2.3.0 (2025-07-13)

  • Add support for the PrivateKeyUsagePeriod extension. Support requires that you use cryptography>=45.

  • Switch from uWSGI to Gunicorn.

  • Regenerate CRL in view if newest CRL is expired (fixes #167).

Database

  • Update models to fully support MySQL and MariaDB (fixes #165).

  • Squash migrations for a faster setup process. Old migrations will be removed in django-ca~=2.5.0.

  • Add GitHub Actions workflows to run the test suite in recent versions of MariaDB, MySQL and PostgreSQL.

Settings

  • CA_CRL_PROFILES: The scope parameter was removed (deprecated since 2.1.0). Use only_contains_* parameters instead.

  • CA_CRL_PROFILES: The encoding parameter was removed (deprecated since 2.1.0). All encodings are now always available.

  • Add support for MARIADB_* environment variables to configure MariaDB when using django-ca as a project. See Databases for more information.

  • When using the django-ca Docker container, allow configuration of which manage.py commands are run on startup. See Startup (Docker only) for more information.

Command-line

  • The --scope and --algorithm parameters to manage.py dump_crl were removed (deprecated since django-ca 2.1.0).

  • manage.py resign_cert:

    • Overriding details from the original certificate is deprecated and will be removed in django-ca~=2.4.0. This affects --ca, --subject, --profile, --algorithm, --ocsp-responder, --ca-issuer, --policy-identifier, --certification-practice-statement, --user-notice, --crl-full-name, --issuer-alternative-name, --extended-key-usage, --key-usage, --ocsp-no-check, --subject-alternative-name and --tls-feature, as well as all arguments to mark them as (not) critical. These arguments make the behavior unpredictable and make it hard to tell what the resulting certificate really looks like. If you want to sign a certificate again with different extensions, sign the certificate normally. It will still be possible to resign a certificate using a different CA.

  • manage.py regenerate_ocsp_keys:

    • Deprecate the --profile and --expires arguments. The arguments will be removed in django-ca~=2.4.0. The profile should always be “ocsp”, which can also influence certificate expiry.

    • Deprecate the --key-type, --key-size, --elliptic-curve and --algorithm arguments. The arguments will be removed in django-ca~=2.4.0. OCSP keys generated with this command then mirror the CA they are delegating for.

    • No longer require the private key to be usable where the command is invoked if Celery is used.

    • Remove default value for --expires, which masks the configured CA value.

REST API

  • Add ability to resign certificates via the API (fixes #155).

  • Add CSR when signing certificates (fixes #163).

  • The URL path for the revocation endpoint has changed. It is now /ca/{ca_serial}/certs/{certificate_serial}/revoke/ instead of /ca/{ca_serial}/revoke/{certificate_serial}/. The old API endpoint will be removed in django-ca~=2.5.0.

Dependencies

  • Add support for django~=5.2.0, Celery~=5.5.0, pydantic~=2.11.0, acme~=3.2.0, acme~=3.3.0, acme~=4.0.0 and acme~=4.1.0.

  • BACKWARDS INCOMPATIBLE: Dropped support for Python 3.9.

  • BACKWARDS INCOMPATIBLE: Dropped support for django~=4.2.0, acme~=3.0.0 and acme~=3.1.0.

  • BACKWARDS INCOMPATIBLE: Dropped support for Alpine 3.19.

Python API

Deprecation notices

  • This is the last release to support Django~=5.1.0.

  • This is the last release to support cryptography~=44.0.

  • This is the last release to support Celery~=4.4.0.

  • This is the last release to support pydantic~=2.10.0.

  • This is the last release to support acme~=3.2.0, acme~=3.3.0, acme~=4.0.0 and josepy~=1.15.0.

Views