REST API¶
Warning
This feature is still experimental, incomplete and will change without any advance notice.
django-ca provides an optional REST API based on Django Ninja. It allows you to list certificate authorities and certificates,
as well as sign and revoke certificates. The API is available at the /api/
sub path. So if you
installed django-ca at https://example.com/django-ca/, the API is available at
https://example.com/django-ca/api/, with Open API documentation available at
https://example.com/django-ca/api/docs/.
The API is disabled by default and depending how you installed django-ca, you might have to install additional dependencies manually.
Installation¶
The REST API requires the api
extra to be installed.
For example, if you use django-ca as Django app, simply install it with:
$ pip install django-ca[api]
The Docker image already has everything installed, so you don’t need to take any extra steps if you use Docker or Docker Compose.
Enable the API¶
To enable the API, you need to set the CA_ENABLE_REST_API setting to True
.
API documentation¶
You can always view the API documentation of your current django-ca version by viewing
https://example.com/django-ca/api/docs/. You can also download the current openapi.json
directly.
Below is the documentation for the current version (note that responses are currently not rendered due to this bug):
- GET /django_ca/api/ca/¶
List available certificate authorities
Retrieve a list of currently usable certificate authorities.
- Query Parameters:
expired (boolean) – Include expired CAs.
- Status Codes:
200 OK – OK
- GET /django_ca/api/ca/{serial}/¶
View certificate authority
Retrieve details of the certificate authority with the given serial.
- Parameters:
serial (string) –
- Status Codes:
200 OK – OK
- PUT /django_ca/api/ca/{serial}/¶
Update certificate authority
Update a certificate authority.
All request body fields are optional, so you can also update only individual fields.
- Parameters:
serial (string) –
- Status Codes:
200 OK – OK
- POST /django_ca/api/ca/{serial}/sign/¶
Sign a certificate
Sign a certificate.
The extensions value is completely optional and allows you to add additional extensions to the certificate. Usually extensions are defined either by the CA or by the named profile.
- Parameters:
serial (string) –
- Status Codes:
200 OK – OK
- GET /django_ca/api/ca/{serial}/certs/¶
List certificates
Retrieve certificates signed by the certificate authority named by serial.
- Parameters:
serial (string) –
- Query Parameters:
autogenerated (boolean) – Include auto-generated certificates (e.g. OCSP responder certificates).
expired (boolean) – Include expired certificates.
profile (string) – Only return certificates generated with the given profile.
revoked (boolean) – Include revoked certificates.
- Status Codes:
200 OK – OK
Utility functions¶
- django_ca.api.utils.create_api_user(username: str, password: str, view_certificateauthority: bool = True, change_certificateauthority: bool = True, sign_certificate: bool = True, view_certificate: bool = True, revoke_certificate: bool = True, **extra_fields: Any) User [source]¶
Create an API user capable of using the REST API.
By default, the user will be able to perform all actions provided by the API.
Note that unlike
create_user()
, the password argument is the second argument and mandatory. You can still pass an email address as keyword argument.>>> create_api_user("username", "password", revoke_certificate=False, email="user@example.com")
- Parameters:
- usernamestr
The username for the API user.
- passwordstr
The password for the API user.
- view_certificateauthoritybool, optional
If the user is able to list/view certificate authorities via the API.
- change_certificateauthoritybool, optional
If the user is able to update certificate authorities via the API.
- sign_certificatebool, optional
If the user is able to sign new certificates via the API.
- view_certificatebool, optional
If the user is able to list/view existing certificates via the API.
- revoke_certificatebool, optional
If the user is able to revoke certificates via the API.
- **extra_fields
Any additional keyword arguments are passed to
create_user()
.