Django app providing a Certificate Authority
change certificate
permission when revoking certificates.mysql
and postgres
.localsettings.py
(deprecated since 1.15.0
).x509
property and dump_certificate()
were removed from CertificateAuthority and Certificate:
obj.pub.pem
(was: obj.x509
).obj.x509 = ...
).obj.pub.pem
or obj.pub.der
to get an encoded certificate (was: obj.dump_certificate()
).pyproject.toml
for all tools that support it.str
or bytes
to CertificateManager.objects.create_cert() will be removed in django-ca 1.20.0.str
as an algorithm in CertificateAuthority.get_crl(), django_ca.profiles.Profile.create_cert() is deprecated and will no longer work in django-ca 1.20.0. Pass a HashAlgorithm instance instead.--issuer-alt-name
option for the init_ca/edit_ca management commands.caa_identity
, website
and terms_of_service
, which are used by ACME.SESSION_COOKIE_SECURE
, CSRF_COOKIE_HTTPONLY
and CSRF_COOKIE_SECURE
settings.manage.py
available as the manage
shortcut.manage.py notify_expiring_certs
in non-timezone aware setups.redis
to version 6 and nginx version 18 when using docker-compose.
autogenerated
boolean flag, which is True
for automatically generated OCSP certificates.Certificate.objects.init()
and profiles.get_cert_profile_kwargs()
were removed. Use Certificate.objects.create_cert() instead.localsettings.py
files in django-ca>=1.18.0
.CA_PROFILES
setting has changed in 1.14.0. Support for the old format will be removed in django-ca==1.17.0
. Please see the migration instructions for what to change.localsettings.py
is now deprecated and will be removed in django-ca>=1.18.0
.CA_USE_CELERY=False
.six
(since we no longer support Python 2.7).manage.py cache_crls
.manage.py init_ca
command will now automatically cache CRLs and generate OCSP keys for the new CA.POSTGRES_*
and MYSQL_*
environment variables to configure database access credentials in the same way as the Docker images for PostgreSQL and MySQL do.redis
and celery
, so you can install all required dependencies at once.CA_PASSWORDS
setting to allow you to set the passwords for CAs with encrypted private keys. This is required for automated tasks where the private key is required.CA_CRL_PROFILES
setting to configure automatically generated CRLs. Note that this setting will likely be moved to a more general setting for automatic tasks in future releases.django_ca.extensions.AuthorityKeyIdentifier
now also supports issuers and serials.django_ca.utils.parse_general_name()
now returns a cryptography.x509.GeneralName
unchanged, but throws an error if the name isn't a str
otherwise.django_ca.utils.GeneralNameList
for extensions that store a list of general names.django_ca.extensions.FreshestCRL
extension.ca/
subdirectory by default, the directory can be configured using manage.py init_ca --path=...
.manage.py migrate_ca
command. If you upgrade from before 1.12.0, upgrade to 1.14.0 first and update file storage.ca_crl
setting in django_ca.views.CertificateRevocationListView
, use scope
instead./usr/src/django-ca/ca
, so manage.py can now be invoked using python manage.py
instead of python ca/manage.py
../celery.sh
).nginx/default.template
.ocsp
profile used for OCSP keys no longer copies the CommonName (which is the same as in the CA) to the SubjectAlternativeName extension. The CommonName is frequently a human-readable name in CAs.localsettings.py
files in django-ca>=1.18.0
.Certificate.objects.init()
and django_ca.profiles.get_cert_profile_kwargs
were deprecated in 1.14.0 and will be removed in django-ca==1.16.0
. Use Certificate.objects.create_cert()
instead.CA_PROFILES
setting has changed in 1.14.0. Support for the old format will be removed in django-ca==1.17.0
. Please see the migration instructions for what to change.regenerate_ocsp_keys
now has a quiet mode and only generates keys where the CA private key is available.dev.py coverage
can now output a text summary using --format=text
.oscrypto
/ocspbuilder
is no longer supported.anyExtendedKeyUsage
OID.python manage.py migrate_ca
will be removed in the next release.ca_crl
setting in CertificateRevocationListView.django-ca==1.16
.django-ca==1.16
.CA_PROFILES
will be supported until django-ca==1.16
. Please see Update from django-ca<=1.13 for migration instructions.setup.py recreate_fixtures
to recreate-fixtures.py
.setup.py
commands to dev.py
to remove clutter.fab init_demo
to dev.py init-demo
.CA_PROVIDE_GENERIC_CRL
setting, the default URL configuration now includes it.oscrypto
/ocspbuilder
.CertificateRevocationListView.ca_cr
is deprecated in favor of the scope
parameter. If you have set ca_crl=True
just set scope="ca"
instead.ipsecEndSystem
, ipsecTunnel
and ipsecUser
extended key usage types. These are actually very rare and only occur in the "TrustID Server A52" CA.view_ca
command will now display the full path to the private key, if possible.migrate_ca
command now has a --dry
parameter and has updated help texts.regenerate_ocsp_keys
command allows you to automatically generate OCSP keys that are used by the new default OCSP views.root
property to CAs and certificates returning the root Certificate Authority.csr
value.issuer_url
, crl_url
, ocsp_url
and issuer_alternative_name
parameter to sign_cert() to allow overriding or disabling the default values from the CA. This can also be used to pass extensions that do not just contain the URL using the extra_extensions
parameter.root
property pointing to the Root CA.dump_ocsp_index
management command now excludes certificates that have been expired for more than a day or are not yet valid.
Issued CRLs now conform to RFC 5280:
Add the Issuing Distribution Point extension. This extension requires that you use cryptography>=2.5.
Add support for setting an Invalidity Date (see RFC 5280, 5.3.2) for CRLs, indicating when the certificate was compromised.
CRL entries will no longer include a Reason Code if the reason is unspecified (recommended in RFC 5280).
Expose an API for creating CRLs via CertificateAuthority.get_crl().