Releases: mathiasertl/django-ca
2.1.1 (2025-01-05)
- Security: No longer allow clients to update other accounts.
- Fix celery startup script so that the directory containing the secret key is created correctly.
2.1.0 (2024-12-26)
Docker image
- The main Docker image is now based on Debian instead of Alpine. The Alpine image is still provided with the `-alpine` suffix (e.g. `mathiasertl/django-ca:2.1.0-alpine`).
- Include the `hsm` and `mysql` extras in the image.
- The Alpine image is now based on Alpine 3.21.
Certificate Revocation Lists
- Certificate Revocation Lists (CRLs) are now stored in the database via the CertificateRevocationList model. This makes CRLs more robust, as clearing the cache will no longer cause an error.
OCSP responder keys
- Private keys for OCSP responders are now stored using configurable backends, just like private keys for certificate authorities. See OCSP key backends for more information.
- Add an HSM OCSP key backend to allow storing OCSP keys in an HSM (Hardware Security Module).
- Add a Database OCSP key backend to allow storing OCSP keys in the database.
Key backends
- Add a Database backend to allow storing private keys in the database. This backend makes the private key accessible to any frontend-facing web server and is thus less secure than other backends, but is an option if your environment has no file system available.
- Remove `get_ocsp_key_size()` and `get_ocsp_key_elliptic_curve()` from the core key backend interface, as they are now handled by OCSP key backends.
Command-line utilities
- Add the `--only-some-reasons` parameter to `manage.py dump_crl`.
- The `--scope` parameter to `manage.py dump_crl` is deprecated and will be removed in django-ca 2.3.0. Use `--only-contains-ca-certs`, `--only-contains-user-certs` or `--only-contains-attribute-certs` instead.
- BACKWARDS INCOMPATIBLE: The `--algorithm` parameter to `manage.py dump_crl` no longer has any effect and will be removed in django-ca 2.3.0.
REST API
- When requesting a new certificate, validate the submitted CSR before relaying the order to the backend (fixes #15).
- Support for the Admissions extension when `cryptography>=44` is used.
Settings
- The `encodings` parameter to CA_CRL_PROFILES was removed. Both encodings are now always available.
- The `scope` parameter to CA_CRL_PROFILES is now deprecated in favor of the `only_contains_ca_certs`, `only_contains_user_certs` and `only_some_reasons` parameters. The old parameter currently still takes precedence, but will be removed in django-ca 2.3.0.
Dependencies
- Add support for Python 3.13, `cryptography~=44.0`, `pydantic~=2.10.0` and `acme~=3.0.0`.
- BACKWARDS INCOMPATIBLE: Dropped support for `pydantic~=2.7.0`, `pydantic~=2.8.0`, `cryptography~=42.0` and `acme~=2.10.0`.
Python API
- Functions that create a certificate now take a `not_after` parameter, replacing `expires`. The `expires` parameter is deprecated and will be removed in django-ca 2.3.0. The following functions are affected:
- `get_crl_cache_key()` added the `only_contains_ca_certs`, `only_contains_user_certs`, `only_contains_attribute_certs` and `only_some_reasons` arguments.
- BACKWARDS INCOMPATIBLE: The `scope` argument for `get_crl_cache_key()` was removed. Use the parameters described above instead.
Database models
- Rename `valid_from` to `not_before` and `expires` to `not_after` to align with the terminology used in RFC 5280. The previous read-only property was removed.
- Add the CertificateRevocationList model to store generated CRLs.
- `django_ca.models.CertificateAuthority.get_crl_certs()` and `django_ca.models.CertificateAuthority.get_crl()` are deprecated and will be removed in django-ca 2.3.0.
- BACKWARDS INCOMPATIBLE: The `algorithm`, `counter`, `full_name`, `relative_name` and `include_issuing_distribution_point` parameters for `django_ca.models.CertificateAuthority.get_crl()` no longer have any effect.
Views
- The CertificateRevocationListView has numerous updates:
  - BACKWARDS INCOMPATIBLE: The `password` parameter was removed. Use the CA_PASSWORDS setting instead (deprecated since django-ca 1.29.0).
  - The `expires` parameter now has a default of `86400` (from `600`) to align with defaults elsewhere.
  - The `scope` parameter is deprecated and will be removed in django-ca 2.3.0. Use `only_contains_ca_certs` and `only_contains_user_certs` instead.
  - The `include_issuing_distribution_point` parameter no longer has any effect and will be removed in django-ca 2.3.0.
Deprecation notices
Please also see the deprecation timeline for previous deprecation notices.
- This will be the last release to support `django~=5.0.0`, `cryptography~=43.0`, `pydantic~=2.9.0` and `acme~=2.9.0`.
- This will be the last release to support Ubuntu 20.04 and Alpine 3.18.
- Support for Python 3.9 and `django~=4.2.0` will be dropped in `django-ca==2.3.0`.
2.0.0 (2024-09-29)
General
- Add (preliminary) support for storing private keys in a hardware security module (HSM). See Key backends for more information.
Command-line utilities
- Subjects are now parsed in the RFC 4514 format by default. Subjects in the OpenSSL-style format are still supported via the `--subject-format=openssl` option, but support for it will be removed in 2.0.0.
- Removed the `convert_timestamps` command (deprecated since 1.28.0).
Dependencies
- Add support for `Django~=5.1.0`, `cryptography~=43.0`, `pydantic~=2.8.0` and `pydantic~=2.9.0`.
- BACKWARDS INCOMPATIBLE: Dropped support for `pydantic<2.7.0`, `acme~=2.9.0` and `Celery~=5.3.0`.
- Remove the `psycopg3` pip extra, use the `postgres` extra instead.
- Drop support for Alpine 3.17.
Python API
- `django_ca.utils.parse_encoding` no longer accepts an already parsed Encoding.
- `django_ca.utils.parse_expires()` and `django_ca.utils.parse_key_curve` were removed.
- `CertificateAuthorityManager.objects.init()` no longer accepts `int` or `timedelta` for expires. Pass a timezone-aware object instead.
- `django_ca.profiles.Profile` no longer accepts unparsed extension values:
  - An `int` for `expires` - pass a `timedelta` instead.
  - A `str` or iterable of `str`-tuples for `subject` - pass a `cryptography.x509.Name` instead.
  - Deprecated extension formats in `extensions`.
  Note that this does not affect configuration in settings, as these values are parsed before being passed to this class.
- `django_ca.profiles.Profile.create_cert` no longer accepts `int` for expires. Pass a `timedelta` instead.
Docker/Docker Compose
- Update NGINX to 1.26.0.
Deprecation notices
- This will be the last release to support `pydantic~=2.7.0`, `pydantic~=2.8.0`, `cryptography~=42.0` and `acme~=2.10.0`.
- `django_ca.utils.get_storage()` will be removed in 2.2.0.
1.29.0 (2024-07-01)
1.28.0 (2024-03-30)
Note
django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see RFC 4514 subjects for migration information.
Note
Docker Compose users: The PostgreSQL version was updated to PostgreSQL 16. See PostgreSQL update for update instructions.
Major changes
- Add support for `Django~=5.0`, `cryptography~=42`, `acme==2.8.0` and `acme==2.9.0`.
- Docker Compose: The PostgreSQL version was updated to PostgreSQL 16. See PostgreSQL update for update instructions.
- `pydantic>=2.5` is now a required dependency.
- Preparations for support for using Hardware Security Modules, see "Key backend support" below.
- The `CA_FILE_STORAGE` and `CA_FILE_STORAGE_KWARGS` settings are deprecated in favor of CA_KEY_BACKENDS and will be removed in `django-ca==2.0`. Installations as Django app must add a `"django-ca"` storage alias in their configuration.
- The CA_PASSWORDS setting is now consistently used whenever required.
- Private keys (for CAs and OCSP responder certificates) are now stored as DER keys to improve loading speed.
- The admin interface now presents lists of general names (e.g. in the Subject Alternative Name extension) as a list of orderable key/value pairs when adding certificates.
- Extensions added by the CA when signing new certificates can now have the same complexity as when giving the extensions directly when signing the certificate:
  - The `--sign-ca-issuer`, `--sign-ocsp-responder` and `--sign-issuer-alternative-name` options to `manage.py sign_cert` etc. now support any general name type and giving multiple general names.
  - The CRL Distribution Points extension added to certificates may now be marked as critical via `--sign-crl-distribution-points-critical`.
  - When editing a CA, the admin interface presents these fields in the same way as when signing a certificate.
- Remove the option to add the Common Name to the Subject Alternative Name extension, as the result is unpredictable:
  - The `manage.py sign_cert --cn-in-san` option was removed.
  - The checkbox in the admin interface was removed.
  - The profile option no longer has any effect and issues a warning.
- Add Pydantic models for cryptography classes. These are required for the REST API, but are also used internally for various places where serialization of objects is required.
- Support for configuring absolute paths for OCSP responder certificates in manual OCSP views was removed. This was a leftover; it had been deprecated and issued a warning since 2019.
- Fixed bash shortcut if installing from source to allow spaces (fixes #123).
Key backend support
This version adds support for "key backends", allowing you to store and use private keys in different places,
for example the file system or a Hardware Security Module (HSM). At present, the only backend available uses
the Django file storage API, usually storing private keys on the file system.
Future versions will add support for other ways to handle private keys, including HSMs.
REST API changes
Note
The REST API is still experimental and endpoints will change without notice.
The update to django-ninja 1.1 and Pydantic brings a general update on how extensions are represented. Any
code using the API will have to be updated.
- Update to `django-ninja==1.1.0`, including a full migration to Pydantic 2.
- The format of extensions now includes a `type` parameter indicating the extension type.
- Extension objects are now more in line with RFC 5280 and no longer use arbitrary abbreviations.
- Extensions are now represented as a list.
- General names are now represented as an object, instead of string that has to be parsed.
Backwards incompatible changes
- Docker Compose: The PostgreSQL version was updated to PostgreSQL 16. See PostgreSQL update for update instructions.
- Drop support for `Django~=3.2`, `acme==1.26.0` and `Alpine~=3.16`.
- `django_ca.extensions.serialize_extension()` is removed and replaced by Pydantic serialization.
Deprecation notices
- This is the last release to support Python 3.8, `cryptography~=41.0`, `acme~=2.7.0` and `acme~=2.8.0`.
- The default subject format will switch from OpenSSL-style to RFC 4514 in django-ca 2.0.
- Support for OpenSSL-style subjects will be removed in django-ca 2.2.
- `django_ca.extensions.parse_extension()` is deprecated and should no longer be used. Use Pydantic models instead.
- The `manage.py convert_timestamps` command will be removed in `django-ca==2.0`.
- The `CA_FILE_STORAGE` and `CA_FILE_STORAGE_KWARGS` settings are deprecated in favor of CA_KEY_BACKENDS and will be removed in `django-ca==2.0`.
1.27.0 (2023-11-26)
NOTE: django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see
RFC 4514 subjects for migration information.
- Add support for Python 3.12 and acme 2.7.0.
- Update the Docker image to use Alpine Linux 3.18 with Python 3.12.
- Add support for passing subjects in RFC 4514 format when creating certificate authorities and certificates via the `--subject-format=rfc4514` option. This format will become the default in django-ca 2.0.
- Support for subjects in OpenSSL-style format when creating certificate authorities and certificates is deprecated and will issue a warning. Support for this format will be removed in django-ca 2.2.
- CA_DEFAULT_SUBJECT, subjects in profiles and CA_DEFAULT_NAME_ORDER now also support a dotted string to include arbitrary object identifiers.
- CA_DEFAULT_NAME_ORDER can now be configured in YAML files.
- Do not implicitly sort the subject of new certificate authorities according to CA_DEFAULT_NAME_ORDER. The user is expected to supply the correct order.
- When signing certificates via the command line, implicitly sort the subject only when the profile defines a subject and/or the CommonName is not given and added via the SubjectAlternativeName extension. If neither is the case, the user is expected to supply the correct order.
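The two subject formats mentioned above differ in more than the separator: RFC 4514 strings list RDNs most-specific-first and carry escaping rules for special characters, while the OpenSSL-style form is "/"-separated and already in X.500 order. The following is an added illustration of those differences and of why a subject string must be parsed with the escaping rules rather than split on ","; it is not django-ca's own parser, uses only the standard library, and the sample subjects, the `naive_split` function and the attribute order tuple in `sort_name` are constructed for the example (the tuple is not django-ca's actual CA_DEFAULT_NAME_ORDER value).

```python
"""Subject strings in RFC 4514 and OpenSSL-style form.

Added illustration, not django-ca's own parser: it shows how the two formats
differ (separator, escaping rules and RDN order) and why a naive split on ","
mis-parses escaped values. Single-valued RDNs only; "+" multi-valued RDNs are
not handled.
"""
from __future__ import annotations

# Characters that RFC 4514 section 2.4 requires to be escaped inside a value.
_SPECIAL = ',+"\\<>;'
_HEX = "0123456789abcdefABCDEF"


def parse_rfc4514(subject: str) -> list[tuple[str, str]]:
    """Parse an RFC 4514 string into (type, value) pairs in X.500 (DER) order.

    RFC 4514 section 2.1 writes the RDN sequence reversed (most specific first),
    so "CN=x,O=y,C=AT" becomes [("C", "AT"), ("O", "y"), ("CN", "x")].
    """
    rdns: list[tuple[str, str]] = []
    attr_type = ""
    value = bytearray()  # bytes, so that "\XX" escapes can form UTF-8 sequences
    in_value = False
    i = 0
    while i < len(subject):
        ch = subject[i]
        if not in_value:  # reading the attribute type, up to "="
            if ch == "=":
                in_value = True
            elif ch == ",":
                raise ValueError(f"empty RDN at offset {i}")
            else:
                attr_type += ch
            i += 1
        elif ch == "\\":  # escape: \<special>, "\ ", "\=", "\#" or a "\XX" hex pair
            nxt = subject[i + 1 : i + 2]
            if nxt and nxt in _SPECIAL + " =#":
                value += nxt.encode("utf-8")
                i += 2
            elif len(subject) >= i + 3 and all(c in _HEX for c in subject[i + 1 : i + 3]):
                value.append(int(subject[i + 1 : i + 3], 16))
                i += 3
            else:
                raise ValueError(f"invalid escape at offset {i}")
        elif ch == ",":  # an unescaped comma ends the current RDN
            rdns.append((attr_type.strip(), value.decode("utf-8")))
            attr_type, value, in_value = "", bytearray(), False
            i += 1
        else:
            value += ch.encode("utf-8")
            i += 1
    if in_value:
        rdns.append((attr_type.strip(), value.decode("utf-8")))
    elif attr_type.strip():
        raise ValueError("attribute type without '=' and value")
    rdns.reverse()  # back to X.500 order
    return rdns


def parse_openssl(subject: str) -> list[tuple[str, str]]:
    """Parse the OpenSSL-style "/C=AT/O=y/CN=x" form: "/"-separated, X.500 order, no escaping."""
    body = subject.strip("/")
    if not body:
        return []
    rdns = []
    for part in body.split("/"):
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type:
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr_type.strip(), value))
    return rdns


def naive_split(subject: str) -> list[tuple[str, str]]:
    """The bug the escaping rules prevent: str.split(",") tears an escaped comma apart."""
    return [(p.partition("=")[0], p.partition("=")[2]) for p in subject.split(",")]


def to_rfc4514(rdns: list[tuple[str, str]]) -> str:
    """Serialise X.500-ordered pairs back to RFC 4514: reverse the order and escape values."""
    def escape(v: str) -> str:
        last = len(v) - 1
        return "".join(
            "\\" + c if c in _SPECIAL or (c == " " and i in (0, last)) or (c == "#" and i == 0) else c
            for i, c in enumerate(v)
        )
    return ",".join(f"{t}={escape(v)}" for t, v in reversed(rdns))


def sort_name(rdns, order=("C", "ST", "L", "O", "OU", "CN")):
    """Stable sort into a configured attribute order. The default tuple is a constructed
    example of such a setting, not django-ca's actual CA_DEFAULT_NAME_ORDER value."""
    rank = {t: i for i, t in enumerate(order)}
    return sorted(rdns, key=lambda rdn: rank.get(rdn[0], len(order)))


if __name__ == "__main__":
    sample = r"CN=example.com,O=Example\, Inc,C=AT"  # constructed sample subject
    print("rfc4514 :", parse_rfc4514(sample))
    print("openssl :", parse_openssl("/C=AT/O=Example, Inc/CN=example.com"))
    print("naive   :", naive_split(sample))  # four "RDNs": the escaped comma was split
    print("sorted  :", sort_name(parse_openssl("/CN=example.com/C=AT/O=Example, Inc")))
```

Both parsers return the same X.500-ordered list for the same subject, which is what a CA needs before building the DER name; the `naive_split` result shows the extra RDN that appears when "O=Example\, Inc" is split on the unescaped comma.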
Backwards incompatible changes
- Removed support for the old `--issuer-url`, `--issuer-alt-name`, `--crl-url` and `--ocsp-url` options for `manage.py init_ca`, `manage.py edit_ca` and `manage.py import_ca` in favor of `--sign-ca-issuer`, `--sign-issuer-alternative-name`, `--sign-crl-full-name` and `--sign-ocsp-responder`.
- Support for non-standard algorithm names in profile settings was removed.
- Drop support for `Django==4.1`, `cryptography==40.x`, `acme==1.25.0` and `celery==5.2.x`.
Deprecation notices
- The default subject format will switch from OpenSSL-style to RFC 4514 in django-ca 2.0.
- Support for OpenSSL-style subjects will be removed in django-ca 2.2.
- This is the last release to support Django 3.2.
- This is the last release to support acme 2.6.0.
- This is the last release to support Alpine 3.16.
REST API changes
NOTE: The REST API is still experimental and endpoints will change without notice.
- Certificate issuance is now asynchronous, similar to how certificates are issued via ACME. This enables using CAs where the private key is not directly available to the web server.
- The REST API must now be enabled explicitly for each certificate authority. This can be done via the admin interface or the `--enable-api` flag for `manage.py init_ca`, `manage.py edit_ca` and `manage.py import_ca`.
1.26.0 (2023-08-26)
- Add experimental support for a REST API (fixes #107).
- Add support for configuring certificate authorities to automatically include a Certificate Policy extension when signing certificates.
- Add support for configuring how long automatically generated OCSP responder certificates are valid.
- Add support for configuring how long OCSP responses of the automatically configured OCSP responder will be valid (fixes #102).
- The web interface now allows creating certificates with arbitrary or even empty subjects (fixes #77).
- The certificate subject is now displayed as an unambiguous list instead of a string. The issuer is now also shown in the same way.
- Fix NGINX configuration updates when using Docker Compose. The previous setup did not update configuration on update if parts of it changed.
- Fix `POSTGRES_` configuration environment variables when using the default PostgreSQL backend. They previously only worked for an old, outdated alias name.
- The root URL path can now be configured via the CA_URL_PATH setting. This allows you to use shorter URLs (that is, without the `django_ca/` prefix).
- The admin interface can now be disabled by setting the new ENABLE_ADMIN setting to `False`.
Backwards incompatible changes
- Drop support for cryptography 37 and cryptography 39, acme 2.4.0 and celery 5.1.
- Passing `ECC` and `EdDSA` as key types (e.g. when using `manage.py init_ca`) was removed. Use `EC` and `Ed25519` instead. The old names were deprecated since 1.23.0.
- Removed support for the old `--pathlen` and `--no-pathlen` options for `manage.py init_ca` in favor of `--path-length` and `--no-path-length`. The old options were deprecated since 1.24.0.
- Using comma-separated lists for the `--key-usage`, `--extended-key-usage` and `--tls-feature` command-line options was removed. The old format was deprecated since 1.24.0.
- Remove support for HTTP Public Key Pinning, as it is obsolete.
Deprecation notices
- This is the last release to support Django 4.1.
- This is the last release to support cryptography 40.
- This is the last release to support acme 2.5.0.
- This is the last release to support celery 5.2.
1.25.0 (2023-06-17)
- Add support for cryptography 41, acme 2.6.0 and celery 5.3.
- Update the Docker image to use Alpine Linux 3.18.
- Add support for adding the Certificate Policy and Issuer Alternative Name extensions when creating certificate authorities or end-entity certificates via the command-line.
- Add support for adding the Extended Key Usage, Issuer Alternative Name and Subject Alternative Name extensions when creating certificate authorities.
- Add support for overriding the Authority Information Access, CRL Distribution Points and OCSP No Check extensions when creating end-entity certificates via the command-line.
- Add support for string formatting operations on URL paths (see String formatting in URIs) in Authority Information Access and CRL Distribution Point extensions.
- Add a temporary pip extra `psycopg3` for using Psycopg 3. This extra will be removed once support for Django 3.2 is removed. Psycopg 3 will be required in the `postgres` extra from then on.
- Fix import parameters to `manage.py import_ca`.
- Further standardizing the command-line interface, some options for `manage.py init_ca` and `manage.py edit_ca` are renamed. See the update notes for more information.
Backwards incompatible changes
- Drop support for acme 2.3.0 and cryptography 38.
- The `CA_DIGEST_ALGORITHM` setting was removed. Use CA_DEFAULT_SIGNATURE_HASH_ALGORITHM instead.
- The `CA_DEFAULT_ECC_CURVE` setting was removed. Use CA_DEFAULT_ELLIPTIC_CURVE instead.
- Support for non-standard algorithm names for the `--algorithm` argument was removed.
- Support for non-standard elliptic curve names via the `--elliptic-curve` argument was removed.
- Support for custom signature hash algorithms in CRLs was removed. The algorithm used for signing the certificate authority is now always used.
- The old alias `--ecc-curve` for `--elliptic-curve` was removed.
Deprecation notices
- This is the last release to support cryptography 37 and cryptography 39.
- This is the last release to support acme 2.4.0.
- This is the last release to support celery 5.1.
- Support for non-standard algorithm names in profile settings will be removed in django-ca 1.27.0.
- Several options for `manage.py init_ca` and `manage.py edit_ca` are renamed; the old options will be removed in django-ca 1.27.0. See the update notes for more information.
1.24.0 (2023-05-01)
Warnings
- Django app or source users: Changes in cryptography 38 make it incompatible with common versions of certbot. See Warning: cryptography version 38.
- docker or source users that do not use PostgreSQL: The USE_TZ setting was switched to `True` in the Django project. See Switch to USE_TZ=True by default for update information.
General changes
- Add support for cryptography 40.0, django 4.2 and acme 2.4.0 and 2.5.0.
- Use Django's timezone support by default by enabling `USE_TZ=True`. See Switch to USE_TZ=True by default for update information.
- Make the default order of subjects configurable via CA_DEFAULT_NAME_ORDER.
- Certificates for OCSP responders now include the OCSPNoCheck extension by default.
- Certificates for OCSP responders now use a commonName designating the certificate as OCSP responder as subject; other fields from the CA's subject are discarded.
- A profile can now ignore CA_DEFAULT_SUBJECT by setting subject to False.
- Copy all extensions when using `manage.py resign_cert`.
- Add support for multiple OCSP responder and CA Issuer entries when creating a certificate authority.
- Add typehints when installing as wheel.
Command-line interface
Continuing the standardization effort started in 1.23.0, some options have been replaced and/or use a
different syntax. See the update notes for more detailed instructions.
- The `--pathlen` and `--no-pathlen` parameters for `manage.py init_ca` were renamed to `--path-length` and `--no-path-length`.
- The `--key-usage` option was changed to/split into `--key-usage` and `--key-usage-non-critical`. `--key-usage` takes multiple option values instead of a single comma-separated list.
- The `--ext-key-usage` option was changed to/split into `--extended-key-usage` and `--extended-key-usage-critical`. `--extended-key-usage` takes multiple option values instead of a single comma-separated list.
- The `--tls-feature` option was changed to/split into `--tls-feature` and `--tls-feature-critical`. `--tls-feature` takes multiple option values instead of a single comma-separated list.
- Add support for specifying a custom Key Usage extension when using `manage.py init_ca`.
- Add support for adding the Inhibit anyPolicy, Policy Constraints and TLS feature extensions when using `manage.py init_ca`.
- Add support for adding the OCSP No Check extension when issuing certificates with `manage.py sign_cert` or `manage.py resign_cert`.
- Add support for specifying a date when the certificate was compromised when revoking a certificate with `manage.py revoke_cert`.
Backwards incompatible changes
- The `--ext-key-usage` flag to `manage.py sign_cert` was replaced with `--extended-key-usage`.
- The critical flag for the Key Usage, Extended Key Usage and TLS Feature extensions is now set with dedicated options, with the recommended value being the default. See above and the update notes for details.
- The `pre_issue_cert` signal was removed. Use the pre_sign_cert signal instead.
Deprecation notices
Removed in `django-ca==1.25.0`:
- This is the last release to support acme 2.3.0 and cryptography 38 (cryptography 37 is still supported, see Warning: cryptography version 38).
- Support for the `CA_DIGEST_ALGORITHM` setting, use `CA_DEFAULT_SIGNATURE_HASH_ALGORITHM` instead.
- Support for the `CA_DEFAULT_ECC_CURVE` setting, use `CA_DEFAULT_ELLIPTIC_CURVE` instead.
- Support for non-standard algorithm names (e.g. `sha512`, use `SHA-512` instead).
- Support for non-standard elliptic key curve names (e.g. `SECP384R1`, use `secp384r1` instead).
Removed in `django-ca==1.26.0`:
- Support for `cryptography==39` and `acme==2.4.0` (other versions may be removed depending on release time).
- Support for using `ECC` and `EdDSA` as key type. Use `EC` and `Ed25519` instead.
- The `--pathlen` and `--no-pathlen` parameters to `manage.py init_ca` will be removed. Use `--path-length` and `--no-path-length` instead.
- Support for comma-separated lists in `--key-usage`, `--extended-key-usage` and `--tls-feature`. Use lists instead (e.g. `--key-usage keyAgreement keyEncipherment` instead of `--key-usage keyAgreement,keyEncipherment`).
- Support for non-standard TLS feature names "OCSPMustStaple" and "MultipleCertStatusRequest". Use `status_request` and `status_request_v2` instead.
1.22.0 (2022-12-11)
WARNING
- docker compose users: Update from 1.20 or earlier? See the update notes to switch to named volumes.
- Django app or source users: Changes in cryptography 38 make it incompatible with common versions of certbot. See Warning: cryptography 38.
Changes
- Add support for Python 3.11, Alpine 3.17, Django 4.1, cryptography 38.0 and acme 2.0.
- Support for MD5 and SHA1 hashes is removed, as they are no longer supported in upcoming releases of cryptography.
- New signals pre_sign_cert and post_sign_cert that receive the values as passed to the cryptography library.
- Add the ability to force inclusion/exclusion of the IssuingDistributionPoint extension in CRLs.
- Ensure that CRLs are regenerated periodically before the cache expires.
- Switch to Django's built in Redis cache (https://docs.djangoproject.com/en/4.1/topics/cache/#redis) in the docker compose setup.
Admin interface
- Almost all extensions used in end entity certificates can now be modified when creating new certificates. The following additional extensions are now modifiable: Authority Information Access, CRL Distribution Points, Freshest CRL, Issuer Alternative Name, OCSP No Check and TLS Feature.
  Limitations:
  - The CRL Distribution Points and Freshest CRL extensions can only modify the first distribution point. If the selected profile defines more than one distribution point, they are added after the one from the admin interface.
  - The Certificate Policies extension cannot yet be modified. If the selected profile defines this extension, it is still added to the certificate.
- Initial values for the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions are set based on information from the default certificate authority. Values may be masked by the default profile.
- Selecting a certificate authority will automatically update the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions based on the configuration.
- Because the user can now modify the extensions directly, the `add_*` directives for a profile now have no effect when issuing a certificate through the admin interface.
ACMEv2 support
- Handle clients that do not send the `termsOfService` field during registration.
- Improve error handling when the CSR cannot be parsed.
- An ACME account is now considered usable if it never agreed to the terms of service and the certificate authority does not define any terms of service. Certain versions of certbot (at least version 1.31.0) never ask the user to agree to the terms of service if there are none to agree to.
- Allow clients to agree to the terms of service when updating the account.
Minor changes
- The Docker image is now based on `python:3.11-alpine3.17`.
- Access Descriptions in the Authority Information Access extension will now always order OCSP URLs before CA Issuers, inverting the previous behavior. The order of values does not matter in practice.
Backwards incompatible changes
- The docker-compose setup requires at least docker-compose 1.27.0.
- The docker-compose setup now uses Redis 7.
- Drop support for cryptography 35.0.
- Drop support for acme 1.23, 1.24, 1.25 and 1.26.
- Drop support for Celery 5.0.
- Require django-object-actions 4.0 or higher.
- Remove the `--ca-crl` parameter in `manage.py dump_crl` (this was a leftover and has been marked as deprecated since 1.12.0).
- Drop `django-redis-cache` from the `redis` extra, as the project is abandoned. Please switch to the built in redis cache instead. If you still use Django 3.2, please manually install the backend.
- `ExtendedKeyUsageOID.KERBEROS_CONSTRAINED_DELEGATION` was removed, use the identical `ExtendedKeyUsageOID.KERBEROS_PKINIT_KDC` instead.
Deprecation notices
- This is the last release to support Python 3.7.
- This is the last release to support Django 4.0.
- This is the last release to support cryptography 36.0.
- This is the last release to support acme 1.27.0, 1.28.0 and 1.29.0, 1.30.0, 1.31.0 and 2.0.0.
- This is the last release to support Alpine 3.14 and 3.15.
- The `acme` extra will be removed in the next release.
- The `pre_issue_cert` signal is deprecated and will be removed in `django_ca==1.24.0`. Use the new pre_sign_cert signal instead.
- The subject wrapper class `django_ca.subject.Subject` is deprecated and will be removed in `django-ca==1.24.0`.
- Extension wrapper classes in `django_ca.extensions` are deprecated and will be removed in `django_ca==1.24.0`.