################## 2.4.0 (2025-09-28) ################## * OCSP responder certificates now have an empty subject. * Fix configuring CRL reasons for CRL distribution points for signing certificates. * Update the default Docker image to be based on Debian 13 (Trixie). ************ Command-line ************ * :command:`manage.py init_ca`, :command:`manage.py view_ca`, :command:`manage.py sign_cert` and :command:`manage.py view_cert` now output data in a unified way. They can now output the certificate data as PEM, DER, text or JSON (identical to REST API output), or just the serial (to use in further commands). * :command:`manage.py dump_ca` and :command:`manage.py dump_cert` are deprecated and will be removed in ``django-ca~=2.6.0``. Use ``view_{ca,cert} --output-format {pem,der}`` instead. * **BACKWARDS INCOMPATIBLE:** :command:`manage.py regenerate_ocsp_keys`: Removed the ``--key-type``, ``--key-size``, ``--elliptic-curve``, ``--profile``, ``algorithm`` and ``--expires`` parameters (deprecated since ``django-ca~=2.3.0``). * :command:`manage.py sign_cert`: * **BACKWARDS INCOMPATIBLE:** The ``--out`` option was removed. Simply pipe stdout instead. * :command:`manage.py resign_cert`: * **BACKWARDS INCOMPATIBLE:** :command:`manage.py resign_cert`: Removed the ``--ca``, ``--subject``, ``--profile``, ``--algorithm``, ``--ocsp-responder``, ``--ca-issuer``, ``--policy-identifier``, ``--certification-practice-statement``, ``--user-notice``, ``--crl-full-name``, ``--issuer-alternative-name``, ``--extended-key-usage``, ``--key-usage``, ``--ocsp-no-check``, ``--subject-alternative-name`` and ``--tls-feature``, as well as all arguments to mark extensions as (not) critical (deprecated since ``django-ca~=2.3.0``). If you want to resign a certificate with other parameters, simply sign a new one with the same CSR. * Do not copy the IssuerAlternativeName and FreshestCRL extensions from the source certificate (the certificate authority should provide it instead). * Unrecognized extensions (those not supported by cryptography) are now copied over verbatim from the source certificate. ******** REST API ******** * **BACKWARDS INCOMPATIBLE:** The data returned when fetching certificate authorities or certificates has changed to match the JSON data returned by the various ``manage.py`` commands. * Implement endpoint to fetch profiles (fixes `#168 `_). * Fix internal server error (HTTP 500) when authenticating with a user that does not exist. *************** Admin interface *************** * Fix clearing/updating extensions when a new certificate authority is selected while signing certificates. ************ Dependencies ************ * **BACKWARDS INCOMPATIBLE:** Dropped support for ``pydantic~=2.10.0``. * **BACKWARDS INCOMPATIBLE:** Dropped support for ``acme~=3.2.0``, ``acme~=3.3.0`` and ``acme~=4.0.0``. * Add support for ``cryptography~=46.0``. * Add support for ``acme~=4.2.0``, ``acme~=5.0.0`` and ``josepy~=2.1.0``. * Add support for Debian 13 (Trixie). ********** Python API ********** * :py:func:`CertificateManager.objects.create_cert() ` and :py:func:`Profile.create_cert() ` now allow creating a certificate with neither a common name nor a Subject Alternative Name extension via the `allow_empty_subject` flag. * **BACKWARDS INCOMPATIBLE:** Attributes in :py:mod:`django_ca.typehints` have been renamed to ensure naming consistency: ===================================== ============================================================= old name new name ===================================== ============================================================= ``AccessMethods`` :attr:`~django_ca.typehints.AccessMethodName` ``AllowedHashTypes`` :attr:`~django_ca.typehints.SignatureHashAlgorithm` ``CertificateExtensionKeys`` :attr:`~django_ca.typehints.CertificateExtensionKey` ``ConfigurableExtensionKeys`` :attr:`~django_ca.typehints.ConfigurableExtensionKey` ``EllipticCurves`` :attr:`~django_ca.typehints.EllipticCurveName` ``EndEntityCertificateExtensionKeys`` :attr:`~django_ca.typehints.EndEntityCertificateExtensionKey` ``ExtensionKeys`` :attr:`~django_ca.typehints.ExtensionKey` ``GeneralNames`` :attr:`~django_ca.typehints.GeneralName` ``HashAlgorithms`` :attr:`~django_ca.typehints.SignatureHashAlgorithmName` ``KeyUsages`` :attr:`~django_ca.typehints.KeyUsage` ``LogEntryTypes`` :attr:`~django_ca.typehints.LogEntryTypeName` ===================================== ============================================================= * **BACKWARDS INCOMPATIBLE:** Attributes in :py:mod:`django_ca.constants` have been renamed to ensure naming consistency: ======================== =========================================================== old name new name ======================== =========================================================== ``HASH_ALGORITHM_NAMES`` :attr:`~django_ca.constants.SIGNATURE_HASH_ALGORITHM_NAMES` ``HASH_ALGORITHM_TYPES`` :attr:`~django_ca.constants.SIGNATURE_HASH_ALGORITHM_TYPES` ======================== =========================================================== ******************* Deprecation notices ******************* * This is the last release to support ``acme~=4.1.0``, ``acme~=4.2.0`` and ``josepy~=2.0.0``.