
1.13.0 (2019-07-14)

@mathiasertl mathiasertl released this 14 Jul 19:51
  • Add support for cryptography 2.7.
  • Moved setup.py recreate_fixtures to recreate-fixtures.py.
  • Moved all other extra setup.py commands to dev.py to remove clutter.
  • Move fab init_demo to dev.py init-demo.
  • Use OpenSSL instead of LibreSSL in Dockerfile to enable testing for Alpine 3.7. The cryptography documentation also suggests OpenSSL.
  • The Fabric file has been removed.
  • Remove the CA_PROVIDE_GENERIC_CRL setting, the default URL configuration now includes it.
  • The docker image is now based on Alpine Linux 3.10.
  • BACKWARDS INCOMPATIBLE: Drop support for cryptography 2.2.
  • BACKWARDS INCOMPATIBLE: Drop support for idna 2.6.

Deprecation Notices

  • This is the last release to support cryptography 2.3 and 2.4.
  • This is the last release to support idna 2.7.
  • This is the last release to support OCSP using oscrypto/ocspbuilder.
  • CertificateRevocationListView.ca_crl is deprecated in favor of the scope parameter. If you have set ca_crl=True, just set scope="ca" instead.
  • A new more extendable format for the CA_PROFILES setting will be introduced in 1.14.0. As a result, extensions will no longer support instantiation from lists or strings, so avoid usage wherever you can.

Extensions

  • Implement the CRLDistributionPoints extension and CertificatePolicies extension.
  • Add the ipsecEndSystem, ipsecTunnel and ipsecUser extended key usage types. These are actually very rare and only occur in the "TrustID Server A52" CA.
  • Extensions now consistently serialize to dictionaries.

Command-line interface

  • The view_ca command will now display the full path to the private key, if possible.
  • The migrate_ca command now has a --dry parameter and has updated help texts.
  • The new regenerate_ocsp_keys command allows you to automatically generate OCSP keys that are used by the new default OCSP views.

Python API

  • Add the root property to CAs and certificates returning the root Certificate Authority.
  • sign_cert() now also accepts a CertificateSigningRequest as csr value.
  • Add the issuer_url, crl_url, ocsp_url and issuer_alternative_name parameters to sign_cert() to allow overriding or disabling the default values from the CA. This can also be used to pass extensions that do not just contain the URL using the extra_extensions parameter.
  • Add the get_crl() function to get a CRL for the CA.
  • Add the generate_ocsp_key() function to generate OCSP keys that are automatically picked up by the generic OCSP views.
  • Both CertificateAuthority and Certificate now have a root property pointing to the Root CA.

OCSP

  • The CA_DEFAULT_HOSTNAME setting is now used to set generic OCSP URLs by default.
  • The dump_ocsp_index management command now excludes certificates that expired more than a day ago or that are not yet valid.

CRLs