Django app providing a Certificate Authority
GPL-3.0 License
Published by mathiasertl over 5 years ago
PrecertPoison and OCSPNoCheck extensions.
PrecertificateSignedCertificateTimestamps extension, currently can only be used for reading existing certificates.
django-ca now uses the File storage API to store CA private keys as well as files configured for OCSP views. This allows you to use different storage backends (e.g. from django-storages) to store files on a filesystem shared between different servers, e.g. to provide a redundant setup.
NOTE: The switch does require some manual intervention when upgrading. The old way of storing files is still supported and will continue to work until version 1.14. Please see the upgrade notes for information on how to upgrade.
cryptography>=2.4 is installed.
django_ca.views.OCSPBaseView.responder_key may now also be a relative path to be used with the Django storage system.
django_ca.views.OCSPBaseView.responder_cert may now also be a relative path to be used with the Django storage system.
django_ca.views.OCSPBaseView.responder_cert may now also be a pre-loaded certificate. If you still use cryptography<2.4, use an oscrypto.asymmetric.Certificate; for newer versions you must use a cryptography.x509.Certificate.
Published by mathiasertl almost 6 years ago
dump_ca and dump_cert can now dump whole certificate bundles.
This release will be the last release to support some software versions:
subjectAltName parameter of Certificate.objects.init() to subject_alternative_name to be consistent with other extensions.
name_constraints parameter in CertificateAuthority.objects.init().
extra_extensions parameter.
dict method.
docker_test setup.py command to test the image using various alpine-based images.
Published by mathiasertl almost 6 years ago
list_cas now optionally supports a tree view.
--tls-features option of the sign_cert command to --tls-feature, in line with the actual name of the extension.
TLSFeature extension in profiles.
cmd_e2e to call manage.py scripts in a way that arguments are passed by argparse as if they were called from the command-line. This allows more complete testing including parsing command-line arguments.
python:3-alpine (instead of python:3), yielding a much smaller image (~965MB -> ~235MB).
uwsgi.ini for fast deployments with the uwsgi protocol.
DJANGO_CA_UWSGI_PARAMS environment variable.
/usr/share/django-ca/ as named volume, allowing a setup where an external webserver serves static files.
NOTE: This version was actually released on 2018-07-08, but the GitHub release was omitted.
CA_CUSTOM_APPS setting to let users that use django-ca as a standalone project add custom apps, e.g. to register signals.
smartcardLogon and msKDC extended key usage types. They are needed for some AD and OpenLDAP improvements (see #46).
idna versions (".com" now also throws an error).
Published by mathiasertl almost 7 years ago
pathlen attribute of the parent CA to make sure that the resulting CA is not invalid.
CA_OCSP_URL.
fab init_demo a lot more useful by signing certificates with the client CA and include CRL
fab init_demo and documentation generation through Travis-CI.
, instead of a ;, for consistency with other
Content-Type header of CRL responses now defaults to the correct value regardless of type (DER or PEM) used.
CA_OCSP_URLS, an OCSP internal error is returned instead of an uncaught exception.
hex(0L) returns "0x0L".
Published by mathiasertl about 7 years ago
USE_TZ is True.
init_ca under Windows.
validate_email. cryptography 2.1 no longer
cryptography>=2.1. Older versions should not be broken, but the output changes
Published by mathiasertl over 7 years ago
>=1.8. The previously pinned version is incompatible with Python 3.5.
django.urls.reverse so they are compatible with Django 2.0 and 1.8.
manage.py check exit status is not ignored for setup.py code_quality.
isort.
import_ca and import_cert so users can import existing CAs and certificates (#23).
Published by mathiasertl over 7 years ago
manage.py sign_cert.
manage.py dump_crl.
--cn-in-san option).
django_ca.views.OCSPView, the responder key and certificate are verified during configuration. An erroneous configuration thus throws an error on startup, not during runtime.
pyOpenSSL, so an independent library is used for verification.
authorityKeyIdentifier extension when signing certificates with an intermediate CA.
Published by mathiasertl over 7 years ago
max_length parameter.
tlsfeature extension is no longer supported. It will be again once cryptography adds support.
msCodeInd, msCodeCom, msCTLSign, msEFS values for the ExtendedKeyUsage extension are
TEXT is no longer a supported output format for dumping certificates.
keyUsage extension is now marked as critical for certificate authorities.
privilegeWithdrawn and aACompromise attributes for revocation lists.
Published by mathiasertl over 7 years ago
cryptography in the ongoing process to deprecate
Published by mathiasertl about 8 years ago
--days parameter of the sign_cert command to --expires to match what we use for init_ca.
--init-ca and --sign-cert by further grouping arguments into argument groups.
--ca-* options.
nameConstraints X509 extension when creating CAs. The option to the init_ca command is --name-constraint and can be given multiple times to indicate multiple constraints.
tlsfeature extension, a.k.a. "TLS Must Staple". Since OpenSSL 1.1 is required for this extension, support is currently totally untested.
Published by mathiasertl about 8 years ago
fab init_demo now actually creates an intermediate CA.
--parent parameter for manage.py init_ca
Published by mathiasertl about 8 years ago
manage.py init_ca and manage.py sign_cert is now given in the
manage.py dump_crl now uses the --expires instead of the old --days parameter.