######## Profiles ######## A profile defines default properties, including certificate extensions, for TLS certificates. These properties define who can use the certificate for what purpose, how a peer can validate it and what clients are compatible with the certificates. **django-ca** defines a set of default profiles that should be sufficient for most use cases: ============== ============================================================================================= Name Purpose ============== ============================================================================================= ``client`` Certificate can be used for TLS client authentication. ``enduser`` Certificate can be used for TLS client authentication and code and email signing. ``ocsp`` Certificate can be used for a OCSP responder, marked as automatically generated by default. ``server`` Certificate can be used for both a TLS server and a TLS client. ``webserver`` **(default)** Certificate can be used for a TLS server but not for TLS client authentication. ============== ============================================================================================= You can configure the default profile to use using the :ref:`CA_DEFAULT_PROFILE ` setting. You can also add new profiles or modify existing ones using the :ref:`CA_PROFILES ` setting. ************** Using profiles ************** You can use a profile when signing certificates: * When you use the :doc:`command line `: .. code-block:: console $ python manage.py sign_cert --client ... * In the :doc:`web_interface` you can select a profile when adding a certificate. * In the :doc:`Python API `:: >>> from django_ca.models import Certificate >>> from django_ca.profiles import profiles >>> Certificate.objects.create_cert(ca, csr, profile=profiles['client']) or by even defining a temporary profile just for this certificate:: >>> from django_ca.profiles import Profile >>> prof = Profile(...) >>> Certificate.objects.create_cert(ca, csr, profile=prof) .. _profiles-predefined: ********************** Preconfigured profiles ********************** ``client`` ========== Certificates with this profile can be used for TLS client authentication. Use it when the certificate should be used by a client to authenticate itself (not the server). It defines the following extensions and values: * KeyUsage: digital_signature * ExtendedKeyUsage: clientAuth ``webserver`` ============= Certificates with this profile can be used for TLS server authentication. Use it when the certificate should be used by a server to provide TLS connections, e.g. HTTPS. .. NOTE:: The profile name is actually a misnomer, as it cannot be used just for web servers but any server. The certificate could just as well be used by a mail server, MQTT server or anything else. It defines the following extensions: ``server`` ========== Certificates with this profile can be used for both TLS client and server authentication. Use it when the certificate should be used by a daemon that both accepts and initiates TLS connections (an example would be a federated XMPP server). It defines the following extensions and values: * KeyUsage: digital_signature, key_agreement, key_encipherment * ExtendedKeyUsage: clientAuth, serverAuth ``enduser`` =========== Certificates with this profile can be used by users to perform client authentication and sign code and emails. It defines the following extensions and values: * KeyUsage: data_encipherment, digital_signature, key_encipherment * ExtendedKeyUsage: clientAuth, codeSigning, emailProtection ``ocsp`` ======== Certificates with this profile can be used in an OCSP responder. Automatic creation of OCSP responder keys use this profile. It defines the following extensions and values: * KeyUsage: non_repudiation, digital_signature, key_encipherment * ExtendedKeyUsage: OCSPSigning * OCSPNoCheck ****************** Configure profiles ****************** You can add new profiles with the :ref:`CA_PROFILES ` setting. The setting a dictionary with the key identifying the certificate and the values configuring various aspects of certificates signed using this profile. A simple profile might look like this: .. tab:: Python .. literalinclude:: /include/config/profiles-example.py :language: python .. tab:: YAML .. literalinclude:: /include/config/profiles-example.yml :language: yaml After defining a profile, it can be immediately used with the Python API, the Admin web interface (WSGI servers typically need to reload the code to see the new profile) or the command line: .. code-block:: console $ python manage.py sign_cert -h ... profiles: Sign certificate based on the given profile. A profile only sets the the default values, options like --key- usage still override the profile. --client A certificate for a client. --server A certificate for a server, allows client and server authentication. --webserver A certificate for a webserver. --enduser A certificate for an enduser, allows client authentication, code and email signing. --ocsp A certificate for an OCSP responder. --example An example profile. Available options ================= There are many available options for a profile, of course all of them are optional: =============================== ========= ==================================================================== Option Default Description =============================== ========= ==================================================================== ``add_crl_url`` ``True`` Set to ``False`` if you don't want the CAs CRL URL added. ``add_issuer_alternative_name`` ``True`` Set to ``False`` if you don't want the CAs Issuer Alternative Name added. ``add_issuer_url`` ``True`` Set to ``False`` if you don't want the CAs Issuer URL added. ``add_ocsp_url`` ``True`` Set to ``False`` if you don't want the CAs OCSP URLs added. ``algorithm`` The algorithm used for signing, defaults to :ref:`CA_DEFAULT_SIGNATURE_HASH_ALGORITHM ` for ``RSA``/``EC`` keys. ``autogenerated`` ``False`` Set to ``True`` if you want to mark certificates from this profile as automatically generated by default. ``description`` ``''`` Informal text explaining what the profile is. ``expires`` A ``timedelta`` of when a certificate will expire, if you set an integer it will be interpreted as a number of days. This defaults to :ref:`CA_DEFAULT_EXPIRES `. ``extensions`` ``{}`` A dictionary of extensions to add. Please see below for more details. ``subject`` The default subject to use, overrides :ref:`CA_DEFAULT_SUBJECT `. =============================== ========= ==================================================================== .. _profiles-subject: Configure the subject ===================== .. Describe here how the value is used. The settings describe the syntax. The subject in a profile serves as a default value for subjects when signing certificates. You can use the :ref:`settings-ca-default-subject` setting to set a default value for all profiles. If a profile should not set any setting (despite :ref:`settings-ca-default-subject` being set), set ``False`` for the subject. The format used for the subject is the same as the :ref:`settings-ca-default-subject` setting, please refer to the settings documentation for the exact syntax. When signing via the command line or issuing certificates via ACMEv2, the subject will be sorted according to :ref:`settings-ca-default-name-order`. When issuing certificates via ACMEv2, the subject of the issued certificate will be the subject of the profile, with the first DNS name requested by the client used as common name. You can configure the profile being used for each certificate authority via the admin interface or via ``manage.py edit_ca --acme-profile``. When signing certificates via the API, this value is *not* used, the caller is expected to provide the full subject. When signing certificates via the admin interface, this subject will be the default values in the subject field of the form. When issuing certificates via the command line, the given subject is merged with the subject of the profile, with explicitly given values taking precedence. For example, given the following configuration: .. tab:: Python .. literalinclude:: /include/config/profiles_subject_example.py :language: python .. tab:: YAML .. literalinclude:: /include/config/profiles_subject_example.yaml :language: yaml ... signing a certificate with .. code-block:: console $ manage.py sign_cert --subject "CN=example.com" ... will give the certificate a subject of ``C=AT,ST=Vienna,CN=example.com``. If you sign with .. code-block:: console $ manage.py sign_cert --subject "ST=Styria,L=Graz,CN=graz.example.com" ... you will get ``C=AT,ST=Styria,L=Graz,CN=graz.example.com`` as a subject. .. _profiles-extensions: Configure extensions ==================== Many extensions (such as the Authority Key Identifier and Basic Constraints extensions) are added by default since they are required to create a useful certificate. Further extensions (such as the CRL Distribution Points and Authority Information Access) are added depending on the values for the CA you are using and the ``add_{...}_url`` settings described below. You can define any extension in a profile with a dictionary. Use the ``key`` from :py:attr:`~django_ca.constants.EXTENSION_KEYS` as a dictionary key and a dictionary as a value describing the extension. The dictionary has an optional ``critical`` key. If it is not defined, the critical value will come from :py:attr:`~django_ca.constants.EXTENSION_DEFAULT_CRITICAL`. All extensions use a ``value`` key to describe the extension value. It is usually a ``dict`` for convenience, but can also be a |Extension| or |ExtensionType| for convenience (or special cases). For example, for the Key Usage extension, use:: CA_PROFILES = { 'example': { # ... 'extensions': { 'key_usage': { 'critical': False, # usually critical, but not here for some reason 'value': ['digitalSignature'] }, }, }, } Find how to specify the ``value`` key for the most important extensions below. Authority Information Access ---------------------------- **Key:** ``authority_information_access`` .. include:: /include/profile-unusual-extension.rst The format is based on :py:class:`~django_ca.pydantic.AuthorityInformationAccessModel`. The `value` is a list of access descriptions. Each consists of an `access_method` and an `access_location`: .. pydantic-profile-extension:: authority_information_access :yaml-text: `access_method` can also be an alias from :py:attr:`~django_ca.constants.ACCESS_METHOD_TYPES`. If you do specify the extension in a profile, its access descriptions will be merged with those from the certificate authority if you create a certificate from the command line or via ACMEv2 (unless the profile specifies ``add_ocsp_url=False`` and/or ``add_issuer_url=False``). If you create a certificate via the admin interface, selecting the profile will set the value for this extension (profiles are only used to fill the form, not when actually signing the certificate). Certificate Policies -------------------- **Key:** ``certificate_policies`` .. include:: /include/profile-unusual-extension.rst The format is based on :py:class:`~django_ca.pydantic.CertificatePoliciesModel`. The `value` is a list of policy information objects. Each consists of a `policy_identifier` (a dotted string for an OID) and an optional list of `policy_qualifier` objects. A `policy_qualifier` is a list of either strings (usually a certificate practice statement) or a user notice object. Please see the model information for these more exotic use cases. .. pydantic-profile-extension:: certificate_policies When issuing certificates via the command-line, not all of the possible values can be represented. You can set a full value either here or by setting the ``sign_certificate_policies`` model field of :py:class:`~django_ca.models.CertificateAuthority`. CRL Distribution Points ----------------------- **Key:** ``crl_distribution_points`` .. include:: /include/profile-unusual-extension.rst The format is based on :py:class:`~django_ca.pydantic.CRLDistributionPointsModel`. The `value` is a list of distribution point objects. In it's (by far) most common form, it has only a `full_name` with an URI where the CRL can be downloaded. Other fields of a distribution point object are `relative_name` (an RDN), `crl_issuer` (a list of general names) and `reasons` (a set of reasons). At least one of `full_name` and `relative_name`, other values are optional. As with any name or RDN, the OID may also use an alias from :py:attr:`~django_ca.constants.NAME_OID_TYPES`. This example sets two distribution points, a common one (only a full name) and one demonstrating all the other fields. .. pydantic-profile-extension:: crl_distribution_points If you do specify the extension in a profile, the value from the certificate authority will take precedence over any value from the profile (unless the profile specifies ``add_crl_url=False``). Extended Key Usage ------------------ **Key:** ``extended_key_usage`` The `value` is a list of extended key usages as defined in `RFC 5280, section 4.2.1.12 `_. Alternatively you can also pass any valid OID as dotted string. For example: .. pydantic-profile-extension:: extended_key_usage :yaml-text: Values can be a dotted string or a name (e.g. ``"clientAuth"``). Freshest CRL ------------ **Key:** ``freshest_crl`` .. include:: /include/profile-unusual-extension.rst The syntax is the same as for the CRL Distribution Points extension. Key Usage --------- **Key:** ``key_usage`` The `value` is a list of key usages as defined in `RFC 5280, section 4.2.1.3 `_. Example: .. pydantic-profile-extension:: key_usage OCSP No Check ------------- **Key:** ``ocsp_no_check`` The `value` is optional, as the extension has no value (besides being present). .. pydantic-profile-extension:: ocsp_no_check TLS Feature ----------- **Key:** ``tls_feature`` The `value` is a list of features as defined in `RFC 7633 `_ (so ``status_request`` and ``status_request_v2``). For convenience, ``OCSPMustStaple`` and ``MultipleCertStatusRequest`` is also supported. Example: .. pydantic-profile-extension:: tls_feature The ``add_..._url`` settings ============================= By default, certificates will include some extensions based on the CA used to sign it. The CA usually defines CRL and OCSP URLs that can be used to retrieve information if the certificate is still valid. This is usually what you want, but there are some exceptions. For example, a certificate for an OCSP responder should not include the OCSP URL, as it makes no sense to validate the OCSP responder certificate using the OCSP responder itself. The ``ocsp`` profile thus already sets ``add_ocsp_url`` to ``False``. If your profile defines a CRL Distribution Points or Authority Information Access extension, CRL, OCSP and Issuer URLs from the CA will be appended if the ``add_..._url`` setting is ``True``. *********************** Update existing profile *********************** You can update an existing profile the same way as configuring a new profile. Any values will replace existing values. To update the default subject for the (predefined) ``enduser`` profile:: CA_PROFILES = { "enduser": { "subject": "/C=AT/L=Vienna/", # base for the subject when creating a new cert }, } Note that django-ca also replaces the whole ``extensions`` value. That means you cannot update one extension from the profile, you'll have to specify all extensions. **************** Remove a profile **************** You can remove a predefined profile by just setting the value to ``None``:: CA_PROFILES = { "client": None # we really don't need this one }