Django app providing a Certificate Authority
GPL-3.0 License
> [!NOTE]
> django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see RFC 4514 subjects for migration information.

> [!NOTE]
> Docker Compose users: The PostgreSQL version was updated to PostgreSQL 16. See PostgreSQL update for update instructions.

- `Django~=5.0`, `cryptography~=42`, `acme==2.8.0` and `acme==2.9.0`.
- `pydantic>=2.5` is now a required dependency.
- `CA_FILE_STORAGE` and `CA_FILE_STORAGE_KWARGS` settings are deprecated in favor of `CA_KEY_BACKENDS` and will be removed in `django-ca==2.0`. Installations as Django app must add a `"django-ca"` storage alias in their configuration.
- `--sign-ca-issuer`, `--sign-ocsp-responder` and `--sign-issuer-alternative-name` options to `manage.py sign_cert` etc. now support any general name type and giving multiple general names.
- `--sign-crl-distribution-points-critical`.
- `manage.py sign_cert --cn-in-san` option was removed.

This version adds support for "key backends", allowing you to store and use private keys in different places, for example the file system or a Hardware Security Module (HSM). At present, the only backend available uses the Django file storage API, usually storing private keys on the file system. Future versions will add support for other ways to handle private keys, including HSMs.

> [!NOTE]
> The REST API is still experimental and endpoints will change without notice.

The update to django-ninja 1.1 and Pydantic brings a general update on how extensions are represented. Any code using the API will have to be updated.

- `django-ninja==1.1.0`, including a full migration to Pydantic 2.
- `type` parameter indicating the extension type.
- `Django~=3.2`, `acme==1.26.0` and `Alpine~=3.16`.
- `django_ca.extensions.serialize_extension()` is removed and replaced by Pydantic serialization.
- `cryptography~=41.0`, `acme~=2.7.0` and `acme~=2.8.0`.
- `django_ca.extensions.parse_extension()` is deprecated and should no longer be used. Use Pydantic models instead.
- `manage.py convert_timestamps` command will be removed in `django-ca==2.0`.
- `CA_FILE_STORAGE` and `CA_FILE_STORAGE_KWARGS` settings are deprecated in favor of `CA_KEY_BACKENDS` and will be removed in `django-ca==2.0`.

Published by mathiasertl 11 months ago
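The deprecated file-storage settings beside the key-backend configuration that replaces them, as an added example of the migration the notes above describe (this is not configuration from the page or from the django-ca documentation). The `StoragesBackend` dotted path, the `BACKEND`/`OPTIONS` layout of `CA_KEY_BACKENDS` and the `/var/lib/django-ca/` location are assumptions and must be checked against the django-ca documentation for your version; the `STORAGES` setting and the `FileSystemStorage` options are standard Django.

```python
# Django settings fragment (added example). Keys marked ASSUMED are not taken
# from the page and must be checked against the django-ca documentation.

# --- Before: deprecated in the release above, removed in django-ca==2.0 -----
# CA_FILE_STORAGE = "django.core.files.storage.FileSystemStorage"
# CA_FILE_STORAGE_KWARGS = {"location": "/var/lib/django-ca/"}   # ASSUMED path

# --- After: a dedicated "django-ca" storage alias (standard Django STORAGES) ---
STORAGES = {
    "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
    "staticfiles": {"BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"},
    # The alias the release notes require for installations as Django app.
    # It holds CA private keys, so keep the location outside the web root
    # and restrict the permission modes (both are FileSystemStorage options).
    "django-ca": {
        "BACKEND": "django.core.files.storage.FileSystemStorage",
        "OPTIONS": {
            "location": "/var/lib/django-ca/",   # ASSUMED path
            "file_permissions_mode": 0o600,
            "directory_permissions_mode": 0o700,
        },
    },
}

# --- ... and a key backend that uses that alias (structure ASSUMED) ---------
CA_KEY_BACKENDS = {
    "default": {
        "BACKEND": "django_ca.key_backends.storages.StoragesBackend",  # ASSUMED path
        "OPTIONS": {"storage_alias": "django-ca"},
    },
}
```

Keeping the key storage as a separate alias rather than reusing `"default"` means media uploads and private keys never share a directory or a permission mode, which is the property to preserve if you later move the backend to an HSM.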
NOTE: django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see RFC 4514 subjects for migration information.

- `--subject-format=rfc4514` option. This format will become the default in django-ca 2.0.
- `--issuer-url`, `--issuer-alt-name`, `--crl-url` and `--ocsp-url` options for `manage.py init_ca`, `manage.py edit_ca` and `manage.py import_ca` in favor of `--sign-ca-issuer`, `--sign-issuer-alternative-name`, `--sign-crl-full-name` and `--sign-ocsp-responder`.
- `Django==4.1`, `cryptography==40.x`, `acme==1.25.0` and `celery==5.2.x`.

NOTE: The REST API is still experimental and endpoints will change without notice.

- `--enable-api` flag for `manage.py init_ca`, `manage.py edit_ca` and `manage.py import_ca`.

Published by mathiasertl about 1 year ago
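A parser and formatter for the RFC 4514 subject format that the `--subject-format=rfc4514` option above introduces, as an added example (not code from django-ca). It shows the escaping rules a migration has to take into account: `\,` and `\+` inside values, `\XX` hex pairs (which may spell a multi-byte UTF-8 character), `#hex` BER-encoded values, escaped leading and trailing spaces, and `+`-joined multi-valued RDNs. As a lenient extension beyond the RFC grammar it also accepts unescaped whitespace around separators. All function and type names are this example's own.

```python
"""RFC 4514 distinguished-name string parser and formatter (added example)."""
from typing import List, Tuple, Union

AttrValue = Union[str, bytes]        # bytes for '#hex' (BER-encoded) values
RDN = List[Tuple[str, AttrValue]]    # one RDN; several pairs when joined by '+'

_HEX = set("0123456789abcdefABCDEF")
# Characters a backslash may escape (RFC 4514 section 3): specials, '#', '=', space.
_ESCAPABLE = set(' "#+,;<=>\\')


def parse_rfc4514(dn: str) -> List[RDN]:
    """Split an RFC 4514 string into RDNs, in string order.

    String order is the reverse of the ASN.1 sequence order: the most specific
    RDN (usually CN) comes first. Raises ValueError on malformed input.
    """
    rdns: List[RDN] = []
    rdn: RDN = []
    if dn == "":
        return rdns
    i, n = 0, len(dn)
    while True:
        # The attribute type runs up to the first '=' (types never contain '=').
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' in RDN at offset {i}")
        attr_type = dn[i:eq].strip()
        if not attr_type or not all(c.isalnum() or c in "-." for c in attr_type):
            raise ValueError(f"invalid attribute type {dn[i:eq]!r}")
        i = eq + 1
        # Collect the value as (byte chunk, escaped?) so escaped spaces survive trimming.
        chunks: List[Tuple[bytes, bool]] = []
        while i < n and dn[i] not in ",+":
            c = dn[i]
            if c == "\\":
                if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                    chunks.append((bytes([int(dn[i + 1:i + 3], 16)]), True))  # \XX pair
                    i += 3
                elif i + 1 < n and dn[i + 1] in _ESCAPABLE:
                    chunks.append((dn[i + 1].encode("utf-8"), True))
                    i += 2
                else:
                    raise ValueError(f"invalid escape sequence at offset {i}")
            else:
                chunks.append((c.encode("utf-8"), False))
                i += 1
        # Lenient: drop unescaped whitespace around the value; escaped spaces stay.
        while chunks and chunks[0] == (b" ", False):
            chunks.pop(0)
        while chunks and chunks[-1] == (b" ", False):
            chunks.pop()
        raw = b"".join(chunk for chunk, _ in chunks)
        if chunks and chunks[0] == (b"#", False):
            value: AttrValue = bytes.fromhex(raw[1:].decode("ascii"))  # BER, left encoded
        else:
            value = raw.decode("utf-8")  # hex pairs may form a multi-byte UTF-8 sequence
        rdn.append((attr_type, value))
        if i >= n:
            rdns.append(rdn)
            return rdns
        if dn[i] == "+":
            i += 1            # same RDN, next attribute
        else:
            rdns.append(rdn)  # ',' closes the RDN
            rdn = []
            i += 1


def format_rfc4514(rdns: List[RDN]) -> str:
    """Inverse of parse_rfc4514: escape values so the result parses back unchanged."""
    def escape(value: AttrValue) -> str:
        if isinstance(value, bytes):
            return "#" + value.hex()
        out = []
        last = len(value) - 1
        for pos, ch in enumerate(value):
            if ch in '"+,;<>\\' or (pos == 0 and ch in "# ") or (pos == last and ch == " "):
                out.append("\\" + ch)
            elif ch == "\x00":
                out.append("\\00")  # NUL must be hex-escaped
            else:
                out.append(ch)
        return "".join(out)
    return ",".join("+".join(f"{t}={escape(v)}" for t, v in rdn) for rdn in rdns)
```

When feeding the result to a certificate builder, remember that RFC 4514 lists RDNs most-specific-first, so the list has to be reversed to obtain the ASN.1 `Name` sequence order; a subject written in the old comma-separated syntax will otherwise come out with its RDNs in the wrong order.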
- `POSTGRES_` configuration environment variables when using the default PostgreSQL backend. It previously only worked for an old, outdated alias name.
- `django_ca/` prefix).
- `False`.
- `ECC` and `EdDSA` as key types (e.g. when using `manage.py init_ca`) was removed. Use `EC` and `Ed25519` instead. The old names were deprecated since 1.23.0.
- `--pathlen` and `--no-pathlen` options for `manage.py init_ca` in favor of `--path-length` and `--no-path-length`. The old options were deprecated since 1.24.0.
- Old format of the `--key-usage`, `--extended-key-usage` and `--tls-feature` command-line options was removed. The old format was deprecated since 1.24.0.

Published by mathiasertl over 1 year ago
- `psycopg3` for using Psycopg 3. This extra will be removed once support for Django 3.2 is removed. Psycopg 3 will be required in the `postgres` extra from then on.
- `manage.py import_ca`.
- `manage.py init_ca` and `manage.py edit_ca` are renamed. See the update notes for more information.
- `CA_DIGEST_ALGORITHM` setting was removed. Use `CA_DEFAULT_SIGNATURE_HASH_ALGORITHM` instead.
- `CA_DEFAULT_ECC_CURVE` setting was removed. Use `CA_DEFAULT_ELLIPTIC_CURVE` instead.
- `--algorithm` argument was removed.
- `--elliptic-curve` argument was removed.
- `--ecc-curve` for `--elliptic-curve` was removed.
- `manage.py init_ca` and `manage.py edit_ca` are renamed, old options will be removed in django-ca 1.27.0. See the update notes for more information.

Published by mathiasertl over 1 year ago
- `True` in the Django project. See Switch to USE_TZ=True by default for update information.
- `USE_TZ=True`. See Switch to USE_TZ=True by default for update information.
- `manage.py resign_cert`.
- Continuing the standardization effort started in 1.23.0, some options have been replaced and/or use a different syntax. See the update notes for more detailed instructions.
  - `--pathlen` and `--no-pathlen` parameters for `manage.py init_ca` were renamed to `--path-length` and `--no-path-length`.
  - `--key-usage` option was changed to/split into `--key-usage` and `--key-usage-non-critical`. `--key-usage` takes multiple option values instead of a single comma-separated list.
  - `--ext-key-usage` option was changed to/split into `--extended-key-usage` and `--extended-key-usage-critical`. `--extended-key-usage` takes multiple option values instead of a single comma-separated list.
  - `--tls-feature` option was changed to/split into `--tls-feature` and `--tls-feature-critical`. `--tls-feature` takes multiple option values instead of a single comma-separated list.
- `manage.py init_ca`.
- `manage.py init_ca`.
- `manage.py sign_cert` or `manage.py resign_cert`.
- `manage.py revoke_cert`.
- `--ext-key-usage` flag to `manage.py sign_cert` was replaced with `--extended-key-usage`.
- `pre_issue_cert` was removed. Use the `pre_sign_cert` signal instead.
- Removed in `django-ca==1.25.0`:
  - `CA_DIGEST_ALGORITHM` setting, use `CA_DEFAULT_SIGNATURE_HASH_ALGORITHM` instead.
  - `CA_DEFAULT_ECC_CURVE` setting, use `CA_DEFAULT_ELLIPTIC_CURVE` instead.
  - `sha512`, use `SHA-512` instead).
  - `SECP384R1`, use `secp384r1` instead).
- Removed in `django-ca==1.26.0`:
  - `cryptography==39` and `acme==2.4.0` (other versions may be removed depending on release time).
  - `ECC` and `EdDSA` as key type. Use `EC` and `Ed25519` instead.
  - `--pathlen` and `--no-pathlen` parameters to `manage.py init_ca` will be removed. Use `--path-length` and `--no-path-length` instead.
  - `--key-usage`, `--extended-key-usage` and `--tls-feature`. Use lists instead (e.g. `--key-usage keyAgreement keyEncipherment` instead of `--key-usage keyAgreement,keyEncipherment`).
  - `status_request` and `status_request_v2` instead.

Published by mathiasertl over 1 year ago
- [built-in Redis cache](https://docs.djangoproject.com/en/4.1/topics/cache/#redis) in the docker compose setup.
- Almost all extensions used in end entity certificates can now be modified when creating new certificates. The following additional extensions are now modifiable: Authority Information Access, CRL Distribution Points, Freshest CRL, Issuer Alternative Name, OCSP No Check and TLS Feature.

  Limitations:
  - Initial values for the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions are set based on information from the default certificate authority. Values may be masked by the default profile.
  - Selecting a certificate authority will automatically update the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions based on the configuration.
  - Because the user can now modify the extensions directly, the `add_*` directives for a profile now have no effect when issuing a certificate through the admin interface.
- `termsOfService` field during registration.
- `python:3.11-alpine3.17`.
- `--ca-crl` parameter in `manage.py dump_crl` (this was a leftover and has been marked as deprecated since 1.12.0).
- `django-redis-cache` from the `redis` extra, as the project is abandoned. Please switch to the built-in redis cache instead. If you still use Django 3.2, please manually install the backend.
- `ExtendedKeyUsageOID.KERBEROS_CONSTRAINED_DELEGATION` was removed, use the identical `ExtendedKeyUsageOID.KERBEROS_PKINIT_KDC` instead.
- `acme` extra will be removed in the next release.
- `pre_issue_cert` is deprecated and will be removed in `django_ca==1.24.0`. Use the new `pre_sign_cert` signal instead.
- `django_ca.subject.Subject` is deprecated and will be removed in `django-ca==1.24.0`.
- `django_ca.extensions` are deprecated and will be removed in `django_ca==1.24.0`.

Published by mathiasertl over 2 years ago
- `acme` extra is now empty (and will be removed in `django-ca==1.23.0`).
- `dict` will be removed in `django-ca==1.23.0`.
- `SECRET_KEY` setting when using docker and docker-compose.
- `acme` extra will be removed in `django-ca==1.23.0`.
- `CA_DEFAULT_SUBJECT` setting will be removed in `django-ca==1.23.0`.

Published by mathiasertl almost 3 years ago
WARNING docker-compose users: Update from 1.18 or earlier? See the update notes or you might lose private keys!

- `django_ca.utils.shlex_split()` was renamed to `django_ca.utils.split_str`. The old name will be removed in `django_ca==1.22`.
- `pytz` as dependency (and use `datetime.timezone` directly).
- `--bundle` option to `manage.py sign_cert` to allow writing the whole certificate bundle.
- ACMEv2 support will be included and enabled by default starting with `django-ca==1.22`. You will still have to enable the ACMEv2 interface for each CA that should provide one. The documentation has been updated to assume that you want to enable ACMEv2 support.
- `settings.USE_TZ=True` (fixes #82).
- `manage.py dump_ocsp_index` command.
- `--csr-format` parameter to `manage.py sign_cert` (deprecated since 1.18.0).
- `django_ca.utils.parse_csr()` has been removed (deprecated since 1.18.0).

Published by mathiasertl almost 3 years ago
Published by mathiasertl about 3 years ago
WARNING: docker-compose users: See the update notes or you might lose private keys!

- `dnQualifier`, `PC`, `DC`, `title`, `uid` and `serialNumber`.
- `issuer` always matches the `subject` from the CA that signed it.
- `manage.py regenerate_ocsp_key` with celery enabled.
- `UTF8` strings were not DER encoded.
- `EdDSA` keys.
- `python:3.10-alpine3.14`.
- `html-check` target for documentation generation.
- `idna<=3.1`.
- `issuer_name` field in a profile is deprecated and no longer has any effect. The parameter will be removed in django-ca 1.22.

Published by mathiasertl over 3 years ago
Published by mathiasertl over 3 years ago
- `change certificate` permission when revoking certificates.
- `mysql` and `postgres`.
- `localsettings.py` (deprecated since `1.15.0`).
- `x509` property and `dump_certificate()` were removed from CertificateAuthority and Certificate:
  - `obj.pub.pem` (was: `obj.x509`).
  - `obj.x509 = ...`).
  - `obj.pub.pem` or `obj.pub.der` to get an encoded certificate (was: `obj.dump_certificate()`).
- `pyproject.toml` for all tools that support it.
- `str` or `bytes` to `CertificateManager.objects.create_cert()` will be removed in django-ca 1.20.0.
- `str` as an algorithm in `CertificateAuthority.get_crl()`, `django_ca.profiles.Profile.create_cert()` is deprecated and will no longer work in django-ca 1.20.0. Pass a `HashAlgorithm` instance instead.

Published by mathiasertl over 3 years ago
Published by mathiasertl over 3 years ago
Published by mathiasertl almost 4 years ago
- `--issuer-alt-name` option for the `init_ca`/`edit_ca` management commands.
- `caa_identity`, `website` and `terms_of_service`, which are used by ACME.
- `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_HTTPONLY` and `CSRF_COOKIE_SECURE` settings.
- `manage.py` available as the `manage` shortcut.

Published by mathiasertl about 4 years ago
- `manage.py notify_expiring_certs` in non-timezone aware setups.

Published by mathiasertl about 4 years ago
- `redis` to version 6 and nginx version 18 when using docker-compose.
- `autogenerated` boolean flag, which is `True` for automatically generated OCSP certificates.
- `Certificate.objects.init()` and `profiles.get_cert_profile_kwargs()` were removed. Use `Certificate.objects.create_cert()` instead.
- `localsettings.py` files in `django-ca>=1.18.0`.
- `CA_PROFILES` setting has changed in 1.14.0. Support for the old format will be removed in `django-ca==1.17.0`. Please see the migration instructions for what to change.

Published by mathiasertl almost 5 years ago
- `localsettings.py` is now deprecated and will be removed in `django-ca>=1.18.0`.
- `CA_USE_CELERY=False`.
- `six` (since we no longer support Python 2.7).
- `manage.py cache_crls`.
- `manage.py init_ca` command will now automatically cache CRLs and generate OCSP keys for the new CA.
- `POSTGRES_*` and `MYSQL_*` environment variables to configure database access credentials in the same way as the Docker images for PostgreSQL and MySQL do.
- `redis` and `celery`, so you can install all required dependencies at once.
- `CA_PASSWORDS` setting to allow you to set the passwords for CAs with encrypted private keys. This is required for automated tasks where the private key is required.
- `CA_CRL_PROFILES` setting to configure automatically generated CRLs. Note that this setting will likely be moved to a more general setting for automatic tasks in future releases.
- `django_ca.extensions.AuthorityKeyIdentifier` now also supports issuers and serials.
- `django_ca.utils.parse_general_name()` now returns a `cryptography.x509.GeneralName` unchanged, but throws an error if the name isn't a `str` otherwise.
- `django_ca.utils.GeneralNameList` for extensions that store a list of general names.
- `django_ca.extensions.FreshestCRL` extension.
- `ca/` subdirectory by default, the directory can be configured using `manage.py init_ca --path=...`.
- `manage.py migrate_ca` command. If you upgrade from before 1.12.0, upgrade to 1.14.0 first and update file storage.
- `ca_crl` setting in `django_ca.views.CertificateRevocationListView`, use `scope` instead.
- `/usr/src/django-ca/ca`, so `manage.py` can now be invoked using `python manage.py` instead of `python ca/manage.py`.
- `./celery.sh`).
- `nginx/default.template`.
- `ocsp` profile used for OCSP keys no longer copies the CommonName (which is the same as in the CA) to the SubjectAlternativeName extension. The CommonName is frequently a human-readable name in CAs.
- `localsettings.py` files in `django-ca>=1.18.0`.
- `Certificate.objects.init()` and `django_ca.profiles.get_cert_profile_kwargs` were deprecated in 1.14.0 and will be removed in `django-ca==1.16.0`. Use `Certificate.objects.create_cert()` instead.
- `CA_PROFILES` setting has changed in 1.14.0. Support for the old format will be removed in `django-ca==1.17.0`. Please see the migration instructions for what to change.

Published by mathiasertl almost 5 years ago
- `regenerate_ocsp_keys` now has a quiet mode and only generates keys where the CA private key is available.
- `dev.py coverage` can now output a text summary using `--format=text`.
- `oscrypto`/`ocspbuilder` is no longer supported.
- `anyExtendedKeyUsage` OID.
- `python manage.py migrate_ca` will be removed in the next release.
- `ca_crl` setting in `CertificateRevocationListView`.
- `django-ca==1.16`.
- `django-ca==1.16`.
- `CA_PROFILES` will be supported until `django-ca==1.16`. Please see Update from django-ca<=1.13 for migration instructions.

Published by mathiasertl over 5 years ago
- `setup.py recreate_fixtures` to `recreate-fixtures.py`.
- `setup.py` commands to `dev.py` to remove clutter.
- `fab init_demo` to `dev.py init-demo`.
- `CA_PROVIDE_GENERIC_CRL` setting, the default URL configuration now includes it.
- `oscrypto`/`ocspbuilder`.
- `CertificateRevocationListView.ca_crl` is deprecated in favor of the `scope` parameter. If you have set `ca_crl=True` just set `scope="ca"` instead.
- `ipsecEndSystem`, `ipsecTunnel` and `ipsecUser` extended key usage types. These are actually very rare and only occur in the "TrustID Server A52" CA.
- `view_ca` command will now display the full path to the private key, if possible.
- `migrate_ca` command now has a `--dry` parameter and has updated help texts.
- `regenerate_ocsp_keys` command allows you to automatically generate OCSP keys that are used by the new default OCSP views.
- `root` property to CAs and certificates returning the root Certificate Authority.
- `csr` value.
- `issuer_url`, `crl_url`, `ocsp_url` and `issuer_alternative_name` parameter to `sign_cert()` to allow overriding or disabling the default values from the CA. This can also be used to pass extensions that do not just contain the URL using the `extra_extensions` parameter.
- `root` property pointing to the Root CA.
- `dump_ocsp_index` management command now excludes certificates expired for more than a day or are not yet valid.
- Issued CRLs now conform to RFC 5280:
  - Add the Issuing Distribution Point extension. This extension requires that you use `cryptography>=2.5`.
  - Add support for setting an Invalidity Date (see RFC 5280, 5.3.2) for CRLs, indicating when the certificate was compromised.
  - CRL entries will no longer include a Reason Code if the reason is unspecified (recommended in RFC 5280).
  - Expose an API for creating CRLs via `CertificateAuthority.get_crl()`.
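The four RFC 5280 points in the list above, carried through with the `cryptography` library that django-ca builds on, as an added example (this is not django-ca's `CertificateAuthority.get_crl()` and does not use its models): a critical Issuing Distribution Point on the CRL, a per-entry Invalidity Date for a compromised key, no Reason Code on an entry whose reason is unspecified, and a `get_crl()`-style function that returns the signed CRL. The throwaway CA, the serial numbers and the CRL URL are constructed sample values; `describe_crl` is this example's own inspection helper.

```python
"""RFC 5280 CRL construction with `cryptography` (added example, not django-ca code)."""
import datetime
from typing import List, Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# One revoked entry: serial, revocation time, reason (None = unspecified), invalidity date.
RevokedEntry = Tuple[int, datetime.datetime, Optional[x509.ReasonFlags], Optional[datetime.datetime]]


def _utcnow() -> datetime.datetime:
    # Naive UTC works across cryptography versions before and after the *_utc accessors.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None, microsecond=0)


def make_test_ca() -> Tuple[ec.EllipticCurvePrivateKey, x509.Certificate]:
    """Throwaway self-signed CA with crl_sign set, used only to sign the sample CRL."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])  # constructed
    now = _utcnow()
    key_usage = x509.KeyUsage(
        digital_signature=False, content_commitment=False, key_encipherment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True,
        encipher_only=False, decipher_only=False)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(key_usage, critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def get_crl(key, ca_cert: x509.Certificate, revoked: List[RevokedEntry], crl_url: str,
            days: int = 1) -> x509.CertificateRevocationList:
    """Sign a CRL listing `revoked`, following the RFC 5280 points from the release notes."""
    now = _utcnow()
    # RFC 5280 5.2.5: the Issuing Distribution Point extension is critical. This CRL
    # covers end-entity certificates only and is not an indirect CRL.
    idp = x509.IssuingDistributionPoint(
        full_name=[x509.UniformResourceIdentifier(crl_url)], relative_name=None,
        only_contains_user_certs=True, only_contains_ca_certs=False,
        only_some_reasons=None, indirect_crl=False, only_contains_attribute_certs=False)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=days))
        .add_extension(idp, critical=True)
    )
    for serial, revoked_at, reason, invalid_since in revoked:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(revoked_at)
        # RFC 5280 5.3.1: omit the Reason Code when the reason is unspecified.
        if reason is not None and reason != x509.ReasonFlags.unspecified:
            entry = entry.add_extension(x509.CRLReason(reason), critical=False)
        # RFC 5280 5.3.2: Invalidity Date records when the key is believed compromised.
        if invalid_since is not None:
            entry = entry.add_extension(x509.InvalidityDate(invalid_since), critical=False)
        builder = builder.add_revoked_certificate(entry.build())
    return builder.sign(key, hashes.SHA256())


def describe_crl(ca_cert: x509.Certificate, crl: x509.CertificateRevocationList) -> dict:
    """Plain-value view of a CRL: signature check, IDP flags, and per-entry extensions."""
    idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint)
    entries = {}
    for entry in crl:
        try:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
        except x509.ExtensionNotFound:
            reason = None  # entry carries no Reason Code
        try:
            entry.extensions.get_extension_for_class(x509.InvalidityDate)
            has_invalidity_date = True
        except x509.ExtensionNotFound:
            has_invalidity_date = False
        entries[entry.serial_number] = {"reason": reason, "invalidity_date": has_invalidity_date}
    return {"signature_valid": crl.is_signature_valid(ca_cert.public_key()),
            "idp_critical": idp.critical, "only_user_certs": idp.value.only_contains_user_certs,
            "entries": entries}


def make_example_crl() -> Tuple[x509.Certificate, x509.CertificateRevocationList]:
    """Constructed sample: one key-compromise entry with an invalidity date, one unspecified."""
    key, ca_cert = make_test_ca()
    now = _utcnow()
    revoked: List[RevokedEntry] = [
        (0x1001, now, x509.ReasonFlags.key_compromise, now - datetime.timedelta(days=3)),
        (0x1002, now, None, None),
    ]
    return ca_cert, get_crl(key, ca_cert, revoked, "http://ca.example.invalid/crl/ca.crl")


if __name__ == "__main__":
    _, sample_crl = make_example_crl()
    print(sample_crl.public_bytes(serialization.Encoding.PEM).decode())
```

Because the Issuing Distribution Point is critical, a relying party that does not understand it must reject the CRL rather than use it, which is why the notes tie the feature to `cryptography>=2.5`; the Invalidity Date is the field a verifier can use to treat signatures made after the compromise as invalid even though they predate the revocation entry.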