django_ca.models - django-ca models

Note that both CertificateAuthority and Certificate inherit from X509CertMixin, which provides many convenience methods.

CertificateAuthority

class django_ca.models.CertificateAuthority(id, created, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, name, enabled, parent, private_key_path, crl_url, issuer_url, ocsp_url, issuer_alt_name)
allows_intermediate_ca

Whether this CA allows creating intermediate CAs.

bundle

A list of any parent CAs, including this CA.

The list is ordered so the Root CA will be the first.

max_pathlen

The maximum pathlen for any intermediate CAs signed by this CA.

This value is either None, if this and all parent CAs don’t have a pathlen attribute, or an int if any parent CA has the attribute.

name

Human-readable name of the CA, only used for displaying the CA.

pathlen

The pathlen attribute of the BasicConstraints extension (either an int or None).
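The attributes above interact: bundle is the chain from the root down to this CA, and max_pathlen is the tightest BasicConstraints pathlen once every ancestor's limit has been reduced by the number of CAs below it (the RFC 5280 pathLenConstraint rule). The following stand-in is an added example, not django-ca's own model code; the CA class and its names are assumptions made for illustration, and it only models the documented semantics, without any database or key handling.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not django-ca's own code: a minimal stand-in for the
# CertificateAuthority model that reproduces the documented semantics of
# pathlen, bundle, max_pathlen and allows_intermediate_ca.


@dataclass
class CA:
    name: str
    pathlen: Optional[int] = None  # BasicConstraints pathlen, None if the extension has none
    parent: Optional["CA"] = None  # None for a root CA

    @property
    def bundle(self) -> List["CA"]:
        """All parent CAs plus this CA, ordered so the root comes first."""
        chain = []
        ca: Optional["CA"] = self
        while ca is not None:
            chain.append(ca)
            ca = ca.parent
        return list(reversed(chain))

    @property
    def max_pathlen(self) -> Optional[int]:
        """Effective pathlen for intermediate CAs signed by this CA.

        None if neither this CA nor any parent carries a pathlen. Otherwise the
        smallest remaining allowance: each ancestor's pathlen minus the number of
        CAs between that ancestor and this one (RFC 5280 pathLenConstraint).
        """
        limits = []
        # depth 0 is this CA, depth 1 its parent, and so on up to the root
        for depth, ca in enumerate(reversed(self.bundle)):
            if ca.pathlen is not None:
                limits.append(ca.pathlen - depth)
        return min(limits) if limits else None

    @property
    def allows_intermediate_ca(self) -> bool:
        """An unconstrained chain allows it; a constrained one needs allowance left."""
        max_pathlen = self.max_pathlen
        return max_pathlen is None or max_pathlen > 0


if __name__ == "__main__":
    root = CA("root", pathlen=2)
    intermediate = CA("intermediate", parent=root)
    sub_ca = CA("sub-ca", parent=intermediate)
    for ca in sub_ca.bundle:
        print(ca.name, ca.max_pathlen, ca.allows_intermediate_ca)
```

A root with pathlen 2 leaves an intermediate with max_pathlen 1 and a second-level CA with 0, so the latter must not issue further CAs even though its own certificate carries no pathlen at all. A negative result means the chain already violates an ancestor's constraint and should be treated as invalid.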

Manager methods

CertificateAuthorityManager is the default manager for CertificateAuthority, meaning you can access it using CertificateAuthority.objects, e.g.:

>>> from django_ca.models import CertificateAuthority
>>> CertificateAuthority.objects.init(...)
class django_ca.managers.CertificateAuthorityManager
init(name, subject, expires=None, algorithm=None, parent=None, pathlen=None, issuer_url=None, issuer_alt_name=None, crl_url=None, ocsp_url=None, ca_issuer_url=None, ca_crl_url=None, ca_ocsp_url=None, name_constraints=None, password=None, parent_password=None, ecc_curve=None, key_type='RSA', key_size=None)

Create a new certificate authority.

Parameters:
name : str

The name of the CA. This can be a human-readable string and is used for administrative purposes only.

algorithm : str or HashAlgorithm, optional

Hash algorithm used when signing the certificate. If a string is passed, it must be the name of one of the hashes in hashes, e.g. "SHA512". This method also accepts instances of HashAlgorithm, e.g. SHA512. The default is the CA_DIGEST_ALGORITHM setting.

subject : Subject

Subject string, e.g. Subject("/CN=example.com").

expires : datetime, optional

Datetime for when this certificate authority will expire, defaults to the CA_DEFAULT_EXPIRES setting.

parent : CertificateAuthority, optional

Parent certificate authority for the new CA. This means that this CA will be an intermediate authority.

pathlen : int, optional
password : bytes, optional

Password to encrypt the private key with.

parent_password : bytes, optional

Password that the private key of the parent CA is encrypted with.

ecc_curve : str or EllipticCurve, optional

The elliptic curve to use for ECC type keys, passed verbatim to parse_key_curve().

key_type: str, optional

The type of private key to generate, must be one of "RSA", "DSA" or "ECC", with "RSA" being the default.

key_size : int, optional

Integer specifying the key size, which must be a power of two (e.g. 2048, 4096, …). It is unused if key_type="ECC" but required otherwise.

Raises:
ValueError

For various cases of wrong input data (e.g. key_size not being a power of two).

PermissionError

If the private key file cannot be written to disk.
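The key_type and key_size rules above are the kind of input check a caller wants to apply before invoking init(), since a rejected call only surfaces as a ValueError after the subject and URLs have been assembled. The validator below is an added example, not django-ca's own code: it implements exactly the documented constraints (key_type in RSA/DSA/ECC, key_size required and a power of two unless key_type is ECC) and adds one assumption of its own, a configurable minimum size, because 512 and 1024 are powers of two and would otherwise pass.

```python
from typing import Any, Dict, Optional

# Added example, not django-ca's own code: validates the key-related
# arguments of CertificateAuthority.objects.init() as the documentation
# describes them. VALID_KEY_TYPES is taken from the page; the minimum key
# size is an assumption of this example, not a django-ca rule.

VALID_KEY_TYPES = ("RSA", "DSA", "ECC")
DEFAULT_MIN_KEY_SIZE = 2048  # assumption: floor a practitioner would enforce today


def is_power_of_two(n: Any) -> bool:
    """True for 1, 2, 4, 8, ... ; False for zero, negatives and non-integers."""
    return isinstance(n, int) and not isinstance(n, bool) and n > 0 and (n & (n - 1)) == 0


def validate_key_args(key_type: str = "RSA", key_size: Optional[int] = None,
                      ecc_curve: Optional[str] = None,
                      min_key_size: int = DEFAULT_MIN_KEY_SIZE) -> Dict[str, Any]:
    """Return the key arguments to pass to init(), or raise ValueError."""
    if key_type not in VALID_KEY_TYPES:
        raise ValueError(f"{key_type!r}: key_type must be one of {', '.join(VALID_KEY_TYPES)}")

    if key_type == "ECC":
        # key_size is documented as unused for ECC; drop it so nothing relies on it
        return {"key_type": key_type, "ecc_curve": ecc_curve}

    if key_size is None:
        raise ValueError(f"key_size is required when key_type={key_type!r}")
    if not is_power_of_two(key_size):
        raise ValueError(f"{key_size!r}: key_size must be a power of two")
    if key_size < min_key_size:
        # Not a django-ca rule: weak-but-valid sizes such as 1024 are rejected here
        raise ValueError(f"{key_size}: key_size below the configured minimum of {min_key_size}")
    return {"key_type": key_type, "key_size": key_size}


def rejects(**kwargs: Any) -> bool:
    """Helper for callers and tests: True if validate_key_args raises ValueError."""
    try:
        validate_key_args(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(validate_key_args("RSA", 4096))
    print(validate_key_args("ECC", ecc_curve="SECP256R1"))
    print(rejects(key_type="RSA", key_size=3000))
```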

Certificate

class django_ca.models.Certificate(id, created, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, ca, csr)
bundle

The complete certificate bundle. This includes all CAs as well as the certificate itself.

Manager methods

CertificateManager is the default manager for Certificate, meaning you can access it using Certificate.objects, e.g.:

>>> from django_ca.models import Certificate
>>> Certificate.objects.init(...)
class django_ca.managers.CertificateManager
init(ca, csr, **kwargs)

Create a signed certificate from a CSR and store it to the database.

All parameters are passed on to Certificate.objects.sign_cert().

sign_cert(ca, csr, expires=None, algorithm=None, subject=None, cn_in_san=True, csr_format=Encoding.PEM, subjectAltName=None, key_usage=None, extended_key_usage=None, tls_feature=None, password=None)

Create a signed certificate from a CSR.

PLEASE NOTE: This function creates the raw certificate and is usually not invoked directly. It is called by Certificate.objects.init(), which passes along all parameters unchanged and saves the raw certificate to the database.

Parameters:
ca : CertificateAuthority

The certificate authority to sign the certificate with.

csr : str

A valid CSR. The format is given by the csr_format parameter.

expires : datetime, optional

Datetime for when this certificate will expire, defaults to the CA_DEFAULT_EXPIRES setting.

algorithm : str or HashAlgorithm, optional

Hash algorithm used when signing the certificate. If a string is passed, it must be the name of one of the hashes in hashes, e.g. "SHA512". This method also accepts instances of HashAlgorithm, e.g. SHA512. The default is the CA_DIGEST_ALGORITHM setting.

subject : Subject, optional

The Subject to use in the certificate. If this value is not passed or if the value does not contain a CommonName, the first value of the subjectAltName parameter is used as CommonName.

cn_in_san : bool, optional

Whether the CommonName should also be included as subjectAlternativeName. The default is True, but the parameter is ignored if no CommonName is given. This is typically set to False when creating a client certificate, where the subject's CommonName has no meaningful value as subjectAltName.

csr_format : Encoding, optional

The format of the CSR. The default is PEM.

subjectAltName : list of str, optional

A list of values for the subjectAltName extension. Values are passed to parse_general_name(), see function documentation for how this value is parsed.

key_usage : KeyUsage, optional

Value for the keyUsage X509 extension.

extended_key_usage : ExtendedKeyUsage, optional

Value for the extendedKeyUsage X509 extension.

tls_feature : TLSFeature, optional

Value for the TLSFeature X509 extension.

password : bytes, optional

Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted.

Returns:
cryptography.x509.Certificate

The signed certificate.
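The subject, subjectAltName and cn_in_san parameters above are resolved together: a missing CommonName is taken from the first subjectAltName value, and an explicit CommonName is mirrored into the subjectAltName list unless cn_in_san is False. The function below is an added example, not django-ca's own code, that makes those documented rules explicit. It represents the Subject as a plain dict of attribute to value (the page's Subject class is assumed, not imported) and keeps subjectAltName entries as strings, whereas the real method passes them through parse_general_name(); the position at which the CommonName is appended is a choice of this example.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not django-ca's own code: models the documented interplay of
# the subject, subjectAltName and cn_in_san parameters of sign_cert().
# Subject is a plain dict here; SAN values stay as strings (assumptions made
# for illustration, since the real method parses them as general names).

Subject = Dict[str, str]


def resolve_names(subject: Optional[Subject] = None,
                  subjectAltName: Optional[List[str]] = None,
                  cn_in_san: bool = True) -> Tuple[Subject, List[str]]:
    """Return the (subject, subjectAltName) pair that ends up in the certificate."""
    subject = dict(subject or {})
    san = list(subjectAltName or [])

    if "CN" not in subject:
        # Documented rule: without a CommonName, the first SAN value becomes the CN.
        # Nothing to mirror afterwards, so cn_in_san is ignored in this branch.
        if not san:
            raise ValueError("Must pass at least a CommonName or one subjectAltName value")
        subject["CN"] = san[0]
        return subject, san

    if cn_in_san and subject["CN"] not in san:
        # Documented default: the CN is also included as a SAN. Clients typically
        # disable this because a user name is not a valid DNS name.
        san.append(subject["CN"])  # appended at the end: a choice of this example
    return subject, san


def requires_a_name() -> bool:
    """True if resolve_names() rejects a call with neither CN nor SAN."""
    try:
        resolve_names({"O": "Example Org"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(resolve_names(subjectAltName=["example.com", "www.example.com"]))
    print(resolve_names({"CN": "example.net", "O": "Example Org"}, ["www.example.net"]))
    print(resolve_names({"CN": "alice@example.com"}, cn_in_san=False))
```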

X509CertMixin

X509CertMixin is a common base class to both CertificateAuthority and Certificate and provides many convenience attributes.

class django_ca.models.X509CertMixin(*args, **kwargs)
authority_key_identifier

The AuthorityKeyIdentifier extension, or None if it doesn’t exist.

extended_key_usage

The ExtendedKeyUsage extension, or None if it doesn’t exist.

issuer

The certificate issuer field as Subject.

key_usage

The KeyUsage extension, or None if it doesn’t exist.

not_after

Date/Time this certificate expires.

not_before

Date/Time this certificate was created.

subject

The certificate's subject as Subject.

subject_key_identifier

The SubjectKeyIdentifier extension, or None if it doesn’t exist.

tls_feature

The TLSFeature extension, or None if it doesn’t exist.

x509

The underlying cryptography.x509.Certificate.