Custom settings

You can use any of the settings understood by Django and django-ca provides some of its own settings.

From Django's settings, you especially need to configure DATABASES, SECRET_KEY, ALLOWED_HOSTS and STATIC_ROOT.

All settings used by django-ca start with the CA_ prefix. Settings are also documented at ca/ca/localsettings.py.example (view on git).

CA_CUSTOM_APPS

Default: []

This setting is only used when you use django-ca as a standalone project to let you add custom apps to the project, e.g. to add Signals.

The list gets appended to the standard INSTALLED_APPS setting. If you need more control, you can always override that setting instead.

CA_DEFAULT_ECC_CURVE

Default: "SECP256R1"

The default elliptic curve used for generating CA private keys when ECC is used.

CA_DEFAULT_EXPIRES

Default: 730

The default time, in days, that any signed certificate expires.

CA_DEFAULT_KEY_SIZE

Default: 4096

The default key size for newly created CAs (not used for CAs based on ECC).

CA_DEFAULT_PROFILE

Default: webserver

The default profile to use.

CA_DEFAULT_SUBJECT

Default: {}

The default subject to use. The keys of this dictionary are the valid fields in X509 certificate subjects. Example:

CA_DEFAULT_SUBJECT = {
    'C': 'AT',
    'ST': 'Vienna',
    'L': 'Vienna',
    'O': 'HTU Wien',
    'OU': 'Fachschaft Informatik',
    'emailAddress': 'user@example.com',
}

CA_DIGEST_ALGORITHM

Default: "sha512"

The default digest algorithm used to sign certificates. You may want to use "sha256" for older (pre-2010) clients. Note that this setting is also used by the init_ca command, so if you have any clients that do not understand sha512 hashes, you should change this beforehand.

CA_DIR

Default: "files/"

Where the root certificate is stored. The default is a files directory in the same location as your manage.py file.

CA_FILE_STORAGE

Default: 'django.core.files.storage.FileSystemStorage'

Default storage backend for files created by django-ca. The default is the same as the default for DEFAULT_FILE_STORAGE, so django-ca will still use local filesystem storage even if you configure a different storage backend in DEFAULT_FILE_STORAGE. The default uses CA_FILE_STORAGE_KWARGS to store files in a different location, since the default (MEDIA_ROOT) is commonly used to upload user-generated files that are exposed to the web by the webserver.

CA_FILE_STORAGE_KWARGS

Default: {'location': 'files/', 'file_permissions_mode': 0o600, 'directory_permissions_mode': 0o700}

Add any arguments to the storage backend configured in CA_FILE_STORAGE.

CA_NOTIFICATION_DAYS

Default: [14, 7, 3, 1, ]

Days before expiry that certificate watchers will receive notifications. By default, watchers will receive notifications 14, seven, three and one days before expiry.

CA_OCSP_URLS

Default: {}

Configuration for OCSP responders. See Run a OCSP responder for more information.

CA_PROFILES

Default: {}

Profiles determine the default values for the keyUsage and extendedKeyUsage X509 extensions. In short, they determine how your certificate can be used, be it for server and/or client authentication, e-mail signing or anything else. By default, django-ca provides these profiles:

Profile     keyUsage                                              extendedKeyUsage
client      digitalSignature                                      clientAuth
server      digitalSignature, keyAgreement, keyEncipherment       clientAuth, serverAuth
webserver   digitalSignature, keyAgreement, keyEncipherment       serverAuth
enduser     dataEncipherment, digitalSignature, keyEncipherment   clientAuth, emailProtection, codeSigning
ocsp        nonRepudiation, digitalSignature, keyEncipherment     OCSPSigning

Furthermore,

  • The keyUsage attribute is marked as critical.

  • The extendedKeyUsage attribute is marked as non-critical.

This should be fine for most use cases. But you can use the CA_PROFILES setting to either update or disable existing profiles, or to add new profiles. For that, set CA_PROFILES to a dictionary with the keys defining the profile name and the value being either:

  • None to disable an existing profile.

  • A dictionary defining the profile. If the name of the profile is an existing profile, the dictionary is updated, so you can omit a value to leave it as the default. The possible keys are:

    key                  Description
    "keyUsage"           The keyUsage X509 extension.
    "extendedKeyUsage"   The extendedKeyUsage X509 extension.
    "desc"               A human-readable description, shows up with "sign_cert -h" and in the web interface profile selection.
    "subject"            The default subject to use. If omitted, CA_DEFAULT_SUBJECT is used.
    "cn_in_san"          Whether to include the CommonName in the subjectAltName by default. The default value is True.
    "ocsp_no_check"      Set to True to include the OCSPNoCheck flag. Only makes sense for OCSP responder certificates.

Here is a full example:

# Descriptions are translatable strings, hence the gettext import.
from django.utils.translation import gettext_lazy as _

CA_PROFILES = {
    'client': {
        'desc': _('Nice description.'),
        'keyUsage': {
            'critical': True,
            'value': [
                'digitalSignature',
            ],
        },
        'extendedKeyUsage': {
            'critical': False,
            'value': [
                'clientAuth',
            ],
        },
        'subject': {
            'C': 'AT',
            'L': 'Vienna',
        },
    },

    # We really don't like the "ocsp" profile, so we remove it.
    'ocsp': None,
}

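The following is an added, self-contained model of how a CA_PROFILES value is layered on top of the built-in profiles listed in the table above; it is example code written for this page, not django-ca's own implementation. The merge rule it assumes, following the description above, is: None removes a profile, a dictionary for a known name is merged at the top level so omitted keys keep their defaults, and an unknown name adds a new profile. The "smartcard" profile name and the validation helper are hypothetical; the keyUsage bit names checked against are the ones defined in RFC 5280.

```python
import copy

# Built-in profiles as listed in the table above, with the critical flags the
# text states (keyUsage critical, extendedKeyUsage non-critical).
DEFAULT_PROFILES = {
    "client": {
        "keyUsage": {"critical": True, "value": ["digitalSignature"]},
        "extendedKeyUsage": {"critical": False, "value": ["clientAuth"]},
    },
    "server": {
        "keyUsage": {"critical": True, "value": ["digitalSignature", "keyAgreement", "keyEncipherment"]},
        "extendedKeyUsage": {"critical": False, "value": ["clientAuth", "serverAuth"]},
    },
    "webserver": {
        "keyUsage": {"critical": True, "value": ["digitalSignature", "keyAgreement", "keyEncipherment"]},
        "extendedKeyUsage": {"critical": False, "value": ["serverAuth"]},
    },
    "enduser": {
        "keyUsage": {"critical": True, "value": ["dataEncipherment", "digitalSignature", "keyEncipherment"]},
        "extendedKeyUsage": {"critical": False, "value": ["clientAuth", "emailProtection", "codeSigning"]},
    },
    "ocsp": {
        "keyUsage": {"critical": True, "value": ["nonRepudiation", "digitalSignature", "keyEncipherment"]},
        "extendedKeyUsage": {"critical": False, "value": ["OCSPSigning"]},
        "ocsp_no_check": True,
    },
}

# keyUsage bit names defined in RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = {
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
}


def effective_profiles(defaults, overrides):
    """Apply a CA_PROFILES-style override dict to the built-in profiles.

    Assumed merge rule: None disables a profile, a dict updates an existing
    profile at the top level (omitted keys keep their defaults) or adds a new one.
    """
    profiles = copy.deepcopy(defaults)  # never mutate the defaults in place
    for name, spec in overrides.items():
        if spec is None:
            profiles.pop(name, None)  # disabling an unknown profile is a no-op
            continue
        if not isinstance(spec, dict):
            raise TypeError(f"profile {name!r}: expected dict or None, got {type(spec).__name__}")
        profiles.setdefault(name, {}).update(copy.deepcopy(spec))
    return profiles


def key_usages(profiles, name):
    """Return (keyUsage values, extendedKeyUsage values) of a profile, sorted."""
    profile = profiles[name]
    return (sorted(profile["keyUsage"]["value"]), sorted(profile["extendedKeyUsage"]["value"]))


def validate_profiles(profiles):
    """Return a list of problems: missing extensions or unknown keyUsage names."""
    problems = []
    for name, profile in sorted(profiles.items()):
        for ext in ("keyUsage", "extendedKeyUsage"):
            if ext not in profile or "value" not in profile[ext]:
                problems.append(f"{name}: missing {ext}")
        for usage in profile.get("keyUsage", {}).get("value", []):
            if usage not in KEY_USAGE_BITS:
                problems.append(f"{name}: unknown keyUsage {usage!r}")
    return problems


# Constructed CA_PROFILES value mirroring the full example above, plus a
# hypothetical new "smartcard" profile to show adding one from scratch.
CA_PROFILES = {
    "client": {"desc": "Nice description.", "subject": {"C": "AT", "L": "Vienna"}},
    "ocsp": None,
    "smartcard": {
        "desc": "Client-auth profile for smartcard logins (hypothetical).",
        "keyUsage": {"critical": True, "value": ["digitalSignature"]},
        "extendedKeyUsage": {"critical": False, "value": ["clientAuth"]},
        "cn_in_san": False,
    },
}

if __name__ == "__main__":
    merged = effective_profiles(DEFAULT_PROFILES, CA_PROFILES)
    for profile_name in sorted(merged):
        ku, eku = key_usages(merged, profile_name)
        print(f"{profile_name:10} keyUsage={ku} extendedKeyUsage={eku}")
    print("problems:", validate_profiles(merged) or "none")
```

Running the script lists the effective profiles: "ocsp" is gone, "client" keeps its default keyUsage and extendedKeyUsage while gaining the description and subject, and "smartcard" appears as a new profile. The validation helper is the kind of check worth running at settings load time, since a misspelled keyUsage value in a profile would otherwise only surface when a certificate is signed.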
CA_PROVIDE_GENERIC_CRL

Default: True

If set to False, django_ca.urls will not add a CRL view. See Use generic view to host a CRL for more information.

This setting only has effect if you use django_ca as a full project or you include the django_ca.urls module somewhere in your URL configuration.