django_ca.models - django-ca models
CertificateAuthority
class django_ca.models.CertificateAuthority(id, created, expires, pub, cn, serial, name, enabled, parent, private_key_path, crl_url, issuer_url, ocsp_url, issuer_alt_name)
Manager methods
class django_ca.managers.CertificateAuthorityManager
init(name, key_size, key_type, algorithm, expires, parent, subject, pathlen=None, issuer_url=None, issuer_alt_name=None, crl_url=None, ocsp_url=None, ca_issuer_url=None, ca_crl_url=None, ca_ocsp_url=None, name_constraints=None, password=None, parent_password=None)
Create a new certificate authority.
Parameters:
- key_size : int
  Integer, must be a power of two (e.g. 2048, 4096, ...).
- key_type : str, optional
  Either "RSA" or "DSA" for an RSA or DSA key, with "RSA" being the default.
- algorithm : HashAlgorithm
  Hash algorithm used when signing the certificate. Must be an instance of HashAlgorithm, e.g. SHA512.
- expires : datetime
  Datetime for when this certificate expires.
- parent : CertificateAuthority, optional
  Parent certificate authority for the new CA. This means that this CA will be an intermediate authority.
- subject : str
  Subject string, e.g. "/CN=example.com".
- pathlen : int, optional
- password : bytes, optional
  Password to encrypt the private key with.
- parent_password : bytes, optional
  Password that the private key of the parent CA is encrypted with.
Certificate
class django_ca.models.Certificate(id, created, expires, pub, cn, serial, ca, csr, revoked, revoked_date, revoked_reason)
Manager methods
class django_ca.managers.CertificateManager
sign_cert(ca, csr, expires, algorithm, subject=None, cn_in_san=True, csr_format=<Encoding.PEM: 'PEM'>, subjectAltName=None, keyUsage=None, extendedKeyUsage=None, password=None)
Create a signed certificate from a CSR.
X509 extensions (keyUsage, extendedKeyUsage) may either be None (in which case they are not added) or a tuple with the first value being a bool indicating if the value is critical and the second value being a byte array indicating the extension value. Example: (True, b'value')
Parameters:
- ca : CertificateAuthority
  The certificate authority to sign the certificate with.
- csr : str
  A valid CSR. The format is given by the csr_format parameter.
- expires : int
  When the certificate should expire (passed to get_cert_builder()).
- algorithm : {'sha512', 'sha256', ...}
  Algorithm used to sign the certificate. The default is the CA_DIGEST_ALGORITHM setting.
- subject : dict, optional
  The Subject to use in the certificate. The keys of this dict are the fields of an X509 subject, that is “C”, “ST”, “L”, “OU” and “CN”. If omitted or if the value does not contain a “CN” key, the first value of the subjectAltName parameter is used as CommonName (so subjectAltName is mandatory in this case).
- cn_in_san : bool, optional
  Whether the CommonName should also be included as a subjectAlternativeName. The default is True, but the parameter is ignored if no CommonName is given. This is typically set to False when creating a client certificate, where the subject's CommonName has no meaningful value as subjectAltName.
- csr_format : Encoding, optional
  The format of the CSR. The default is PEM.
- subjectAltName : list of str, optional
  A list of values for the subjectAltName extension. Values are passed to parse_general_name(), see function documentation for how this value is parsed.
- keyUsage : tuple or None
  Value for the keyUsage X509 extension. See description for format details.
- extendedKeyUsage : tuple or None
  Value for the extendedKeyUsage X509 extension. See description for format details.
- password : bytes, optional
  Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted.
Returns:
- cryptography.x509.Certificate
  The signed certificate.
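The argument rules documented above for init() (key_size) and for sign_cert() (extension tuples, CommonName/subjectAltName handling), written out as pre-flight checks. This is an added example, not django-ca code: check_key_size, check_extension and resolve_names are hypothetical helpers, names are compared as plain strings without parse_general_name(), and placing the CommonName first in the SAN list is an assumption.

```python
def check_key_size(key_size):
    """init(): key_size must be an integer power of two (2048, 4096, ...).

    Checks only the documented constraint; it says nothing about minimum strength.
    """
    if not isinstance(key_size, int) or key_size <= 0 or key_size & (key_size - 1):
        raise ValueError("key_size must be a power of two, got %r" % (key_size,))
    return key_size


def check_extension(name, value):
    """sign_cert(): keyUsage/extendedKeyUsage are None or (critical, value)."""
    if value is None:
        return None  # extension is not added to the certificate
    if not (isinstance(value, tuple) and len(value) == 2
            and isinstance(value[0], bool)
            and isinstance(value[1], (bytes, bytearray))):
        raise ValueError("%s must be None or (bool, bytes), e.g. (True, b'value')" % name)
    return value


def resolve_names(subject=None, subjectAltName=None, cn_in_san=True):
    """Return (subject, san) following the CN/SAN rules documented for sign_cert()."""
    subject = dict(subject or {})
    san = list(subjectAltName or [])
    if "CN" not in subject:
        # No CommonName given: the first SAN value is used, so a SAN is mandatory.
        # cn_in_san is ignored here, as documented.
        if not san:
            raise ValueError("subjectAltName is mandatory when the subject has no CN")
        subject["CN"] = san[0]
    elif cn_in_san and subject["CN"] not in san:
        # Assumption: the CN goes first; the page does not state the position.
        san.insert(0, subject["CN"])
    return subject, san
```

For a client certificate, resolve_names({"CN": "Alice"}, [], cn_in_san=False) leaves the SAN list empty, which matches the case the cn_in_san description calls out.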