1.13.0 (2019-07-14)

- Add support for cryptography 2.7.
- Moved setup.py recreate_fixtures to recreate-fixtures.py. Moved all other extra setup.py commands to dev.py to remove clutter.
- Move fab init_demo to dev.py init-demo.
- Use OpenSSL instead of LibreSSL in the Dockerfile to enable testing for Alpine 3.7. The cryptography documentation also suggests OpenSSL.
- The Fabric file has been removed.
- Remove the CA_PROVIDE_GENERIC_CRL setting; the default URL configuration now includes it.
- The Docker image is now based on Alpine Linux 3.10.
- BACKWARDS INCOMPATIBLE: Drop support for cryptography 2.2.
- BACKWARDS INCOMPATIBLE: Drop support for idna 2.6.
Deprecation Notices

- This is the last release to support cryptography 2.3 and 2.4.
- This is the last release to support idna 2.7.
- This is the last release to support OCSP using oscrypto/ocspbuilder.
- CertificateRevocationListView.ca_crl is deprecated in favor of the scope parameter. If you have set ca_crl=True, just set scope="ca" instead.
- A new, more extendable format for the CA_PROFILES setting will be introduced in 1.14.0. As a result, extensions will no longer support instantiation from lists or strings, so avoid that usage wherever you can.
Extensions

- Implement the django_ca.extensions.CRLDistributionPoints and django_ca.extensions.CertificatePolicies extensions.
- Add the ipsecEndSystem, ipsecTunnel and ipsecUser extended key usage types. These are actually very rare and only occur in the “TrustID Server A52” CA.
- Extensions now consistently serialize to dictionaries.
Command-line interface

- The view_ca command will now display the full path to the private key, if possible.
- The migrate_ca command now has a --dry parameter and has updated help texts.
- The new regenerate_ocsp_keys command allows you to automatically generate the OCSP keys that are used by the new default OCSP views.
Python API

- Add the root property to CAs and certificates, returning the root Certificate Authority.
- django_ca.managers.CertificateManager.sign_cert() now also accepts a CertificateSigningRequest as the csr value.
- Add the issuer_url, crl_url, ocsp_url and issuer_alternative_name parameters to django_ca.managers.CertificateManager.sign_cert() to allow overriding or disabling the default values from the CA. Extensions that contain more than just the URL can also be passed using the extra_extensions parameter.
- Add the get_crl() function to get a CRL for the CA.
- Add the generate_ocsp_key() function to generate OCSP keys that are automatically picked up by the generic OCSP views.
- Both CertificateAuthority and Certificate now have a root property pointing to the Root CA.
OCSP

- The CA_DEFAULT_HOSTNAME setting is now used to set generic OCSP URLs by default.
- The dump_ocsp_index management command now excludes certificates that have been expired for more than a day or are not yet valid.
CRLs

Issued CRLs now conform to RFC 5280:

- Add the CRL Number extension.
- Add the Authority Key Identifier extension.
- Add the Issuing Distribution Point extension. This extension requires that you use cryptography>=2.5.
- Add support for setting an Invalidity Date (see RFC 5280, 5.3.2) for CRL entries, indicating when the certificate was compromised.
- CRL entries will no longer include a Reason Code if the reason is unspecified (as recommended in RFC 5280).
- Expose an API for creating CRLs via CertificateAuthority.get_crl().
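The following is an added example, not code from django-ca or this changelog: it uses the cryptography library to build a CRL carrying the extensions listed above and to check any parsed CRL for them (the CA name, serial number and distribution point URL are constructed values).

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import CRLEntryExtensionOID, ExtensionOID, NameOID

REQUIRED = {  # CRL extensions the 1.13.0 changelog adds for RFC 5280 conformance
    "crl_number": ExtensionOID.CRL_NUMBER,
    "authority_key_identifier": ExtensionOID.AUTHORITY_KEY_IDENTIFIER,
    "issuing_distribution_point": ExtensionOID.ISSUING_DISTRIBUTION_POINT,
}

def check_crl(crl):
    """Return {name: present} for REQUIRED plus the count of entries that still
    carry an explicit 'unspecified' Reason Code (RFC 5280 recommends omitting it)."""
    present = {ext.oid for ext in crl.extensions}
    findings = {name: oid in present for name, oid in REQUIRED.items()}
    findings["unspecified_reason_entries"] = 0
    for entry in crl:  # iterating a CRL yields its RevokedCertificate entries
        try:
            reason = entry.extensions.get_extension_for_oid(CRLEntryExtensionOID.CRL_REASON)
        except x509.ExtensionNotFound:
            continue  # no Reason Code at all, which is the recommended form
        if reason.value.reason == x509.ReasonFlags.unspecified:
            findings["unspecified_reason_entries"] += 1
    return findings

def build_sample_crl():
    """Constructed sample: throwaway CA key, CRL with CRL Number, AKI, IDP and one
    entry carrying a Reason Code and an Invalidity Date."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    now = datetime.datetime(2019, 7, 14)
    idp = x509.IssuingDistributionPoint(  # constructed URL, not a real CRL endpoint
        full_name=[x509.UniformResourceIdentifier("http://ca.example.invalid/ca.crl")],
        relative_name=None, only_contains_user_certs=False, only_contains_ca_certs=False,
        only_some_reasons=None, indirect_crl=False, only_contains_attribute_certs=False)
    revoked = (x509.RevokedCertificateBuilder().serial_number(42).revocation_date(now)
               .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
               .add_extension(x509.InvalidityDate(now - datetime.timedelta(days=1)), critical=False)
               .build())
    aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key())
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
               .last_update(now).next_update(now + datetime.timedelta(days=1))
               .add_extension(x509.CRLNumber(1), critical=False)
               .add_extension(aki, critical=False)
               .add_extension(idp, critical=True)  # RFC 5280 says IDP MUST be critical
               .add_revoked_certificate(revoked))
    return builder.sign(private_key=key, algorithm=hashes.SHA256())
```

Running check_crl() against a CRL loaded with x509.load_pem_x509_crl() gives the same report for CRLs issued by a real CA.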