django_ca.models - django-ca models

CertificateAuthority

class django_ca.models.CertificateAuthority(id, created, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, name, enabled, parent, private_key_path, crl_url, issuer_url, ocsp_url, issuer_alt_name)
exception DoesNotExist
exception MultipleObjectsReturned
allows_intermediate_ca

Whether this CA allows creating intermediate CAs.

Manager methods

class django_ca.managers.CertificateAuthorityManager
init(name, key_size, key_type, algorithm, expires, parent, subject, pathlen=None, issuer_url=None, issuer_alt_name=None, crl_url=None, ocsp_url=None, ca_issuer_url=None, ca_crl_url=None, ca_ocsp_url=None, name_constraints=None, password=None, parent_password=None)

Create a new certificate authority.

Parameters:
key_size : int

Integer, must be a power of two (e.g. 2048, 4096, …)

key_type: str, optional

Either "RSA" or "DSA" for an RSA or DSA key, with "RSA" being the default.

algorithm : HashAlgorithm

Hash algorithm used when signing the certificate. Must be an instance of HashAlgorithm, e.g. SHA512.

expires : datetime

Datetime for when this certificate expires.

parent : CertificateAuthority, optional

Parent certificate authority for the new CA. This means that this CA will be an intermediate authority.

subject : Subject

Subject string, e.g. Subject("/CN=example.com").

pathlen : int, optional
password : bytes, optional

Password to encrypt the private key with.

parent_password : bytes, optional

Password that the private key of the parent CA is encrypted with.

Certificate

class django_ca.models.Certificate(id, created, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, ca, csr)
exception DoesNotExist
exception MultipleObjectsReturned

Manager methods

class django_ca.managers.CertificateManager
sign_cert(ca, csr, expires, algorithm, subject=None, cn_in_san=True, csr_format=<Encoding.PEM: 'PEM'>, subjectAltName=None, keyUsage=None, extendedKeyUsage=None, tls_features=None, password=None)

Create a signed certificate from a CSR.

X509 extensions (key_usage, ext_key_usage) may either be None (in which case they are not added) or a tuple with the first value being a bool indicating if the value is critical and the second value being a byte-array indicating the extension value. Example:

(True, b'value')
Parameters:
ca : CertificateAuthority

The certificate authority to sign the certificate with.

csr : str

A valid CSR. The format is given by the csr_format parameter.

expires : int

When the certificate should expire (passed to get_cert_builder()).

algorithm : {‘sha512’, ‘sha256’, …}

Algorithm used to sign the certificate. The default is the CA_DIGEST_ALGORITHM setting.

subject : dict, optional

The Subject to use in the certificate. The keys of this dict are the fields of an X509 subject, that is “C”, “ST”, “L”, “OU” and “CN”. If omitted, or if the value does not contain a “CN” key, the first value of the subjectAltName parameter is used as CommonName (so subjectAltName is mandatory in that case).

cn_in_san : bool, optional

Whether the CommonName should also be included as subjectAlternativeName. The default is True, but the parameter is ignored if no CommonName is given. This is typically set to False when creating a client certificate, where the subject's CommonName has no meaningful value as subjectAltName.

csr_format : Encoding, optional

The format of the CSR. The default is PEM.

subjectAltName : list of str, optional

A list of values for the subjectAltName extension. Values are passed to parse_general_name(), see function documentation for how this value is parsed.

keyUsage : tuple or None

Value for the keyUsage X509 extension. See description for format details.

extendedKeyUsage : tuple or None

Value for the extendedKeyUsage X509 extension. See description for format details.

tls_features : tuple

Value for the TLS Feature X509 extension. See description for format details.

password : bytes, optional

Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted.

Returns:
cryptography.x509.Certificate

The signed certificate.
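The two manager methods documented above, CertificateAuthorityManager.init() and CertificateManager.sign_cert(), are shown below as one worked example. It is an added example written directly against the cryptography library that django-ca builds on, not django-ca's own code: the function names (init_ca, make_csr_pem, sign_cert, issued_by, cn_of, san_values), the "DNS:"/"email:" string format accepted by the stand-in parse_general_name(), and the use of a list of usage names (instead of the byte string described above) as the second element of the (critical, value) tuples are assumptions of this example. It applies the rules the documentation states: the CN is taken from the first subjectAltName value when the subject dict has none, cn_in_san=False keeps a client's CN out of the SAN, keyUsage and extendedKeyUsage are added only when given, the CSR signature is checked before its public key is used, and the issued certificate is verified against the CA.

```python
# Added example, not django-ca's code: the work behind CertificateAuthorityManager.init() and
# sign_cert(), using `cryptography`. Names, SAN string format and extension value lists are assumed.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SUBJECT_OIDS = {"C": NameOID.COUNTRY_NAME, "ST": NameOID.STATE_OR_PROVINCE_NAME,
                "L": NameOID.LOCALITY_NAME, "O": NameOID.ORGANIZATION_NAME,
                "OU": NameOID.ORGANIZATIONAL_UNIT_NAME, "CN": NameOID.COMMON_NAME}
KEY_USAGE_FLAGS = ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
                   "key_agreement", "key_cert_sign", "crl_sign", "encipher_only", "decipher_only")
EXT_KEY_USAGE_OIDS = {"serverAuth": ExtendedKeyUsageOID.SERVER_AUTH,
                      "clientAuth": ExtendedKeyUsageOID.CLIENT_AUTH}

def parse_general_name(value):  # assumed stand-in for django-ca's parse_general_name()
    if value.startswith("email:"):
        return x509.RFC822Name(value[len("email:"):])
    return x509.DNSName(value[len("DNS:"):] if value.startswith("DNS:") else value)

def init_ca(name, expires, pathlen=None, key_size=2048, algorithm=hashes.SHA256()):
    """Root CA, i.e. init() without a parent: returns (private_key, certificate)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)  # self-signed
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(datetime.now(timezone.utc)).not_valid_after(expires)
            # path_length=None puts no limit on how many intermediate CAs may sit below this one
            .add_extension(x509.BasicConstraints(ca=True, path_length=pathlen), critical=True)
            .sign(key, algorithm))
    return key, cert

def make_csr_pem(cn):  # constructed input: a PEM CSR as a requester would submit it
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    csr = x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)

def sign_cert(ca_key, ca_cert, csr_pem, expires, algorithm=hashes.SHA256(), subject=None,
              cn_in_san=True, subjectAltName=None, keyUsage=None, extendedKeyUsage=None):
    """Documented rules: missing CN comes from SAN[0]; cn_in_san copies CN into SAN; (critical, value) tuples."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:  # requester must prove possession of the key
        raise ValueError("CSR signature does not verify")
    subject, san = dict(subject or {}), list(subjectAltName or [])
    if "CN" not in subject:
        if not san:
            raise ValueError("no CN in subject and no subjectAltName to take it from")
        subject["CN"] = parse_general_name(san[0]).value
    elif cn_in_san and subject["CN"] not in san:
        san.insert(0, subject["CN"])
    name = x509.Name([x509.NameAttribute(SUBJECT_OIDS[k], v) for k, v in subject.items()])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(ca_cert.subject)
               .public_key(csr.public_key())  # only the public key is taken from the CSR
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=expires))
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))  # not a CA
    if san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([parse_general_name(v) for v in san]), critical=False)
    if keyUsage is not None:
        critical, flags = keyUsage
        builder = builder.add_extension(
            x509.KeyUsage(**{f: f in flags for f in KEY_USAGE_FLAGS}), critical=critical)
    if extendedKeyUsage is not None:
        critical, names = extendedKeyUsage
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([EXT_KEY_USAGE_OIDS[n] for n in names]), critical=critical)
    return builder.sign(ca_key, algorithm)

def issued_by(cert, ca_cert):  # True if cert's signature verifies under the CA's RSA public key
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True

def cn_of(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def san_values(cert):
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return ext.get_values_for_type(x509.DNSName) + ext.get_values_for_type(x509.RFC822Name)

def demo():
    ca_key, ca_cert = init_ca("Example Root CA", datetime.now(timezone.utc) + timedelta(days=3650), pathlen=0)
    csr_pem = make_csr_pem("ignored.example")  # the CSR's own subject is not used
    # server certificate: the subject dict has no CN, so the first SAN value becomes the CN
    server = sign_cert(ca_key, ca_cert, csr_pem, expires=365, subject={"C": "AT", "O": "Example"},
                       subjectAltName=["example.com", "DNS:www.example.com"],
                       keyUsage=(True, ["digital_signature", "key_encipherment"]),
                       extendedKeyUsage=(False, ["serverAuth"]))
    # client certificate: the CN names a person, so cn_in_san=False keeps it out of the SAN
    client = sign_cert(ca_key, ca_cert, csr_pem, expires=365, subject={"CN": "alice"}, cn_in_san=False,
                       subjectAltName=["email:alice@example.com"], extendedKeyUsage=(False, ["clientAuth"]))
    return ca_cert, server, client
```

Call demo() to obtain the root certificate and the two issued certificates; expires is a number of days in sign_cert() and a datetime in init_ca(), mirroring the signatures above. The CA private key is held in memory here only for brevity; django-ca keeps it on disk encrypted with the password given to init(), which is why sign_cert() takes a password parameter.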