django_ca.models - django-ca models

CertificateAuthority

class django_ca.models.CertificateAuthority(id, created, expires, pub, cn, serial, name, enabled, parent, private_key_path, crl_url, issuer_url, ocsp_url, issuer_alt_name)

Manager methods

class django_ca.managers.CertificateAuthorityManager
init(name, key_size, key_type, algorithm, expires, parent, subject, pathlen=None, issuer_url=None, issuer_alt_name=None, crl_url=None, ocsp_url=None, ca_issuer_url=None, ca_crl_url=None, ca_ocsp_url=None, name_constraints=None, password=None, parent_password=None)

Create a new certificate authority.

key_size : int
Integer, must be a power of two (e.g. 2048, 4096, ...)
key_type: str, optional
Either "RSA" or "DSA" for an RSA or DSA key, with "RSA" being the default.
algorithm : HashAlgorithm
Hash algorithm used when signing the certificate. Must be an instance of HashAlgorithm, e.g. SHA512.
expires : datetime
Datetime for when this certificate expires.
parent : CertificateAuthority, optional
Parent certificate authority for the new CA. This means that this CA will be an intermediate authority.
subject : str
Subject string, e.g. "/CN=example.com".

pathlen : int, optional
password : bytes, optional
Password to encrypt the private key with.
parent_password : bytes, optional
Password that the private key of the parent CA is encrypted with.

Certificate

class django_ca.models.Certificate(id, created, expires, pub, cn, serial, ca, csr, revoked, revoked_date, revoked_reason)
get_revocation()

Get a crypto.Revoked object or None if the cert is not revoked.

Manager methods

class django_ca.managers.CertificateManager
sign_cert(ca, csr, expires, algorithm, subject=None, cn_in_san=True, csr_format=<Encoding.PEM: 'PEM'>, subjectAltName=None, keyUsage=None, extendedKeyUsage=None, password=None)

Create a signed certificate from a CSR.

X509 extensions (keyUsage, extendedKeyUsage) may either be None (in which case they are not added) or a tuple whose first value is a bool indicating whether the extension is critical and whose second value is a byte-array giving the extension value. Example:

(True, b'value')
ca : CertificateAuthority
The certificate authority to sign the certificate with.
csr : str
A valid CSR. The format is given by the csr_format parameter.
expires : int
When the certificate should expire (passed to get_cert_builder()).
algorithm : {‘sha512’, ‘sha256’, ...}
Algorithm used to sign the certificate. The default is the CA_DIGEST_ALGORITHM setting.
subject : dict, optional
The Subject to use in the certificate. The keys of this dict are the fields of an X509 subject, that is “C”, “ST”, “L”, “OU” and “CN”. If omitted or if the value does not contain a “CN” key, the first value of the subjectAltName parameter is used as CommonName (subjectAltName is therefore mandatory in this case).
cn_in_san : bool, optional
Whether the CommonName should also be included as subjectAlternativeName. The default is True, but the parameter is ignored if no CommonName is given. This is typically set to False when creating a client certificate, where the subject's CommonName has no meaningful value as subjectAltName.
csr_format : Encoding, optional
The format of the CSR. The default is PEM.
subjectAltName : list of str, optional
A list of values for the subjectAltName extension. Values are passed to parse_general_name(), see function documentation for how this value is parsed.
keyUsage : tuple or None
Value for the keyUsage X509 extension. See description for format details.
extendedKeyUsage : tuple or None
Value for the extendedKeyUsage X509 extension. See description for format details.
password : bytes, optional
Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted.
cryptography.x509.Certificate
The signed certificate.
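
The subject/subjectAltName rules and the extension tuple format described for sign_cert(), modelled as a pre-flight check that shows which names a certificate would carry before anything is signed. This is an added example, not django-ca code: check_extension() and resolve_names() are hypothetical helpers, SAN values are treated as opaque strings, and placing the CN first in the SAN list is an assumption.

```python
# Added illustration: hypothetical helpers modelling the documented sign_cert() rules.

def check_extension(name, value):
    """Validate the (critical, value) format documented for keyUsage/extendedKeyUsage."""
    if value is None:
        return None  # documented: None means the extension is not added
    if not (isinstance(value, tuple) and len(value) == 2):
        raise ValueError(f"{name}: expected None or a (critical, value) tuple")
    critical, raw = value
    if not isinstance(critical, bool):
        raise ValueError(f"{name}: first element must be a bool (critical flag)")
    if not isinstance(raw, (bytes, bytearray)):
        raise ValueError(f"{name}: second element must be bytes, got {type(raw).__name__}")
    return critical, bytes(raw)


def resolve_names(subject=None, subjectAltName=None, cn_in_san=True):
    """Return the (subject, subjectAltName) pair the documented rules produce."""
    subject = dict(subject or {})
    san = list(subjectAltName or [])
    if "CN" not in subject:
        # No CommonName given: the first SAN value becomes the CN, so a SAN
        # is mandatory; cn_in_san is ignored in this case.
        if not san:
            raise ValueError("no CN in subject and no subjectAltName to derive it from")
        subject["CN"] = san[0]
    elif cn_in_san and subject["CN"] not in san:
        # Assumption: the CN is placed first; the page does not state the order.
        san.insert(0, subject["CN"])
    return subject, san


if __name__ == "__main__":
    # Constructed sample inputs.
    print(resolve_names({"C": "AT"}, ["example.com", "www.example.com"]))
    print(resolve_names({"CN": "alice"}, cn_in_san=False))  # client certificate
    print(check_extension("keyUsage", (True, b"value")))
```

Running the same inputs through these helpers before issuing makes it visible when a client certificate would pick up its CommonName as a subjectAltName, or when an extension would be silently left out because None was passed.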