• Use Alpine 3.13 and Python 3.9 in the Docker image.
• Include templates in installations via pip (fixes #72).

• Add support for Django 3.2.
• Prevent auto-completion of the CA password field in the admin interface.
• Improve CSR validation when using the admin interface.
• Check permissions when resigning certificates.
• Require the change certificate permission when revoking certificates.
• Preselect profile of original certificate when resigning certificates.
• Make sure that operators for OrderedSetExtension always return an instance of the implementing class, not of the base class.
• Certificate bundles now always end with a newline, as normal bundles do.
• Add setuptools extras for mysql and postgres.
• Add MySQL support for the Docker image.

Backwards incompatible changes

• Don't load configuration from localsettings.py (deprecated since 1.15.0).
• The x509 property and dump_certificate() where removed from CertificateAuthority and Certificate:
  • To access a string-encoded PEM use obj.pub.pem (was: obj.x509).
  • To update an instance with a certificate use update_certificate (was: obj.x509 = ...).
  • Use obj.pub.pem or obj.pub.der to get an encoded certificate (was: obj.dump_certificate()).
• Drop support for Django 3.0.
• Drop support for cryptography 2.8 and 2.9.
• Drop support for Celery 4.3 and 4.4.
• Drop support for idna 2.9.

Python API

• Store certificates and CSRs as bytes to improve access speed.

Linting and continuous integration

• Use GitHub Actions instead of Travis.
• Use pyproject.toml for all tools that support it.
• Code is now formatted with black.
• Code is now linted using pylint.
• Code is now fully type-hinted and type safe according to mypy. This requires the upcoming release of cryptography (current: 3.4).
• Documentation is now cleaned with doc8.
• Documentation is now spell-checked using sphinxcontrib.spelling.

Deprecation notices

• This is the last release to support cryptography 3.0, 3.1 and 3.2.
• Passing a str or bytes to CertificateManager.objects.create_cert() will be removed in django-ca 1.20.0.
• Passing a str as an algorithm in CertificateAuthority.get_crl(), django_ca.profiles.Profile.create_cert() is deprecated and will no longer work in django-ca 1.20.0. Pass a HashAlgorithm instance instead.
• django_ca.utils.parse_csr() is no longer useful and will be removed in django-ca 1.20.0.
• Creating an index for running an OCSP responder with openssl-ocsp(1SSL) is deprecated and will be removed in django-ca 1.20.0. The man page explicitly states it "is only useful for test and demonstration purposes", and we can solidly run our own responders by now.

• Update for compatibility with cryptography 3.4.
• Add support for Alpine 3.13.
• Due to cryptography requiring a relatively new version of Rust, support for Alpine<3.12 is dropped.

• Bugfix release for 1.17.0 to address packaging issues for wheels (when installed with pip install).
• Include acme submodule (fixes #67).
• Relax dependencies for josepy (fixes #68).
• Add tests in Dockerfile to make sure that these issues cannot happen again.

• New CA_DEFAUT_CA setting to consistently configure the CA used by default.
• Fix the --issuer-alt-name option for the init_ca/edit_ca management commands.
• Correctly handle IDNA domain names in URLs and certificates.
• Preliminary ACMEv2 support (disabled by default).
• CAs have new fields caa_identity, website and terms_of_service, which are used by ACME.
• Add support for Python 3.9.
• Add support for cryptography 3.1, 3.2 and 3.3.
• Start linting code with pylint.
• Secure CSRF and session cookies using Djangos SESSION_COOKIE_SECURE, CSRF_COOKIE_HTTPONLY and CSRF_COOKIE_SECURE settings.

Docker (Compose)

• Add thorough Quickstart with docker-compose.
• Collect static files on startup instead of during build. The latter causes problems with image updates.
• Make manage.py available as the manage shortcut.
• Add several security related headers to the admin interface (CSP, etc).
• Include a template for a complete TLS configuration.

Backwards incompatible changes

• Drop support for Python 3.5.
• Drop support for cryptography 2.7.
• Drop support for Celery 4.2.
• Drop support for idna 2.8.

Deprecation notices

• This is the last release to support Celery 4.3 and 4.4.
• This is the last release to support cryptography 2.8 and 2.9.
• This is the last release to support Django 3.0 (2.2 LTS will still be supported).
• This is the last release to support idna 2.9.
• This is the last release to support Alpine 3.10.

• This is a bugfix release for 1.16.0 that mostly addresses CRL validation issues.
• Add support for cryptography 3.1.
• Fix OCSP, Issuer and CRL URLs for intermediate CAs that are not a direct child of a root CA.
• Fix AuthorityKeyIdentifier in CRLs for intermediate CAs (see #65).
• Properly handle CommonNames which are not parseable as SubjectAlternativeName in admin interface (see #62).
• Minor documentation updates (see #63)
• Fix error in manage.py notify_expiring_certs in non-timezone aware setups.
• Override terminal size when running test cases, otherwise the output of argparse depends on the terminal size, leading to test failures on large terminals.

• Add support for cryptography 2.9 and 3.0.
• Add support for Django 3.1.
• The docker image is now based on Alpine Linux 3.12.
• Update redis to version 6 and nginx version 18 when using docker-compose
• Finally update Sphinx since numpydoc#215 is finally fixed.
• The profile used to generate the certificate is now stored in the database.
• It is no longer optional to select a profile in the admin interface when creating a certificate.
• Certificates have a new autogenerated boolean flag, which is True for automatically generated OCSP certificates.
• The admin interface will list only valid and non-autogenerated certificates by default.

Backwards incompatible changes

• Drop support for Django 1.11 and 2.1.
• Drop support for Celery 4.0 and 4.1.
• Drop support for OpenSSL 1.1.0f and earlier. This affects Debian oldoldstable (jessie), Ubuntu 16.04 and Alpine 3.8.
• Certificate.objects.init() and profiles.get_cert_profile_kwargs() were removed. Use Certificate.objects.create_cert() instead.

Deprecation notices

• This is the last release to support Python 3.5.
• This is the last release to support cryptography 2.7.
• This is the last release to support Celery 4.2.
• This is the last release to support idna 2.8.
• The Django project included in this git repository will stop loading localsetttings.py files in django-ca>=1.18.0.
• The format for the CA_PROFILES setting has changed in 1.14.0. Support for the old format will be removed in django-ca==1.17.0. Please see the migration instructions for what to change.

• Add support for Django 3.0.
• The docker image is now based on Alpine Linux 3.11.
• The default project now supports configuring django-ca using YAML configuration files. Configuration using localsettings.py is now deprecated and will be removed in django-ca>=1.18.0.
• Start supporting Celery tasks to allow running tasks in a distributed, asynchronous task queue. Some tasks will automatically be run with Celery if it is enabled. Celery is used automatically if installed, but can always be disabled by setting CA_USE_CELERY=False.
• Drop dependency six (since we no longer support Python 2.7).
• Allow caching of CRLs via manage.py cache_crls.
• The manage.py init_ca command will now automatically cache CRLs and generate OCSP keys for the new CA.
• Support POSTGRES_* and MYSQL_* environment variables to configure database access credentials in the same way as the Docker images for PostgreSQL and MySQL do.
• There now are setuptools extras for redis and celery, so you can install all required dependencies at once.
• Add CA_PASSWORDS setting to allow you to set the passwords for CAs with encrypted private keys. This is required for automated tasks where the private key is required.
• Add CA_CRL_PROFILES setting to configure automatically generated CRLs. Note that this setting will likely be moved to a more general setting for automatic tasks in future releases.
• django_ca.extensions.AuthorityKeyIdentifier now also supports issuers and serials.
• django_ca.utils.parse_general_name() now returns a cryptography.x509.GeneralName unchanged, but throws an error if the name isn't a str otherwise.
• New class django_ca.utils.GeneralNameList for extensions that store a list of general names.
• Add support for the django_ca.extensions.FreshestCRL extension.
• Store CA private keys in the ca/ subdirectory by default, the directory can be configured using manage.py init_ca --path=....

Backwards incompatible changes

• Drop support for Python 2.7.
• Drop support for cryptography 2.5 and 2.6.
• Drop support for Alpine 3.8 (because PostgreSQL and MySQL depend on libressl).
• Removed the manage.py migrate_ca command. If you upgrade from before 1.12.0, upgrade to 1.14.0 first and update file storage.
• Removed the ca_crl setting in django_ca.views.CertificateRevocationListView, use scope instead.

Docker

• Add a docker-compose.yml file to quickly launch a complete service stack.
• Add support for Celery, MySQL, PostgreSQL and Redis.
• Change the working directory to /usr/src/django-ca/ca, so manage.py can now be invoked using python manage.py instead of python ca/manage.py.
• Add a Celery startup script (./celery.sh).
• Add a nginx configuration template at nginx/default.template.
• Static files are now included in a "collected" form, so they don't have to collected on startup.
• Generate OCSP keys and cache CRLs on startup.
• Use BuildKit to massively speed up the Docker image build.

Bugfixes

• Fix generation of CRLs and OCSP keys for CAs with a DSA private key.
• Fix storing an empty list of CRL URLs in some corner cases (when the function receives an empty list).
• Fix naming CAs via serial on the command line if the serial starts with a zero.
• Consistently style serials in a monospace font in admin interface.
• The ocsp profile used for OCSP keys no longer copies the CommonName (which is the same as in the CA) to to the SubjectAlternativeName extension. The CommonName is frequently a human-readable name in CAs.

Deprecation notices

• This is the last release to support Django 1.11 and 2.1.
• The Django project included in this git repository will stop loading localsetttings.py files in django-ca>=1.18.0.
• Certificate.objects.init() and django_ca.profiles.get_cert_profile_kwargs were deprecated in 1.14.0 and will be removed in django-ca==1.16.0. Use Certificate.objects.create_cert() instead.
• The format for the CA_PROFILES setting has changed in 1.14.0. Support for the old format will be removed in django-ca==1.17.0. Please see the migration instructions for what to change.

• regenerate_ocsp_keys now has a quiet mode and only generates keys where the CA private key is available.
• Minor changes to make the release compatible with Django 3.0a1.
• Introduce a new, more flexible format for the The format of the CA_PROFILES setting. The new Profiles page provides more information and migration instructions
• New dependency: six, since Django 3.0 no longer includes it.
• New dependency: asn1crypto, since cryptography no longer depends on it.
• Serials are now zero-padded when output so that the last element always consists of two characters.
• More consistently output serials with colons, use a monospace font in the admin interface.
• Fix profile selection in the admin interface.
• Fix display of values from CSR in the admin interface.
• Add a copy-button next to values from the CSR to enable easy copy/paste from the CSR.
• Test suite now includes Selenium tests for all JavaScript functionality.
• dev.py coverage can now output a text summary using --format=text.

Backwards incompatible changes

• Drop support for cryptography 2.3 and 2.4.
• Drop support for idna 2.7.
• Extensions now always expect a dict or a cryptography extension as a value. Anything else was unused in practice.
• KeyUsage, ExtendedKeyUsage and TLSFeature now behave like an ordered set and support all operators that a set does.
• Running an OCSP responder using oscrypto/ocspbuilder is no longer supported.

Extensions

• KeyUsage is now marked as critical by default.
• ExtendedKeyUsage now supports the anyExtendedKeyUsage OID.

Deprecation notices

• This is the last release to support Python 2.7.
• This is the last release to support cryptography 2.5 and 2.6.
• This is the last release to be tested with Alpine 3.7.
• This is the last release to support updating CA private keys to the Filestorage API. python manage.py migrate_ca will be removed in the next release.
• This will be the last release to support the ca_crl setting in CertificateRevocationListView.
• Certificate.objects.init() has been deprecated in favor of Certificate.objects.create_cert(). The old method will be removed in django-ca==1.16.
• get_cert_profile_kwargs() was only used by init() and will thus also be removed in django-ca==1.16.
• The old format for CA_PROFILES will be supported until django-ca==1.16. Please see Update from django-ca<=1.13 for migration instructions.

• Add support for cryptography 2.7.
• Moved setup.py recreate_fixtures to recreate-fixtures.py.
• Moved all other extra setup.py commands to dev.py to remove clutter.
• Move fab init_demo to dev.py init-demo.
• Use OpenSSL instead of LibreSSL in Dockerfile to enable testing for Alpine 3.7. The cryptography documentation also suggests OpenSSL.
• The Fabric file has been removed.
• Remove the CA_PROVIDE_GENERIC_CRL setting, the default URL configuration now includes it.
• The docker image is now based on Alpine Linux 3.10.
• BACKWARDS INCOMPATIBLE: Drop support for cryptography 2.2.
• BACKWARDS INCOMPATIBLE: Drop support for idna 2.6.

Deprecation Notices

• This is the last release to support cryptography 2.3 and 2.4.
• This is the last release to support idna 2.7.
• This is the last release to support OCSP using oscrypto/ocspbuilder.
• CertificateRevocationListView.ca_cr is deprecated in favor of the scope parameter. If you have set ca_crl=True just set scope="ca" instead.
• A new more extendable format for the CA_PROFILES setting will be introduced in 1.14.0. As a result, extensions will no longer support instantiation from lists or strings, so avoid usage whereever you can.

Extensions

• Implement the CRLDistributionPoints extension and CertificatePolicies extension.
• Add the ipsecEndSystem, ipsecTunnel and ipsecUser extended key usage types. These are actually very rare and only occur in the "TrustID Server A52" CA.
• Extensions now consistently serialize to dictionaries.

Command-line interface

• The view_ca command will now display the full path to the private key, if possible.
• The migrate_ca command now has a --dry parameter and has a updated help texts.
• The new regenerate_ocsp_keys command allows you to automatically generate OCSP keys that are used by the new default OCSP views.

Python API

• Add the root property to CAs and certificates returning the root Certificate Authority.
• sign_cert() now also accepts a CertificateSigningRequest as csr value.
• Add the issuer_url, crl_url, ocsp_url and issuer_alternative_name parameter to sign_cert() to allow overriding or disabling the default values from the CA. This can also be used to pass extensions that do not just contain the URL using the extra_extensions parameter.
• Add the get_crl() function to get a CRL for the CA.
• Add the generate_ocsp_key() function to generate OCSP keys that are automatically picked up by the generic OCSP views.
• Both CertificateAuthority and Certificate now have a root property pointing to the Root CA.

OCSP

• The CA_DEFAULT_HOSTNAME setting is now used to set generic OCSP urls by default.
• The dump_ocsp_index management command now excludes certificates expired for more then a day or are not yet valid.

CRLs

• Issued CRLs now confirm to RFC 5280:

  • Add the CRL Number extension.
  • Add the Authority Key Identifier extension.

• Add the Issuing Distribution Point extension. This extension requires that you use cryptography>=2.5.

• Add support for setting an Invalidity Date (see RFC 5280, 5.3.2) for CRLs, indicating when the certificate was compromised.

• CRL entries will no longer include a Reason Code if the reason is unspecified (recommended in RFC 5280).

• Expose an API for creating CRLs via CertificateAuthority.get_crl().