert`.
- `--ext-key-usage` flag to `manage.py sign_cert` was replaced with `--extended-key-usage`.
- `pre_issue_cert` was removed. Use the `pre_sign_cert` signal instead.
- Removed in `django-ca==1.25.0`:
  - `CA_DIGEST_ALGORITHM` setting, use `CA_DEFAULT_SIGNATURE_HASH_ALGORITHM` instead.
  - `CA_DEFAULT_ECC_CURVE` setting, use `CA_DEFAULT_ELLIPTIC_CURVE` instead.
  - `sha512`, use `SHA-512` instead).
  - `SECP384R1`, use `secp384r1` instead).
- Removed in `django-ca==1.26.0`:
  - `cryptography==39` and `acme==2.4.0` (other versions may be removed depending on release time).
  - `ECC` and `EdDSA` as key type. Use `EC` and `Ed25519` instead.
  - `--pathlen` and `--no-pathlen` parameters to `manage.py init_ca` will be removed. Use `--path-length` and `--no-path-length` instead.
  - `--key-usage`, `--extended-key-usage` and `--tls-feature`. Use lists instead (e.g. `--key-usage keyAgreement keyEncipherment` instead of `--key-usage keyAgreement,keyEncipherment`).
  - `status_request` and `status_request_v2` instead.
- [built-in Redis cache](https://docs.djangoproject.com/en/4.1/topics/cache/#redis) in the docker compose setup.

Almost all extensions used in end entity certificates can now be modified when creating new certificates. The following additional extensions are now modifiable: Authority Information Access, CRL Distribution Points, Freshest CRL, Issuer Alternative Name, OCSP No Check and TLS Feature.

Limitations:

- Initial values for the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions are set based on information from the default certificate authority. Values may be masked by the default profile.
- Selecting a certificate authority will automatically update the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions based on the configuration.
- Because the user can now modify the extensions directly, the `add_*` directives for a profile now have no effect when issuing a certificate through the admin interface.
- `termsOfService` field during registration.
- `python:3.11-alpine3.17`.
- `--ca-crl` parameter in `manage.py dump_crl` (this was a leftover and has been marked as deprecated since 1.12.0).
- `django-redis-cache` from the `redis` extra, as the project is abandoned. Please switch to the built-in redis cache instead. If you still use Django 3.2, please manually install the backend.
- `ExtendedKeyUsageOID.KERBEROS_CONSTRAINED_DELEGATION` was removed, use the identical `ExtendedKeyUsageOID.KERBEROS_PKINIT_KDC` instead.
- `acme` extra will be removed in the next release.
- `pre_issue_cert` is deprecated and will be removed in `django_ca==1.24.0`. Use the new `pre_sign_cert` signal instead.
- `django_ca.subject.Subject` is deprecated and will be removed in `django-ca==1.24.0`.
- `django_ca.extensions` are deprecated and will be removed in `django_ca==1.24.0`.
- `acme` extra is now empty (and will be removed in `django-ca==1.23.0`).
- `dict` will be removed in `django-ca==1.23.0`.
- `SECRET_KEY` setting when using docker and docker-compose.
- `acme` extra will be removed in `django-ca==1.23.0`.
- `CA_DEFAULT_SUBJECT` setting will be removed in `django-ca==1.23.0`.

WARNING docker-compose users: Update from 1.18 or earlier? See the update notes or you might lose private keys!

- `django_ca.utils.shlex_split()` was renamed to `django_ca.utils.split_str`. The old name will be removed in `django_ca==1.22`.
- `pytz` as dependency (and use `datetime.timezone` directly).
- `--bundle` option to `manage.py sign_cert` to allow writing the whole certificate bundle.
- ACMEv2 support will be included and enabled by default starting with `django-ca==1.22`. You will still have to enable the ACMEv2 interface for each CA that should provide one. The documentation has been updated to assume that you want to enable ACMEv2 support.
- `settings.USE_TZ=True` (fixes #82).
- `manage.py dump_ocsp_index` command.
- `--csr-format` parameter to `manage.py sign_cert` (deprecated since 1.18.0).
- `django_ca.utils.parse_csr()` has been removed (deprecated since 1.18.0).

WARNING: docker-compose users: See the update notes or you might lose private keys!

- `dnQualifier`, `PC`, `DC`, `title`, `uid` and `serialNumber`.
- `issuer` always matches the `subject` from the CA that signed it.
- `manage.py regenerate_ocsp_key` with celery enabled.
- `UTF8` strings were not DER encoded.
- `EdDSA` keys.
- `python:3.10-alpine3.14`.
- `html-check` target for documentation generation.
- `idna<=3.1`.
- `issuer_name` field in a profile is deprecated and no longer has any effect. The parameter will be removed in django-ca 1.22.