django_ca.models - django-ca models

CertificateAuthority

class django_ca.models.CertificateAuthority(id, created, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, name, enabled, parent, private_key_path, crl_url, issuer_url, ocsp_url, issuer_alt_name)

    exception DoesNotExist

    exception MultipleObjectsReturned

    allows_intermediate_ca
        Whether this CA allows creating intermediate CAs.

Manager methods

class django_ca.managers.CertificateAuthorityManager

    init(name, key_size, key_type, algorithm, expires, parent, subject, pathlen=None, issuer_url=None, issuer_alt_name=None, crl_url=None, ocsp_url=None, ca_issuer_url=None, ca_crl_url=None, ca_ocsp_url=None, name_constraints=None, password=None, parent_password=None)
        Create a new certificate authority.

        Parameters:
        - key_size : int
          Integer, must be a power of two (e.g. 2048, 4096, …)
        - key_type : str, optional
          Either "RSA" or "DSA" for an RSA or DSA key, with "RSA" being the default.
        - algorithm : HashAlgorithm
          Hash algorithm used when signing the certificate. Must be an instance of HashAlgorithm, e.g. SHA512.
        - expires : datetime
          Datetime for when this certificate expires.
        - parent : CertificateAuthority, optional
          Parent certificate authority for the new CA. This means that this CA will be an intermediate authority.
        - subject : str
          Subject string, e.g. "/CN=example.com".
        - pathlen : int, optional
        - password : bytes, optional
          Password to encrypt the private key with.
        - parent_password : bytes, optional
          Password that the private key of the parent CA is encrypted with.

Certificate

class django_ca.models.Certificate(id, created, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, ca, csr)

    exception DoesNotExist

    exception MultipleObjectsReturned

Manager methods

class django_ca.managers.CertificateManager

    sign_cert(ca, csr, expires, algorithm, subject=None, cn_in_san=True, csr_format=<Encoding.PEM: 'PEM'>, subjectAltName=None, keyUsage=None, extendedKeyUsage=None, tls_features=None, password=None)
        Create a signed certificate from a CSR.

        X509 extensions (key_usage, ext_key_usage) may either be None (in which case they are not added) or a tuple with the first value being a bool indicating if the value is critical and the second value being a byte-array indicating the extension value. Example:

            (True, b'value')

        Parameters:
        - ca : CertificateAuthority
          The certificate authority to sign the certificate with.
        - csr : str
          A valid CSR. The format is given by the csr_format parameter.
        - expires : int
          When the certificate should expire (passed to get_cert_builder()).
        - algorithm : {‘sha512’, ‘sha256’, …}
          Algorithm used to sign the certificate. The default is the CA_DIGEST_ALGORITHM setting.
        - subject : dict, optional
          The Subject to use in the certificate. The keys of this dict are the fields of an X509 subject, that is “C”, “ST”, “L”, “OU” and “CN”. If omitted or if the value does not contain a “CN” key, the first value of the subjectAltName parameter is used as CommonName (and is obviously mandatory in this case).
        - cn_in_san : bool, optional
          Whether the CommonName should also be included as subjectAlternativeName. The default is True, but the parameter is ignored if no CommonName is given. This is typically set to False when creating a client certificate, where the subject's CommonName has no meaningful value as subjectAltName.
        - csr_format : Encoding, optional
          The format of the CSR. The default is PEM.
        - subjectAltName : list of str, optional
          A list of values for the subjectAltName extension. Values are passed to parse_general_name(), see function documentation for how this value is parsed.
        - keyUsage : tuple or None
          Value for the keyUsage X509 extension. See description for format details.
        - extendedKeyUsage : tuple or None
          Value for the extendedKeyUsage X509 extension. See description for format details.
        - tls_features : tuple
          Value for the TLS Feature X509 extension. See description for format details.
        - password : bytes, optional
          Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted.

        Returns:
        - cryptography.x509.Certificate
          The signed certificate.
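
The subject, cn_in_san and extension-tuple rules documented for sign_cert() can be checked before a request reaches the CA's private key. The following is an added example, not code from django-ca: the helper names check_extension, resolve_names and preflight are hypothetical, SAN values are compared as plain strings, and placing the CN first in the SAN list is an assumption.

```python
# Added illustration: mirrors the documented sign_cert() argument rules.
# It is not django-ca code; check_extension/resolve_names/preflight are
# hypothetical helper names.

def check_extension(name, value):
    """Accept None (extension not added) or a (critical, value) tuple."""
    if value is None:
        return None
    ok = (isinstance(value, tuple) and len(value) == 2
          and isinstance(value[0], bool)
          and isinstance(value[1], (bytes, bytearray)))
    if not ok:
        raise ValueError("%s must be None or (bool, bytes), e.g. (True, b'value')" % name)
    return value


def resolve_names(subject=None, subject_alt_name=None, cn_in_san=True):
    """Return the (subject, subjectAltName) pair the certificate would carry."""
    subject = dict(subject or {})
    san = list(subject_alt_name or [])
    if not subject.get("CN"):
        # No CommonName: the first subjectAltName value is used as CN, so a
        # SAN is mandatory and cn_in_san is ignored.
        if not san:
            raise ValueError("need a CN in subject or at least one subjectAltName")
        subject["CN"] = san[0]
    elif cn_in_san and subject["CN"] not in san:
        # Assumption: CN is placed first; the docs do not state the position.
        san.insert(0, subject["CN"])
    return subject, san


def preflight(subject=None, subjectAltName=None, cn_in_san=True,
              keyUsage=None, extendedKeyUsage=None, tls_features=None):
    """Validate arguments before they reach the CA's private key."""
    for name, value in (("keyUsage", keyUsage),
                        ("extendedKeyUsage", extendedKeyUsage),
                        ("tls_features", tls_features)):
        check_extension(name, value)
    return resolve_names(subject, subjectAltName, cn_in_san)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(preflight({"CN": "example.com"}, ["www.example.com"]))
    print(preflight({"CN": "alice"}, cn_in_san=False, keyUsage=(True, b"value")))
```

Rejecting a malformed extension tuple or a request with neither a CN nor a SAN at this stage keeps the failure out of the signing path and makes the names that will end up in the certificate visible for review.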