[!NOTE]
django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see RFC 4514 subjects for migration information.

[!NOTE]
Docker Compose users: The PostgreSQL version was updated to PostgreSQL 16. See PostgreSQL update for update instructions.

Major changes

• Add support for Django~=5.0, cryptography~=42, acme==2.8.0 and acme==2.9.0.
• Docker Compose: The PostgreSQL version was updated to PostgreSQL 16. See PostgreSQL update for update instructions.
• pydantic>=2.5 is now a required dependency.
• Preparations for support for using Hardware Security Modules, "Key backend support" below.
• The CA_FILE_STORAGE and CA_FILE_STORAGE_KWARGS settings are deprecated in favor of CA_KEY_BACKENDS and will be removed in django-ca==2.0. Installations as Django app must add a "django-ca" storage alias in their configuration.
• The CA_PASSWORDS setting is now consistently used whenever required.
• Private keys (for CAs and OCSP responder certificates) are now stored as DER keys to improve loading speed.
• The admin interface now presents lists of general names (e.g. in the Subject Alternative Name extension) as a list of order-able key/value pairs when adding certificates.
• Extensions added by the CA when signing new certificates can now have the same complexity as when giving the extensions directly when signing the certificate:
  • The --sign-ca-issuer, --sign-ocsp-responder and --sign-issuer-alternative-name options to manage.py sign_cert etc. now support any general name type and giving multiple general names.
  • The CRL Distribution Points extension added to certificates may now be marked as critical via --sign-crl-distribution-points-critical.
  • When editing a CA, the admin interface presents these fields in the same way as when signing a
    certificate.
• Remove the option to add the Common Name to the Subject Alternative Name extension, as the result is unpredictable:
  • The manage.py sign_cert --cn-in-san option was removed.
  • The checkbox in the admin interface was removed.
  • The profile option no longer has any effect and issues a warning.
• Add Pydantic models for cryptography classes. These are required for the REST API, but are also used internally for various places where serialization of objects is required.
• Support for configuring absolute paths for OCSP responder certificates in manual OCSP views was removed. This was a left over, it was deprecated and issued a warning since 2019.
• Fixed bash shortcut if installing from source to allow spaces (fixes #123).

Key backend support

This version adds support for "key backends", allowing you to store and use private keys in different places,
for example the file system or a Hardware Security Module (HSM). At present, the only backend available uses
the Django file storage API, usually storing private keys on the file system.

Future versions will add support for other ways to handle private keys, including HSMs.

REST API changes

[!NOTE]
The REST API is still experimental and endpoints will change without notice.

The update to django-ninja 1.1 and Pydantic brings a general update on how extensions are represented. Any
code using the API will have to be updated.

• Update to django-ninja==1.1.0, including a full migration to Pydantic 2.
• The format of extensions now includes a type parameter indicating the extension type.
• Extension objects are now more in line with RFC 5280 and no longer use arbitrary abbreviations.
• Extensions are now represented as a list.
• General names are now represented as an object, instead of string that has to be parsed.

Backwards incompatible changes

• Docker Compose: The PostgreSQL version was updated to PostgreSQL 16. See PostgreSQL update for update instructions.
• Drop support for Django~=3.2, acme==1.26.0 and Alpine~=3.16.
• django_ca.extensions.serialize_extension() is removed and replaced by Pydantic serialization.

Deprecation notices

• This is the last release to support Python 3.8, cryptography~=41.0, acme~=2.7.0 and acme~=2.8.0.
• The default subject format will switch from OpenSSL-style to RFC 4514 in django-ca 2.0.
• Support for OpenSSL-style subjects will be removed in django-ca 2.2.
• django_ca.extensions.parse_extension() is deprecated and should not longer be used. Use Pydantic models instead.
• The manage.py convert_timestamps command will be removed in django-ca==2.0.
• The CA_FILE_STORAGE and CA_FILE_STORAGE_KWARGS settings are deprecated in favor of CA_KEY_BACKENDS and will be removed in django-ca==2.0.

NOTE: django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see
RFC 4514 subjects for migration information.

• Add support for Python 3.12 and acme 2.7.0.
• Update the Docker image to use Alpine Linux 3.18 with Python 3.12.
• Add support for passing subjects in RFC 4514 format when creating certificate authorities and certificates via the --subject-format=rfc4514 option. This format will become the default in django-ca 2.0.
• Support for subjects in OpenSSL-style format when creating certificate authorities and certificates is deprecated and will issue a warning. Support for this format will be removed in django-ca 2.2.
• CA_DEFAULT_SUBJECT, subjects in profiles and CA_DEFAULT_NAME_ORDER now also support a dotted string to include arbitrary object identifiers.
• CA_DEFAULT_NAME_ORDER can now be configured in YAML files.
• Do not implicitly sort the subject of new certificate authorities according to CA_DEFAULT_NAME_ORDER. The user is expected to supply the correct order.
• When signing certificates via the command line, implicitly sort the subject only when the profile defines a subject and/or the CommonName is not given and added via the SubjectAlternativeName extension. If neither is the case, the user is expected to supply the correct order.

Backwards incompatible changes

• Removed support for the old --issuer-url, --issuer-alt-name, --crl-url and --ocsp-url options for manage.py init_ca, manage.py edit_ca and manage.py import_ca in favor of --sign-ca-issuer, --sign-issuer-alternative-name, --sign-crl-full-name and --sign-ocsp-responder.
• Support for non-standard algorithm names in profile settings was removed.
• Drop support for Django==4.1, cryptography==40.x, acme==1.25.0 and celery==5.2.x.

Deprecation notices

• The default subject format will switch from OpenSSL-style to RFC 4514 in django-ca 2.0.
• Support for OpenSSL-style subjects will be removed in django-ca 2.2.
• This is the last release to support Django 3.2.
• This is the last release to support acme 2.6.0.
• This is the last release to support Alpine 3.16.

REST API changes

NOTE: The REST API is still experimental and endpoints will change without notice.

• Certificate issuance is now asynchronous, similar to how certificates are issued via ACME. This enables using CAs where the private key is not directly available to the web server.
• The REST API must now be enabled explicitly for each certificate authority. This can be done via the admin interface or the --enable-api flag for manage.py init_ca, manage.py edit_ca and manage.py import_ca.

• Add experimental support for a REST API (fixes #107).
• Add support for configuring certificate authorities to automatically include a Certificate Policy extension when signing certificates.
• Add support for configuring how long automatically generated OCSP responder certificates are valid.
• Add support for configuring how long OCSP responses of the automatically configured OCSP responder will be valid (fixes #102).
• The web interface now allows creating certificates with arbitrary or even empty subjects (fixes #77).
• The certificate subject is now displayed as a unambiguous list instead of a string. The issuer is now also shown in the same way.
• Fix NGINX configuration updates when using Docker Compose. The previous setup did not update configuration on update if parts of it changed.
• Fix POSTGRES_ configuration environment variables when using the default PostgreSQL backend. It previously only worked for an old, outdated alias name.
• The root URL path can now be configured via the CA_URL_PATH setting. This allows you to use shorter URLs (that is, without the django_ca/ prefix).
• The admin interface can now be disabled by setting the new ENABLE_ADMIN setting to False.

Backwards incompatible changes

• Drop support for cryptography 37 and cryptography 39, acme 2.4.0 and celery 5.1.
• Passing ECC and EdDSA as key types (e.g when using :command:manage.py init_ca) was removed. Use EC and Ed25519 instead. The old names where deprecated since 1.23.0.
• Removed support for the old --pathlen and --no-pathlen options for manage.py init_ca in favor of --path-length and -no-path-length. The old options where deprecated since 1.24.0.
• Using comma-separated lists for the --key-usage, --extended-key-usage and --tls-feature command-line options was removed. The old format was deprecated since 1.24.0.
• Remove support for HTTP Public Key Pinning, as it is obsolete.

Deprecation notices

• This is the last release to support Django 4.1.
• This is the last release to support cryptography 40.
• This is the last release to support acme 2.5.0.
• This is the last release to support celery 5.2.

• Add support for cryptography 41, acme 2.6.0 and celery 5.3.
• Update the Docker image to use Alpine Linux 3.18.
• Add support for adding the Certificate Policy and Issuer Alternative Name extensions when creating certificate authorities or end-entity certificates via the command-line.
• Add support for adding the Extended Key Usage, Issuer Alternative Name and Subject Alternative Name extensions when creating certificate authorities.
• Add support for overriding the Authority Information Access, CRL Distribution Points and OCSP No Check extensions when creating end-entity certificates via the command-line.
• Add support for string formatting operations on URL paths (see String formatting in URIs) in Authority Information Access and CRL Distribution Point extensions.
• Add a temporary pip extra psycopg3 for using Psycopg 3. This extra will be removed once support for Django 3.2 is removed. Psycopg 3 will be required in the postgres extra from then on.
• Fix import parameters to manage.py import_ca.
• Further standardizing the command-line interface, some options for manage.py init_ca and manage.py edit_ca are renamed. See the update notes for more information.

Backwards incompatible changes

• Drop support for acme 2.3.0 and cryptography 38.
• The CA_DIGEST_ALGORITHM setting was removed. Use CA_DEFAULT_SIGNATURE_HASH_ALGORITHM instead.
• The CA_DEFAULT_ECC_CURVE setting was removed. Use CA_DEFAULT_ELLIPTIC_CURVE instead.
• Support for non-standard algorithm names for the --algorithm argument was removed.
• Support for non-standard elliptic curve names via the --elliptic-curve argument was removed.
• Support for custom signature hash algorithms in CRLs was removed. The algorithm used for signing the certificate authority is now always used.
• The old alias --ecc-curve for --elliptic-curve was removed.

Deprecation notices

• This is the last release to support cryptography 37 and cryptography 39.
• This is the last release to support acme 2.4.0.
• This is the last release to support celery 5.1.
• Support for non-standard algorithm names in profile settings will be removed in django-ca 1.27.0.
• Several options manage.py init_ca and manage.py edit_ca are renamed, old options will be removed in django-ca 1.27.0. See the update notes for more information.

Warnings

• Django app or source users: Changes in cryptography 38 make it incompatible with common versions of certbot. See Warning: cryptography version 38.
• docker or source users that do not use PostgreSQL: The USE_TZ setting was switched to True in the Django project. See Switch to USE_TZ=True by default for update information.

General changes

• Add support for cryptography 40.0, django 4.2 and acme 2.4.0 and 2.5.0.
• Use Django's timezone support by default by enabling USE_TZ=True. See Switch to USE_TZ=True by default for update information.
• Make the default order of subjects configurable via CA_DEFAULT_NAME_ORDER.
• Certificates for OCSP responders now include the OCSPNoCheck extension by default.
• Certificates for OCSP responders now use a commonName designating the certificate as OCSP responder as subject, other fields from the CAs subject are discarded.
• A profile can now ignore CA_DEFAULT_SUBJECT by setting subject to False.
• Copy all extensions when using manage.py resign_cert.
• Add support for multiple OCSP responder and CA Issuer entries when creating a certificate authority.
• Add typehints when installing as wheel.

Command-line interface

Continuing the standardization effort started in 1.23.0, some options have been replaced and/or use a
different syntax. See the update notes for more detailed instructions.

• The --pathlen and --no-pathlen parameters for manage.py init_ca were renamed to --path-length and --no-path-length.
• The --key-usage option was changed to/split into --key-usage and --key-usage-non-critical. --key-usage takes multiple option values instead of a single coma-separated list.
• The --ext-key-usage option was changed to/split into --extended-key-usage and --extended-key-usage-critical. --extended-key-usage takes multiple option values instead of a single coma-separated list.
• The --tls-feature option was changed to/split into --tls-feature and --tls-feature-critical. --tls-feature takes multiple option values instead of a single coma-separated list.
• Add support for specifying a custom Key Usage extension when using manage.py init_ca.
• Add support for adding the Inhibit anyPolicy, Policy Constraints and TLS feature extensions when using manage.py init_ca.
• Add support for adding the OCSP No Check extension in when issuing certificates with manage.py sign_cert or manage.py resign_cert.
• Add support for specifying a date when the certificate was compromised when revoking a certificate with manage.py revoke_cert.

Backwards incompatible changes

• The --ext-key-usage flag to manage.py sign_cert was replaced with --extended-key-usage.
• The critical flag for the Key Usage, Extended Key Usage and TLS Feature is now set with dedicated options, with the recommended value being the default. See above and the update notes for details.
• The pre_issue_cert was removed. Use the pre_sign_cert signal instead.

Deprecation notices

Removed in django-ca==1.25.0:

• This is the last release to support acme 2.3.0 and cryptography 38 (cryptography 37 is still supported, see Warning: cryptography version 38).
• Support for the CA_DIGEST_ALGORITHM setting, use CA_DEFAULT_SIGNATURE_HASH_ALGORITHM instead.
• Support for the CA_DEFAULT_ECC_CURVE setting, use CA_DEFAULT_ELLIPTIC_CURVE instead.
• Support for non-standard algorithm names (e.g. sha512, use SHA-512 instead).
• Support for non-standard elliptic key curve names (e.g. SECP384R1, use secp384r1 instead).

Removed in django-ca==1.26.0:

• Support for cryptography==39 and acme==2.4.0 (other versions may removed depending on release time).
• Support for using ECC and EdDSA as key type. Use EC and Ed25519 instead.
• The --pathlen and --no-pathlen parameters to manage.py init_ca will be removed. Use --path-length and --no-path-length instead.
• Support for coma-separated lists in --key-usage, --extended-key-usage and --tls-feature. Use lists instead (e.g. --key-usage keyAgreement keyEncipherment instead of --key usagekeyAgreement,keyEncipherment.
• Support for non-standard TLS feature names "OCSPMustStaple" and "MultipleCertStatusRequest". Use status_request and status_request_v2 instead.

WARNING

1. docker compose users: Update from 1.20 or earlier? See the update notes to switch to named volumes.
2. Django app or source users: Changes in cryptography 38 make it incompatible with common versions of certbot. See Warning: cryptography 38.

Changes

• Add support for Python 3.11, Alpine 3.17, Django 4.1, cryptography 38.0 and acme 2.0.
• Support for MD5 and SHA1 hashes is removed, as they are no longer supported in upcoming releases of cryptography.
• New signals pre_sign_cert and post_sign_cert that receive the values as passed to the cryptography library.
• Add the ability to force inclusion/exclusion of the IssuingDistributionPoint extension in CRLs.
• Ensure that CRLs are regenerated periodically before the cache expires.
• Switch to the Djangos built in Redis cache <https://docs.djangoproject.com/en/4.1/topics/cache/#redis>_ in the docker compose setup.

Admin interface

• Almost all extensions used in end entity certificates can now be modified when creating new certificates. The following additional extensions are now modifiable: Authority Information Access, CRL Distribution Points, Freshest CRL, Issuer Alternative Name, OCSP No Check and TLS Feature.

  Limitations:

  • The CRL Distribution Points and Freshest CRL extensions can only modify the first distribution point. If the selected profile defines more then one distribution point, they are added after the one from the admin interface.
  • The Certificate Policies extension cannot yet be modified. If the selected profile defines this extension, it is still added to the certificate.

• Initial values for the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions are set based on information from the default certificate authority. Values may be masked by the default profile.

• Selecting a certificate authority will automatically update the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions based on the configuration.

• Because the the user can now modify the extensions directly, the add_* directives for a profile now have no effect when issuing a certificate through the admin interface.

ACMEv2 support

• Handle clients that do not send the termsOfService field during registration.
• Improve error handling when the CSR cannot be parsed.
• An ACME account is now considered usable if it never agreed to the terms of service and the certificate authority does not define any terms of service. Certain versions of certbot (at least version 1.31.0) never ask the user to agree to the terms of service if there are none to agree to.
• Allow clients to agree to the terms of service when updating the account.

Minor changes

• The Docker image is now based on python:3.11-alpine3.17.
• Access Descriptions in the Authority Information Access extension will now always order OCSP URLs before CA Issuers, inverting the previous behavior. The order of values does not matter in practice.

Backwards incompatible changes

• The docker-compose setup requires at least docker-compose 1.27.0.
• The docker-compose setup now uses Redis 7.
• Drop support for cryptography 35.0.
• Drop support for acme 1.23, 1.24, 1.25 and 1.26.
• Drop support for Celery 5.0.
• Require django-object-actions 4.0 or higher.
• Remove the --ca-crl parameter in manage.py dump_crl (this was a left over and has been marked as deprecated since 1.12.0).
• Drop django-redis-cache from the redis extra, as the project is abandoned. Please switch to the built in redis cache instead. If you still use Django 3.2, please manually install the backend.
• ExtendedKeyUsageOID.KERBEROS_CONSTRAINED_DELEGATION was removed, use the identical ExtendedKeyUsageOID.KERBEROS_PKINIT_KDC instead.

Deprecation notices

• This is the last release to support for Python 3.7.
• This is the last release to support Django 4.0.
• This is the last release to support cryptography 36.0.
• This is the last release to support acme 1.27.0, 1.28.0 and 1.29.0, 1.30.0, 1.31.0 and 2.0.0.
• This is the last release to support Alpine 3.14 and 3.15.
• The acme extra will be removed in in the next release.
• The pre_issue_cert is deprecated and will be removed in django_ca==1.24.0. Use the new pre_sign_cert signal instead.
• The subject wrapper class django_ca.subject.Subject is deprecated and will be removed in django-ca==1.24.0.
• Extension wrapper classes in django_ca.extensions are deprecated and will be removed in django_ca==1.24.0.

WARNING docker-compose users

• Update from 1.18 or earlier? See the update notes or you might loose private keys!
• Update from 1.20 or earlier? See the update notes to switch to named volumes.

Updates

• Add support for cryptography 37.0 and Alpine Linux 3.16.
• Fix issuing certificates with multiple SubjectAlternativeNames (fixes #86).
• Fix overriding the default certificate expiry in profiles (fixes #87).
• Dependencies for ACMEv2 are now non-optional and the acme extra is now empty (and will be removed in django-ca==1.23.0).
• Implement certificate revocation via ACMEv2.
• The CA_DEFAULT_SUBJECT setting should now be a tuple, not a dict. Support for using a dict will be removed in django-ca==1.23.0.
• Add deployment checks (and document them in the quickstart guides) for configurations that don't use a shared cache subsystem (see also: #85).
• Fix generation of the SECRET_KEY setting when using docker and docker-compose.
• Document supported environment variables and improve general settings configuration in Settings.
• Switch to named volumes in the docker-compose setup. Please see Update from 1.20.0 or earlier for update instructions.
• Stop testing individual versions of idna. django-ca uses a minimal subset of basic functions that are unlikely to break.

Backwards incompatible changes

• Drop support for Django 2.2.
• Drop support for cryptography 3.3 and 3.4.
• Drop support for Alpine 3.12 and 3.13.

Deprecation notices

• The acme extra will be removed in django-ca==1.23.0.
• Support for using a dict for the CA_DEFAULT_SUBJECT setting will be removed in django-ca==1.23.0.
• This is the last release to support cryptography 35.0.
• This is the last release to support Celery 5.0 (5.1+ is of course still supported).
• This is the last release to support acme 1.23, 1.24, 1.25 and 1.26.

WARNING docker-compose users: Update from 1.18 or earlier? See the update notes or you might loose private keys!

• Parsing and formatting of names now correctly escapes or quotes special characters.
• django_ca.utils.shlex_split() was renamed to django_ca.utils.split_str. The old name will be removed in django_ca==1.22.
• Require a CommonName when generating a CA instead of implicitly setting the human-readable name if no CommonName was given.
• Add support for cryptography 36.0.0.
• Add support for Alpine 3.15.
• Make log level and message format more easily configurable with LOG_LEVEL, LIBRARY_LOG_LEVEL and LOG_FORMAT.
• Drop pytz as dependency (and use datetime.timezone directly).
• Add mdlDS and mdlJWS X509 extensions for support mobile Driver Licence.
• Reworked installation instructions to link to a set of quickstart guides dedicated to each installation option.
• Add --bundle option to manage.py sign_cert to allow writing the whole certificate bundle.

ACMEv2 support

ACMEv2 support will be included and enabled by default starting with django-ca==1.22. You will still have
to enable the ACMEv2 interface for each CA that should provide one. The documentation has been updated to
assume that you want enable ACMEv2 support.

• Add support for updating an accounts email address.
• Add support for deactivating ACME accounts.
• Fix issuing certificates if settings.USE_TZ=True (fixes #82).
• Fix issuing certificates for root CAs (fixes #83).

Docker and docker-compose

• Update Docker image to be based on Alpine 3.15.
• Do not expose ports of internal daemons when using docker-compose.

Backwards incompatible changes

• Drop support for Python 3.6.
• Drop support for Django 3.1.
• Drop support for idna 2.8, 3.0 and 3.1.
• Removed the manage.py dump_ocsp_index command.
• Remove the --csr-format parameter to manage.py sign_cert (deprecated since 1.18.0).
• django_ca.utils.parse_csr() has been removed (deprecated since 1.18.0).

Deprecation notices

• This is the last release to support Django 2.2.
• This is the last release to support cryptography 3.3 and 3.4.
• This is the last release to support Alpine 3.12 and 3.13

• Fix "missing" migration in when using django-ca as a standalone app (fixes #79).
• Add support for cryptography 36.0 and Django 4.0.

WARNING: docker-compose users: See the update notes or you might loose private keys!

• Implement DNS-01 validation for ACMEv2. Note that ACMEv2 support is still experimental and disabled by default.
• Support rendering distinguished names with any NameOID known to cryptography.
• Support creating certificates with a subject containing a dnQualifier, PC, DC, title, uid and serialNumber.
• Only fetch expected number of bytes when validating ACME challenges via HTTP to prevent DOS attacks.
• Ensure that a certificates issuer always matches the subject from the CA that signed it.
• Fix manage.py regenerate_ocsp_key with celery enabled.
• Fix parsing of ASN.1 OtherNames from the command line. Previously, UTF8 strings where not DER encoded.
• Fix ACMEv2 paths in NGINX configuration included in Docker images.
• Include a healthcheck script for uWSGI in the Docker image. Because the image is also shared for the Celery worker, it is not enabled by default, but the docker-compose configuration enables it.
• Add support for creating certificates with Boolean, Null, Integer, UniversalString, IA5String, GeneralizedTime and UTCTime values in the format described in ASN1_GENERATE_NCONF(3SSL).
• Preliminary support for OpenSSH CAs via EdDSA keys.
• The Docker image is now based on python:3.10-alpine3.14.
• Add support for Python 3.10.
• Add support for cryptography 35.0.0.
• Add support for idna 3.0, 3.1 and 3.2.

Backwards incompatible changes

• Drop support for cryptography 3.0, 3.1 and 3.2.
• Remove support for configuring absolute paths for manually configured django_ca.views.OCSPView. This functionality was officially supposed to be removed in django-ca 1.14.0.

Minor non-functional changes

• The whole source code is now type hinted.
• Consistently use f-strings for faster string formatting.
• Documentation is now always generated in nitpicky mode and with warnings turned into errors.
• Remove the now redundant html-check target for documentation generation.

Deprecation notices

• This is the last release to support Python 3.6.
• This is the last release to support Django 3.1.
• This is the last release to support idna<=3.1.
• The issuer_name field in a profile is deprecated and no longer has any effect. The parameter will be removed in django-ca 1.22.

• Use Alpine 3.13 and Python 3.9 in the Docker image.
• Include templates in installations via pip (fixes #72).

• Add support for Django 3.2.
• Prevent auto-completion of the CA password field in the admin interface.
• Improve CSR validation when using the admin interface.
• Check permissions when resigning certificates.
• Require the change certificate permission when revoking certificates.
• Preselect profile of original certificate when resigning certificates.
• Make sure that operators for OrderedSetExtension always return an instance of the implementing class, not of the base class.
• Certificate bundles now always end with a newline, as normal bundles do.
• Add setuptools extras for mysql and postgres.
• Add MySQL support for the Docker image.

Backwards incompatible changes

• Don't load configuration from localsettings.py (deprecated since 1.15.0).
• The x509 property and dump_certificate() where removed from CertificateAuthority and Certificate:
  • To access a string-encoded PEM use obj.pub.pem (was: obj.x509).
  • To update an instance with a certificate use update_certificate (was: obj.x509 = ...).
  • Use obj.pub.pem or obj.pub.der to get an encoded certificate (was: obj.dump_certificate()).
• Drop support for Django 3.0.
• Drop support for cryptography 2.8 and 2.9.
• Drop support for Celery 4.3 and 4.4.
• Drop support for idna 2.9.

Python API

• Store certificates and CSRs as bytes to improve access speed.

Linting and continuous integration

• Use GitHub Actions instead of Travis.
• Use pyproject.toml for all tools that support it.
• Code is now formatted with black.
• Code is now linted using pylint.
• Code is now fully type-hinted and type safe according to mypy. This
  requires the upcoming release of cryptography (current: 3.4).
• Documentation is now cleaned with doc8.
• Documentation is now spell-checked using sphinxcontrib.spelling.

Deprecation notices

• This is the last release to support cryptography 3.0, 3.1 and 3.2.
• Passing a str or bytes to CertificateManager.objects.create_cert() will be removed in django-ca 1.20.0.
• Passing a str as an algorithm in CertificateAuthority.get_crl(), django_ca.profiles.Profile.create_cert() is deprecated and will no longer work in django-ca 1.20.0. Pass a HashAlgorithm instance instead.
• django_ca.utils.parse_csr() is no longer useful and will be removed in django-ca 1.20.0.
• Creating an index for running an OCSP responder with openssl-ocsp(1SSL) is deprecated and will be removed in django-ca 1.20.0. The man page explicitly states it "is only useful for test and demonstration purposes", and we can solidly run our own responders by now.

• Update for compatibility with cryptography 3.4.
• Add support for Alpine 3.13.
• Due to cryptography requiring a relatively new version of Rust, support for Alpine<3.12 is dropped.

• Bugfix release for 1.17.0 to address packaging issues for wheels (when installed with pip install).
• Include acme submodule (fixes #67).
• Relax dependencies for josepy (fixes #68).
• Add tests in Dockerfile to make sure that these issues cannot happen again.

• New CA_DEFAUT_CA setting to consistently configure the CA used by default.
• Fix the --issuer-alt-name option for the init_ca/edit_ca management commands.
• Correctly handle IDNA domain names in URLs and certificates.
• Preliminary ACMEv2 support (disabled by default).
• CAs have new fields caa_identity, website and terms_of_service, which are used by ACME.
• Add support for Python 3.9.
• Add support for cryptography 3.1, 3.2 and 3.3.
• Start linting code with pylint.
• Secure CSRF and session cookies using Djangos SESSION_COOKIE_SECURE, CSRF_COOKIE_HTTPONLY and CSRF_COOKIE_SECURE settings.

Docker (Compose)

• Add thorough Quickstart with docker-compose.
• Collect static files on startup instead of during build. The latter causes problems with image updates.
• Make manage.py available as the manage shortcut.
• Add several security related headers to the admin interface (CSP, etc).
• Include a template for a complete TLS configuration.

Backwards incompatible changes

• Drop support for Python 3.5.
• Drop support for cryptography 2.7.
• Drop support for Celery 4.2.
• Drop support for idna 2.8.

Deprecation notices

• This is the last release to support Celery 4.3 and 4.4.
• This is the last release to support cryptography 2.8 and 2.9.
• This is the last release to support Django 3.0 (2.2 LTS will still be supported).
• This is the last release to support idna 2.9.
• This is the last release to support Alpine 3.10.

• This is a bugfix release for 1.16.0 that mostly addresses CRL validation issues.
• Add support for cryptography 3.1.
• Fix OCSP, Issuer and CRL URLs for intermediate CAs that are not a direct child of a root CA.
• Fix AuthorityKeyIdentifier in CRLs for intermediate CAs (see #65).
• Properly handle CommonNames which are not parseable as SubjectAlternativeName in admin interface (see #62).
• Minor documentation updates (see #63)
• Fix error in manage.py notify_expiring_certs in non-timezone aware setups.
• Override terminal size when running test cases, otherwise the output of argparse depends on the terminal size, leading to test failures on large terminals.

• Add support for cryptography 2.9 and 3.0.
• Add support for Django 3.1.
• The docker image is now based on Alpine Linux 3.12.
• Update redis to version 6 and nginx version 18 when using docker-compose
• Finally update Sphinx since numpydoc#215 is finally fixed.
• The profile used to generate the certificate is now stored in the database.
• It is no longer optional to select a profile in the admin interface when creating a certificate.
• Certificates have a new autogenerated boolean flag, which is True for automatically generated OCSP certificates.
• The admin interface will list only valid and non-autogenerated certificates by default.

Backwards incompatible changes

• Drop support for Django 1.11 and 2.1.
• Drop support for Celery 4.0 and 4.1.
• Drop support for OpenSSL 1.1.0f and earlier. This affects Debian oldoldstable (jessie), Ubuntu 16.04 and Alpine 3.8.
• Certificate.objects.init() and profiles.get_cert_profile_kwargs() were removed. Use Certificate.objects.create_cert() instead.

Deprecation notices

• This is the last release to support Python 3.5.
• This is the last release to support cryptography 2.7.
• This is the last release to support Celery 4.2.
• This is the last release to support idna 2.8.
• The Django project included in this git repository will stop loading localsetttings.py files in django-ca>=1.18.0.
• The format for the CA_PROFILES setting has changed in 1.14.0. Support for the old format will be removed in django-ca==1.17.0. Please see the migration instructions for what to change.

• Add support for Django 3.0.
• The docker image is now based on Alpine Linux 3.11.
• The default project now supports configuring django-ca using YAML configuration files. Configuration using localsettings.py is now deprecated and will be removed in django-ca>=1.18.0.
• Start supporting Celery tasks to allow running tasks in a distributed, asynchronous task queue. Some tasks will automatically be run with Celery if it is enabled. Celery is used automatically if installed, but can always be disabled by setting CA_USE_CELERY=False.
• Drop dependency six (since we no longer support Python 2.7).
• Allow caching of CRLs via manage.py cache_crls.
• The manage.py init_ca command will now automatically cache CRLs and generate OCSP keys for the new CA.
• Support POSTGRES_* and MYSQL_* environment variables to configure database access credentials in the same way as the Docker images for PostgreSQL and MySQL do.
• There now are setuptools extras for redis and celery, so you can install all required dependencies at once.
• Add CA_PASSWORDS setting to allow you to set the passwords for CAs with encrypted private keys. This is required for automated tasks where the private key is required.
• Add CA_CRL_PROFILES setting to configure automatically generated CRLs. Note that this setting will likely be moved to a more general setting for automatic tasks in future releases.
• django_ca.extensions.AuthorityKeyIdentifier now also supports issuers and serials.
• django_ca.utils.parse_general_name() now returns a cryptography.x509.GeneralName unchanged, but throws an error if the name isn't a str otherwise.
• New class django_ca.utils.GeneralNameList for extensions that store a list of general names.
• Add support for the django_ca.extensions.FreshestCRL extension.
• Store CA private keys in the ca/ subdirectory by default, the directory can be configured using manage.py init_ca --path=....

Backwards incompatible changes

• Drop support for Python 2.7.
• Drop support for cryptography 2.5 and 2.6.
• Drop support for Alpine 3.8 (because PostgreSQL and MySQL depend on libressl).
• Removed the manage.py migrate_ca command. If you upgrade from before 1.12.0, upgrade to 1.14.0 first and update file storage.
• Removed the ca_crl setting in django_ca.views.CertificateRevocationListView, use scope instead.

Docker

• Add a docker-compose.yml file to quickly launch a complete service stack.
• Add support for Celery, MySQL, PostgreSQL and Redis.
• Change the working directory to /usr/src/django-ca/ca, so manage.py can now be invoked using python manage.py instead of python ca/manage.py.
• Add a Celery startup script (./celery.sh).
• Add a nginx configuration template at nginx/default.template.
• Static files are now included in a "collected" form, so they don't have to collected on startup.
• Generate OCSP keys and cache CRLs on startup.
• Use BuildKit to massively speed up the Docker image build.

Bugfixes

• Fix generation of CRLs and OCSP keys for CAs with a DSA private key.
• Fix storing an empty list of CRL URLs in some corner cases (when the function receives an empty list).
• Fix naming CAs via serial on the command line if the serial starts with a zero.
• Consistently style serials in a monospace font in admin interface.
• The ocsp profile used for OCSP keys no longer copies the CommonName (which is the same as in the CA) to to the SubjectAlternativeName extension. The CommonName is frequently a human-readable name in CAs.

Deprecation notices

• This is the last release to support Django 1.11 and 2.1.
• The Django project included in this git repository will stop loading localsetttings.py files in django-ca>=1.18.0.
• Certificate.objects.init() and django_ca.profiles.get_cert_profile_kwargs were deprecated in 1.14.0 and will be removed in django-ca==1.16.0. Use Certificate.objects.create_cert() instead.
• The format for the CA_PROFILES setting has changed in 1.14.0. Support for the old format will be removed in django-ca==1.17.0. Please see the migration instructions for what to change.

• regenerate_ocsp_keys now has a quiet mode and only generates keys where the CA private key is available.
• Minor changes to make the release compatible with Django 3.0a1.
• Introduce a new, more flexible format for the The format of the CA_PROFILES setting. The new Profiles page provides more information and migration instructions
• New dependency: six, since Django 3.0 no longer includes it.
• New dependency: asn1crypto, since cryptography no longer depends on it.
• Serials are now zero-padded when output so that the last element always consists of two characters.
• More consistently output serials with colons, use a monospace font in the admin interface.
• Fix profile selection in the admin interface.
• Fix display of values from CSR in the admin interface.
• Add a copy-button next to values from the CSR to enable easy copy/paste from the CSR.
• Test suite now includes Selenium tests for all JavaScript functionality.
• dev.py coverage can now output a text summary using --format=text.

Backwards incompatible changes

• Drop support for cryptography 2.3 and 2.4.
• Drop support for idna 2.7.
• Extensions now always expect a dict or a cryptography extension as a value. Anything else was unused in practice.
• KeyUsage, ExtendedKeyUsage and TLSFeature now behave like an ordered set and support all operators that a set does.
• Running an OCSP responder using oscrypto/ocspbuilder is no longer supported.

Extensions

• KeyUsage is now marked as critical by default.
• ExtendedKeyUsage now supports the anyExtendedKeyUsage OID.

Deprecation notices

• This is the last release to support Python 2.7.
• This is the last release to support cryptography 2.5 and 2.6.
• This is the last release to be tested with Alpine 3.7.
• This is the last release to support updating CA private keys to the Filestorage API. python manage.py migrate_ca will be removed in the next release.
• This will be the last release to support the ca_crl setting in CertificateRevocationListView.
• Certificate.objects.init() has been deprecated in favor of Certificate.objects.create_cert(). The old method will be removed in django-ca==1.16.
• get_cert_profile_kwargs() was only used by init() and will thus also be removed in django-ca==1.16.
• The old format for CA_PROFILES will be supported until django-ca==1.16. Please see Update from django-ca<=1.13 for migration instructions.

• Add support for cryptography 2.7.
• Moved setup.py recreate_fixtures to recreate-fixtures.py.
• Moved all other extra setup.py commands to dev.py to remove clutter.
• Move fab init_demo to dev.py init-demo.
• Use OpenSSL instead of LibreSSL in Dockerfile to enable testing for Alpine 3.7. The cryptography documentation also suggests OpenSSL.
• The Fabric file has been removed.
• Remove the CA_PROVIDE_GENERIC_CRL setting, the default URL configuration now includes it.
• The docker image is now based on Alpine Linux 3.10.
• BACKWARDS INCOMPATIBLE: Drop support for cryptography 2.2.
• BACKWARDS INCOMPATIBLE: Drop support for idna 2.6.

Deprecation Notices

• This is the last release to support cryptography 2.3 and 2.4.
• This is the last release to support idna 2.7.
• This is the last release to support OCSP using oscrypto/ocspbuilder.
• CertificateRevocationListView.ca_cr is deprecated in favor of the scope parameter. If you have set ca_crl=True just set scope="ca" instead.
• A new more extendable format for the CA_PROFILES setting will be introduced in 1.14.0. As a result, extensions will no longer support instantiation from lists or strings, so avoid usage whereever you can.

Extensions

• Implement the CRLDistributionPoints extension and CertificatePolicies extension.
• Add the ipsecEndSystem, ipsecTunnel and ipsecUser extended key usage types. These are actually very rare and only occur in the "TrustID Server A52" CA.
• Extensions now consistently serialize to dictionaries.

Command-line interface

• The view_ca command will now display the full path to the private key, if possible.
• The migrate_ca command now has a --dry parameter and has a updated help texts.
• The new regenerate_ocsp_keys command allows you to automatically generate OCSP keys that are used by the new default OCSP views.

Python API

• Add the root property to CAs and certificates returning the root Certificate Authority.
• sign_cert() now also accepts a CertificateSigningRequest as csr value.
• Add the issuer_url, crl_url, ocsp_url and issuer_alternative_name parameter to sign_cert() to allow overriding or disabling the default values from the CA. This can also be used to pass extensions that do not just contain the URL using the extra_extensions parameter.
• Add the get_crl() function to get a CRL for the CA.
• Add the generate_ocsp_key() function to generate OCSP keys
  that are automatically picked up by the generic OCSP views.
• Both CertificateAuthority and Certificate now have a root property pointing to the Root CA.

OCSP

• The CA_DEFAULT_HOSTNAME setting is now used to set generic OCSP urls by default.
• The dump_ocsp_index management command now excludes certificates expired for more then a day or are not yet valid.

CRLs

• Issued CRLs now confirm to RFC 5280:

  • Add the CRL Number extension.
  • Add the Authority Key Identifier extension.

• Add the Issuing Distribution Point extension. This extension requires that you use cryptography>=2.5.

• Add support for setting an Invalidity Date (see RFC 5280, 5.3.2) for CRLs, indicating when the certificate was compromised.

• CRL entries will no longer include a Reason Code if the reason is unspecified (recommended in RFC 5280).

• Expose an API for creating CRLs via CertificateAuthority.get_crl().