Django-ca

Latest version: v2.0.0


2.0.0

General

* Add (preliminary) support for storing private keys in a hardware security module (HSM). See [Key backends](https://django-ca.readthedocs.io/en/2.0.0/key_backends.html) for more information.

Command-line utilities

* Subjects are now parsed in the RFC 4514 format by default. Subjects in the OpenSSL-style format are still supported via the `--subject-format=openssl` option, but support for it will be removed in 2.2.0.
* Removed the `convert_timestamps` command (deprecated since 1.28.0).

Dependencies

* Add support for `Django~=5.1.0`, `cryptography~=43.0` and `pydantic~=2.8.0` and `pydantic~=2.9.0`.
* **BACKWARDS INCOMPATIBLE:** Dropped support for `pydantic<2.7.0`, `acme~=2.9.0` and `Celery~=5.3.0`.
* Remove the `psycopg3` pip extra, use the `postgres` extra instead.
* Drop support for Alpine 3.17.

Python API

* [django_ca.utils.parse_encoding](https://django-ca.readthedocs.io/en/2.0.0/python/utils.html#django_ca.utils.parse_encoding) no longer accepts an already parsed Encoding.
* `django_ca.utils.parse_expires()` and `django_ca.utils.parse_key_curve()` were removed.
* [CertificateAuthorityManager.objects.init()](https://django-ca.readthedocs.io/en/2.0.0/python/models.html#django_ca.managers.CertificateAuthorityManager.init) no longer accepts `int` or `timedelta` for `expires`. Pass a timezone-aware `datetime` instead.
* [django_ca.profiles.Profile](https://django-ca.readthedocs.io/en/2.0.0/python/profiles.html#django_ca.profiles.Profile) no longer accepts unparsed values:

  * An `int` for `expires` - pass a `timedelta` instead.
  * A `str` or iterable of `str`-tuples for `subject` - pass a [cryptography.x509.Name](https://cryptography.io/en/stable/x509/reference/#cryptography.x509.Name) instead.
  * Deprecated extension formats in `extensions`.

  Note that this does not affect configuration in settings, as these values are parsed before being passed to this class.

* [django_ca.profiles.Profile.create_cert](https://django-ca.readthedocs.io/en/2.0.0/python/profiles.html#django_ca.profiles.Profile.create_cert) no longer accepts `int` for expires. Pass a `timedelta` instead.

Docker/Docker Compose

* Update NGINX to 1.26.0.

Deprecation notices

* This will be the last release to support `pydantic~=2.7.0`, `pydantic~=2.8.0`, `cryptography~=42.0`
and `acme~=2.10.0`.
* `django_ca.utils.get_storage()` will be removed in 2.2.0.

1.29.0

See https://django-ca.readthedocs.io/en/latest/changelog/2024-07-01_1.29.0.html for changes.

1.28.0

> [!NOTE]
> django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see [RFC 4514 subjects](https://django-ca.readthedocs.io/en/latest/update.html#update-126-rfc4514-subjects) for migration information.

> [!NOTE]
> **Docker Compose users:** The PostgreSQL version was updated to PostgreSQL 16. See [PostgreSQL update](https://django-ca.readthedocs.io/en/latest/quickstart_docker_compose.html#postgresql-update) for update instructions.

Major changes

* Add support for `Django~=5.0`, `cryptography~=42`, `acme==2.8.0` and `acme==2.9.0`.
* **Docker Compose:** The PostgreSQL version was updated to PostgreSQL 16. See [PostgreSQL update](https://django-ca.readthedocs.io/en/latest/quickstart_docker_compose.html#postgresql-update) for update instructions.
* `pydantic>=2.5` is now a required dependency.
* Preparations for supporting Hardware Security Modules, see "Key backend support" below.
* The `CA_FILE_STORAGE` and `CA_FILE_STORAGE_KWARGS` settings are deprecated in favor of [CA_KEY_BACKENDS](https://django-ca.readthedocs.io/en/latest/settings.html#settings-ca-key-backends) and will be removed in `django-ca==2.0`. Installations [as Django app](https://django-ca.readthedocs.io/en/latest/quickstart_as_app.html) must add a `"django-ca"` storage alias in their configuration.
* The [CA_PASSWORDS](https://django-ca.readthedocs.io/en/latest/settings.html#settings-ca-passwords) setting is now consistently used whenever required.
* Private keys (for CAs and OCSP responder certificates) are now stored as DER keys to improve loading speed.
* The admin interface now presents lists of general names (e.g. in the Subject Alternative Name extension) as a list of order-able key/value pairs when adding certificates.
* Extensions added by the CA when signing new certificates can now have the same complexity as when giving the extensions directly when signing the certificate:
  * The `--sign-ca-issuer`, `--sign-ocsp-responder` and `--sign-issuer-alternative-name` options to `manage.py sign_cert` etc. now support any general name type and giving multiple general names.
  * The CRL Distribution Points extension added to certificates may now be marked as critical via `--sign-crl-distribution-points-critical`.
  * When editing a CA, the admin interface presents these fields in the same way as when signing a certificate.
* Remove the option to add the Common Name to the Subject Alternative Name extension, as the result is unpredictable:
  * The `manage.py sign_cert` `--cn-in-san` option was removed.
  * The checkbox in the admin interface was removed.
  * The profile option no longer has any effect and issues a warning.
* Add [Pydantic models for cryptography classes](https://django-ca.readthedocs.io/en/latest/python/pydantic.html). These are required for the REST API, but are also used internally for various places where serialization of objects is required.
* Support for configuring absolute paths for OCSP responder certificates in manual OCSP views was removed. This was a leftover; it had been deprecated and issued a warning since 2019.
* Fixed bash shortcut if installing from source to allow spaces (fixes 123).

Key backend support

This version adds support for "key backends", allowing you to store and use private keys in different places,
for example the file system or a Hardware Security Module (HSM). At present, the only backend available uses
the Django file storage API, usually storing private keys on the file system.

Future versions will add support for other ways to handle private keys, including HSMs.
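The storage-backed key backend described above reads private keys through a Django storage alias; installations running django-ca as a Django app must declare a `"django-ca"` alias for it (see the `CA_FILE_STORAGE` deprecation in the list above). The following `settings.py` fragment is an added example, not text from the django-ca changelog or documentation. It assumes that the `CA_KEY_BACKENDS` layout (`BACKEND`, `OPTIONS`, `storage_alias`) and the backend class path match the linked settings documentation; check them there before use. The `/var/lib/django-ca/` path is an assumed location.

```python
# settings.py fragment (added example; verify the CA_KEY_BACKENDS keys against
# the django-ca settings documentation, they are assumed here).

STORAGES = {
    # "default" is what serves uploaded media; never point it at the key
    # directory, since MEDIA_ROOT is usually exposed by the web server.
    "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
    "staticfiles": {
        "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
    },
    # Alias the storages key backend reads CA private keys from. The location
    # sits outside any web or media root, and Django's FileSystemStorage
    # options restrict permissions on files and directories it creates.
    "django-ca": {
        "BACKEND": "django.core.files.storage.FileSystemStorage",
        "OPTIONS": {
            "location": "/var/lib/django-ca/",  # assumed path; must be owned by the app user
            "file_permissions_mode": 0o600,
            "directory_permissions_mode": 0o700,
        },
    },
}

# Key backend configuration replacing CA_FILE_STORAGE / CA_FILE_STORAGE_KWARGS.
# Option names assumed from the settings documentation linked above.
CA_KEY_BACKENDS = {
    "default": {
        "BACKEND": "django_ca.key_backends.storages.StoragesBackend",
        "OPTIONS": {"storage_alias": "django-ca"},
    },
}
```

Because `STORAGES` replaces Django's whole default mapping, the `default` and `staticfiles` entries have to be repeated alongside the new alias. Keeping the key directory separate from the media root is the security-relevant part: a key backend that resolves to the same tree as user uploads would leave CA private keys one misconfigured `MEDIA_URL` away from being served.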

REST API changes

> [!NOTE]
> The [REST API](https://django-ca.readthedocs.io/en/latest/rest_api.html) is still experimental and endpoints will change without notice.

The update to django-ninja 1.1 and Pydantic brings a general update on how extensions are represented. Any
code using the API will have to be updated.

* Update to `django-ninja==1.1.0`, including a full migration to Pydantic 2.
* The format of extensions now includes a `type` parameter indicating the extension type.
* Extension objects are now more in line with [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) and no longer use arbitrary abbreviations.
* Extensions are now represented as a list.
* General names are now represented as an object, instead of string that has to be parsed.

Backwards incompatible changes

* **Docker Compose:** The PostgreSQL version was updated to PostgreSQL 16. See [PostgreSQL update](https://django-ca.readthedocs.io/en/latest/quickstart_docker_compose.html#postgresql-update) for update instructions.
* Drop support for `Django~=3.2`, `acme==1.26.0` and `Alpine~=3.16`.
* `django_ca.extensions.serialize_extension()` is removed and replaced by [Pydantic serialization](https://django-ca.readthedocs.io/en/latest/python/pydantic.html).

Deprecation notices

* This is the last release to support Python 3.8, `cryptography~=41.0`, `acme~=2.7.0` and `acme~=2.8.0`.
* The default subject format will switch from OpenSSL-style to RFC 4514 in django-ca 2.0.
* Support for OpenSSL-style subjects will be removed in django-ca 2.2.
* `django_ca.extensions.parse_extension()` is deprecated and should no longer be used. Use Pydantic models instead.
* The `manage.py convert_timestamps` command will be removed in `django-ca==2.0`.
* The `CA_FILE_STORAGE` and `CA_FILE_STORAGE_KWARGS` settings are deprecated in favor of [CA_KEY_BACKENDS](https://django-ca.readthedocs.io/en/latest/settings.html#settings-ca-key-backends) and will be removed in `django-ca==2.0`.

1.27.0

**NOTE:** django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see
[RFC 4514 subjects](https://django-ca.readthedocs.io/en/1.27.0/update.html#update-126-rfc4514-subjects) for migration information.

* Add support for Python 3.12 and acme 2.7.0.
* Update the Docker image to use Alpine Linux 3.18 with Python 3.12.
* Add support for passing subjects in RFC 4514 format when creating certificate authorities and certificates via the `--subject-format=rfc4514` option. This format will become the default in django-ca 2.0.
* Support for subjects in OpenSSL-style format when creating certificate authorities and certificates is deprecated and will issue a warning. Support for this format will be removed in django-ca 2.2.
* [CA_DEFAULT_SUBJECT](https://django-ca.readthedocs.io/en/1.27.0/settings.html#settings-ca-default-subject), [subjects in profiles](https://django-ca.readthedocs.io/en/1.27.0/profiles.html#profiles-subject) and [CA_DEFAULT_NAME_ORDER](https://django-ca.readthedocs.io/en/1.27.0/settings.html#settings-ca-default-name-order) now also support a dotted string to include arbitrary object identifiers.
* [CA_DEFAULT_NAME_ORDER](https://django-ca.readthedocs.io/en/1.27.0/settings.html#settings-ca-default-name-order) can now be configured in YAML files.
* Do not implicitly sort the subject of new certificate authorities according to [CA_DEFAULT_NAME_ORDER](https://django-ca.readthedocs.io/en/1.27.0/settings.html#settings-ca-default-name-order). The user is expected to supply the correct order.
* When signing certificates via the command line, implicitly sort the subject only when the profile defines a subject and/or the CommonName is not given and added via the SubjectAlternativeName extension. If neither is the case, the user is expected to supply the correct order.
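The two subject formats differ in more than spelling: RFC 4514 writes the most specific RDN first (`CN=...,O=...,C=AT`) while the OpenSSL-style string (`/C=AT/O=.../CN=...`) lists RDNs in X.509 encoding order, and RFC 4514 escapes commas inside values as `\,` or as a hex pair such as `\2C`. The parser below is an added example and not django-ca's own implementation; the function names (`parse_rfc4514`, `parse_openssl`, `to_rfc4514`, `check_subject`), the `PARSERS` table and the sample subjects are mine. It returns both formats in encoding order so they can be compared, and rejects multi-valued RDNs (`+`) and attribute types that are neither a short name nor a dotted OID, which is what catches an OpenSSL-style subject handed to the `rfc4514` default that 2.0 switches to.

```python
"""Parsers for the two subject formats accepted on the django-ca command line.
Added example, not django-ca code: both parsers return (attribute, value) pairs
in X.509 encoding order (C first, CN last) so the formats compare directly."""
from __future__ import annotations

import re
import string

# RFC 4514 section 2.4: characters that must be backslash-escaped in a value.
_SPECIALS = set('",+;<>\\')
# RFC 4514 attributeType: a short name ("CN", "emailAddress") or a dotted OID.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+")


def _split_raw(text: str, sep: str) -> list[str]:
    """Split on unescaped `sep`, leaving backslash escapes in place."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts


def _unescape(raw: str) -> str:
    """Resolve '\\,' style escapes and RFC 4514 hex pairs such as '\\2C'."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            out += raw[i].encode("utf-8")
            i += 1
            continue
        pair = raw[i + 1 : i + 3]
        if len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out += bytes.fromhex(pair)  # one escaped UTF-8 byte
            i += 3
        elif i + 1 < len(raw):
            out += raw[i + 1].encode("utf-8")
            i += 2
        else:
            raise ValueError(f"dangling backslash in {raw!r}")
    return out.decode("utf-8")


def _parse_rdn(rdn: str) -> tuple[str, str]:
    attr, eq, raw_value = rdn.partition("=")
    if not eq or not _ATTR_RE.fullmatch(attr):
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr, _unescape(raw_value)


def parse_rfc4514(subject: str) -> list[tuple[str, str]]:
    """'CN=a,O=b,C=AT' -> [('C', 'AT'), ('O', 'b'), ('CN', 'a')].
    RFC 4514 lists the most specific RDN first; X.509 encodes the reverse."""
    pairs = []
    for rdn in _split_raw(subject, ","):
        if len(_split_raw(rdn, "+")) > 1:
            raise ValueError(f"multi-valued RDN not supported: {rdn!r}")
        pairs.append(_parse_rdn(rdn))
    return list(reversed(pairs))


def parse_openssl(subject: str) -> list[tuple[str, str]]:
    """'/C=AT/O=b/CN=a' -> the same list; OpenSSL order is already encoding order."""
    if not subject.startswith("/"):
        raise ValueError("OpenSSL-style subject must start with '/'")
    return [_parse_rdn(rdn) for rdn in _split_raw(subject[1:], "/")]


# Values of --subject-format; rfc4514 is the default as of django-ca 2.0.
PARSERS = {"rfc4514": parse_rfc4514, "openssl": parse_openssl}


def to_rfc4514(pairs: list[tuple[str, str]]) -> str:
    """Serialize encoding-order pairs to RFC 4514 text, escaping as required."""
    def escape(value: str) -> str:
        return "".join(
            "\\" + c if (c in _SPECIALS or (i == 0 and c in " #")
                         or (i == len(value) - 1 and c == " ")) else c
            for i, c in enumerate(value))
    return ",".join(f"{attr}={escape(value)}" for attr, value in reversed(pairs))


def check_subject(subject: str, subject_format: str = "rfc4514") -> str | None:
    """Error message if `subject` does not parse as `subject_format`, else None."""
    if subject_format not in PARSERS:
        return f"unknown subject format: {subject_format!r}"
    try:
        PARSERS[subject_format](subject)
    except ValueError as exc:
        return str(exc)
    return None
```

With a constructed subject such as `/C=AT/O=Example Inc./OU=Security, Ops/CN=example.com`, `parse_openssl` and `parse_rfc4514("CN=example.com,OU=Security\, Ops,O=Example Inc.,C=AT")` yield the same pair list, and `to_rfc4514` of that list gives back the escaped RFC 4514 string. Feeding the OpenSSL string to `check_subject` with the default format returns an error about the attribute type `/C` instead of a one-RDN subject, which is the migration mistake worth guarding against when the default flips.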

Backwards incompatible changes

* Removed support for the old `--issuer-url`, `--issuer-alt-name`, `--crl-url` and `--ocsp-url` options for `manage.py init_ca`, `manage.py edit_ca` and `manage.py import_ca` in favor of `--sign-ca-issuer`, `--sign-issuer-alternative-name`, `--sign-crl-full-name` and `--sign-ocsp-responder`.
* Support for non-standard algorithm names in profile settings was removed.
* Drop support for `Django==4.1`, `cryptography==40.x`, `acme==1.25.0` and `celery==5.2.x`.

Deprecation notices

* The default subject format will switch from OpenSSL-style to RFC 4514 in django-ca 2.0.
* Support for OpenSSL-style subjects will be removed in django-ca 2.2.
* This is the last release to support Django 3.2.
* This is the last release to support acme 2.6.0.
* This is the last release to support Alpine 3.16.

REST API changes

**NOTE:** The [REST API](https://django-ca.readthedocs.io/en/1.27.0/rest_api.html) is still experimental and endpoints will change without notice.

* Certificate issuance is now asynchronous, similar to how certificates are issued via ACME. This enables using CAs where the private key is not directly available to the web server.
* The REST API must now be enabled explicitly for each certificate authority. This can be done via the admin interface or the `--enable-api` flag for `manage.py init_ca`, `manage.py edit_ca` and `manage.py import_ca`.

1.26.0

* Support for `cryptography==39` and `acme==2.4.0` is deprecated (other versions may be removed depending on release time).
* Support for using `ECC` and `EdDSA` as key type is deprecated. Use `EC` and `Ed25519` instead.
* The `--pathlen` and `--no-pathlen` parameters to `manage.py init_ca` will be removed. Use `--path-length` and `--no-path-length` instead.
* Support for comma-separated lists in `--key-usage`, `--extended-key-usage` and `--tls-feature` is deprecated. Use lists instead (e.g. `--key-usage keyAgreement keyEncipherment` instead of `--key-usage keyAgreement,keyEncipherment`).
* Support for the non-standard TLS feature names "OCSPMustStaple" and "MultipleCertStatusRequest" is deprecated. Use `status_request` and `status_request_v2` instead.

1.25.0

* This is the last release to support acme 2.3.0 and cryptography 38 (cryptography 37 is still supported, see [Warning: cryptography version 38](https://django-ca.readthedocs.io/en/1.24.0/quickstart_as_app.html#cryptography-38-warning)).
* Support for the `CA_DIGEST_ALGORITHM` setting is deprecated, use `CA_DEFAULT_SIGNATURE_HASH_ALGORITHM` instead.
* Support for the `CA_DEFAULT_ECC_CURVE` setting is deprecated, use `CA_DEFAULT_ELLIPTIC_CURVE` instead.
* Support for non-standard algorithm names is deprecated (e.g. `sha512`; use `SHA-512` instead).
* Support for non-standard elliptic curve names is deprecated (e.g. `SECP384R1`; use `secp384r1` instead).
