`django_ca.models` - django-ca models¶

django-ca uses three classes, called “models” in Django terminology, to store everything in the database. They are the core classes for this project, if you want to use this project programatically, you’ll have to use these classes:

CertificateAuthority is used to store certificate authorities.
Certificate is used to store certificates.
Finally, Watcher stores email addresses for who should be notified if certificates expire.

Note that both CertificateAuthority and Certificate inherit from X509CertMixin, which provides many common convenience methods.

CertificateAuthority¶

class django_ca.models.CertificateAuthority(id, created, valid_from, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, compromised, name, enabled, parent, private_key_path, crl_url, crl_number, issuer_url, ocsp_url, issuer_alt_name)[source]¶

property allows_intermediate_ca¶: Wether this CA allows creating intermediate CAs.

property bundle¶

A list of any parent CAs, including this CA.

The list is ordered so the Root CA will be the first.

generate_ocsp_key(profile='ocsp', expires=3, algorithm=None, password=None, key_size=None, key_type=None, ecc_curve=None, autogenerated=True)[source]¶

Generate OCSP keys for this CA.

Parameters

profilestr, optional: The profile to use for generating the certificate. The default is "ocsp".
expiresint or datetime, optional: Number of days or datetime when this certificate expires. The default is 3 (OCSP certificates are usually renewed frequently).
algorithmstr, optional: Passed to parse_hash_algorithm() and defaults to CA_DIGEST_ALGORITHM.
passwordbytes, optional: The password to the CA as bytes, if its private key is encrypted.
key_sizeint, optional: The key size of the private key, defaults to CA_DEFAULT_KEY_SIZE.
key_type{“RSA”, “DSA”, “ECC”}, optional: The private key type to use, the default is "RSA".
ecc_curvestr, optional: Passed to parse_key_curve(), defaults to the CA_DEFAULT_ECC_CURVE.
autogeneratedbool, optional: Set the “autogenerated” flag of the certificate. True by default, since this method is usually invoked in an automated cron-like fashion.

get_authority_key_identifier()[source]¶: Return the AuthorityKeyIdentifier extension used in certificates signed by this CA.

get_crl(expires=86400, algorithm=None, password=None, scope=None, counter=None, **kwargs)[source]¶

Generate a Certificate Revocation List (CRL).

The full_name and relative_name parameters describe how to retrieve the CRL and are used in the Issuing Distribution Point extension. The former defaults to the crl_url field, pass None to not include the value. At most one of the two may be set.

Parameters

expiresint: The time in seconds when this CRL expires. Note that you should generate a new CRL until then.
algorithmHash or str, optional: The hash algorithm to use, passed to parse_hash_algorithm(). The default is to use CA_DIGEST_ALGORITHM.
passwordbytes, optional: Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted.
scope{None, ‘ca’, ‘user’, ‘attribute’}, optional: What to include in the CRL: Use "ca" to include only revoked certificate authorities and "user" to include only certificates or None (the default) to include both. "attribute" is reserved for future use and always produces an empty CRL.
counterstr, optional: Override the counter-variable for the CRL Number extension. Passing the same key to multiple invocations will yield a different sequence then what would ordinarily be returned. The default is to use the scope as the key.
full_namelist of str or GeneralName, optional: List of general names to use in the Issuing Distribution Point extension. If not passed, use crl_url if set.
relative_nameRelativeDistinguishedName, optional: Used in Issuing Distribution Point extension, retrieve the CRL relative to the issuer.

Returns

bytes: The CRL in the requested format.

property max_pathlen¶

The maximum pathlen for any intermediate CAs signed by this CA.

This value is either None, if this and all parent CAs don’t have a pathlen attribute, or an int if any parent CA has the attribute.

name¶: Human-readable name of the CA, only used for displaying the CA.

property pathlen¶: The pathlen attribute of the BasicConstraints extension (either an int or None).

property root¶: Get the root CA for this CA.

Creating CAs¶

Use CertificateAuthority.objects.init() to create new certificate authorities. The method has many options but is designed to provide defaults that work in most cases:

>>> from django_ca.models import CertificateAuthority
>>> ca = CertificateAuthority.objects.init(
...   name='ca', subject='/CN=ca.example.com',
...   pathlen=1  # so we can create one level of intermediate CAs
... )
>>> ca
<CertificateAuthority: ca>

This CA will contain all properties and X509 extensions to be a fully functioning CA. To create an intermediate CA, simply pass the parent:

>>> child = CertificateAuthority.objects.init(
...   name='child', subject='/CN=child.example.com',
...   parent=ca)
>>> child.parent
<CertificateAuthority: ca>
>>> ca.children.all()
<CertificateAuthorityQuerySet [<CertificateAuthority: child>]>

Or to create a CA with all extensions that live CAs have, you can pass many more parameters:

>>> full = CertificateAuthority.objects.init(
...   name='full', subject='/CN=full.example.com',
...   parent=ca,  # some extensions are only valid for intermediate CAs
...   issuer_url='http://full.example.com/full.der',
...   # this CA can only sign for *.com domains:
...   name_constraints={'value': {'permitted': ['DNS:.com']}},
...
...   # CRL/OCSP URLs for signed certificates. These can be changed later:
...   crl_url=['http://full.example.com/full.crl', ],
...   ocsp_url='http://full.example.com/ocsp',
...
...   # CRL/OCSP/Issuer URLs for the CA. These are only meaningful for
...   # intermediate CAs:
...   ca_crl_url=['http://parent.example.com/parent.crl', ],
...   ca_ocsp_url='http://parent.example.com/ocsp',
...   ca_issuer_url='http://parent.example.com/parent.crt'
... )

There are some more parameters to configure how the CA will be signed:

>>> CertificateAuthority.objects.init(
...   name='props', subject='/CN=child.example.com',
...   algorithm='SHA256',  # sha512 would be the default
...   pathlen=3,  # three levels of intermediate CAs allowed,
...   password=b'foobar',  # encrypt private key with this password
...   key_size=4096,  # key size for RSA keys - unused in this example
...   key_type='ECC',  # create an ECC private key
...   ecc_curve='SECP256R1'
... )
<CertificateAuthority: props>

Here are all parameters for creating CAs:

CertificateAuthorityManager.init(name, subject, expires=None, algorithm=None, parent=None, default_hostname=None, pathlen=None, issuer_url=None, issuer_alt_name='', crl_url=None, ocsp_url=None, ca_issuer_url=None, ca_crl_url=None, ca_ocsp_url=None, name_constraints=None, password=None, parent_password=None, ecc_curve=None, key_type='RSA', key_size=None, extra_extensions=None, path='ca')[source]¶

Create a new certificate authority.

Parameters

namestr: The name of the CA. This is a human-readable string and is used for administrative purposes only.
subjectdict or str or Subject: Subject string, e.g. "/CN=example.com" or Subject("/CN=example.com"). The value is actually passed to Subject if it is not already an instance of that class.
expiresdatetime, optional: Datetime for when this certificate authority will expire, defaults to CA_DEFAULT_EXPIRES.
algorithmstr or HashAlgorithm, optional: Hash algorithm used when signing the certificate, passed to parse_hash_algorithm(). The default is the value of the CA_DIGEST_ALGORITHM setting.
parentCertificateAuthority, optional: Parent certificate authority for the new CA. Passing this value makes the CA an intermediate authority.
default_hostnamestr, optional: Override the url configured with CA_DEFAULT_HOSTNAME with a different hostname. Set to False to disable the hostname.
pathlenint, optional: Value of the path length attribute for the BasicConstraints extension.
issuer_urlstr: URL for the DER/ASN1 formatted certificate that is signing certificates.
issuer_alt_nameIssuerAlternativeName or str, optional: IssuerAlternativeName used when signing certificates. If the value is not an instance of IssuerAlternativeName, it will be passed as argument to the constructor of the class.
crl_urllist of str, optional: CRL URLs used for certificates signed by this CA.
ocsp_urlstr, optional: OCSP URL used for certificates signed by this CA. The default is no value, unless CA_DEFAULT_HOSTNAME is set.
ca_issuer_urlstr, optional: URL for the DER/ASN1 formatted certificate that is signing this CA. For intermediate CAs, this would usually be the issuer_url of the parent CA.
ca_crl_urllist of str, optional: CRL URLs used for this CA. This value is only meaningful for intermediate CAs.
ca_ocsp_urlstr, optional: OCSP URL used for this CA. This value is only meaningful for intermediate CAs. The default is no value, unless CA_DEFAULT_HOSTNAME is set.
name_constraintslist of lists or NameConstraints: List of names that this CA can sign and/or cannot sign. The value is passed to NameConstraints if the value is not already an instance of that class.
passwordbytes, optional: Password to encrypt the private key with.
parent_passwordbytes, optional: Password that the private key of the parent CA is encrypted with.
ecc_curvestr or EllipticCurve, optional: The elliptic curve to use for ECC type keys, passed verbatim to parse_key_curve().
key_type: str, optional: The type of private key to generate, must be one of "RSA", "DSA" or "ECC", with "RSA" being the default.
key_sizeint, optional: Integer specifying the key size, must be a power of two (e.g. 2048, 4096, …). Defaults to the CA_DEFAULT_KEY_SIZE, unused if key_type="ECC".
extra_extensionslist of cryptography.x509.Extension or django_ca.extensions.Extension, optional: An optional list of additional extensions to add to the certificate.
pathstr or pathlib.PurePath, optional: Where to store the CA private key (default ca).

Raises

ValueError: For various cases of wrong input data (e.g. key_size not being the power of two).
PermissionError: If the private key file cannot be written to disk.

Certificate¶

class django_ca.models.Certificate(id, created, valid_from, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, compromised, ca, csr, profile, autogenerated)[source]¶

property bundle¶: The complete certificate bundle. This includes all CAs as well as the certificates itself.

property root¶: Get the root CA for this certificate.

Manager methods¶

CertificateManager is the default manager for Certificate, meaning you can access it using Certificate.objects, e.g.:

>>> from django_ca.models import Certificate
>>> Certificate.objects.create_cert(csr=csr, ca=ca, subject='/CN=example.com')
<Certificate: example.com>

class django_ca.managers.CertificateManager(*args, **kwargs)[source]¶

create_cert(ca, csr, csr_format=<Encoding.PEM: 'PEM'>, profile=None, autogenerated=None, **kwargs)[source]¶

Create and sign a new certificate based on the given profile.

Parameters

caCertificateAuthority: The certificate authority to sign the certificate with.
csrstr or CertificateSigningRequest: A valid CSR. If not already a CertificateSigningRequest, the format is given by the csr_format parameter.
csr_formatEncoding, optional: The format of the CSR. The default is PEM.
profilestr or Profile, optional: The name of a profile or a manually created Profile instance. If not given, the profile configured by CA_DEFAULT_PROFILE is used.
autogeneratedbool, optional: Override the profiles autogenerated flag.
**kwargs: All other keyword arguments are passed to Profiles.create_cert().

X509CertMixin¶

X509CertMixin is a common base class to both CertificateAuthority and Certificate and provides many convenience attributes.

class django_ca.models.X509CertMixin(*args, **kwargs)[source]¶

authority_key_identifier¶: The AuthorityKeyIdentifier extension, or None if it doesn’t exist.

extended_key_usage¶: The ExtendedKeyUsage extension, or None if it doesn’t exist.

get_revocation_reason()[source]¶: Get the revocation reason of this certificate.

get_revocation_time()[source]¶

Get the revocation time as naive datetime.

Note that this method is only used by cryptography>=2.4.

property issuer¶: The certificate issuer field as Subject.

key_usage¶: The KeyUsage extension, or None if it doesn’t exist.

property not_after¶: Date/Time this certificate expires.

property not_before¶: Date/Time this certificate was created

property subject¶: The certificates subject as Subject.

subject_key_identifier¶: The SubjectKeyIdentifier extension, or None if it doesn’t exist.

tls_feature¶: The TLSFeature extension, or None if it doesn’t exist.

property x509¶: The underlying cryptography.x509.Certificate.

Watchers¶

class django_ca.models.Watcher(id, name, mail)[source]¶

django_ca.models - django-ca models¶

CertificateAuthority¶

Creating CAs¶

Certificate¶

Manager methods¶

X509CertMixin¶

Watchers¶

`django_ca.models` - django-ca models¶