1.23.0 (2023-02-18)

• Add support for cryptography 39.0.

• Add support for acme 2.2.0 and 2.3.0.

• Add support for Ed448 and Ed25519 based certificate authorities.

• Enable ACMEv2 support by default. ACMEv2 still needs to be enabled for every CA individually.

• The profile used when issuing certificates via ACMEv2 is now configurable by certificate authority. The default is the profile named in CA_DEFAULT_PROFILE instead of the “server” profile.

• The CA_DIGEST_ALGORITHM setting is now called CA_DEFAULT_SIGNATURE_HASH_ALGORITHM. Values must be a hash algorithm listed in HashAlgorithms.

• The default hash algorithm for certificate authorities with a DSA private key can now be configured using CA_DEFAULT_DSA_SIGNATURE_HASH_ALGORITHM.

• The CA_CRL_PROFILES setting allows setting overriding parameters for automatically generated CRLs. This is not a new feature, but it is now documented.

• Use yaml.safe_load to load configuration files to protect against malicious configuration.

• OCSP keys now use the same signature hash algorithm as their certificate authority by default.

• CRLs are now signed with the same signature hash algorithm as their certificate authority by default.

Standardization

A larger effort has been taken to use standard names for various parts of django-ca. Old option values are supported for a few more releases, please refer to the deprecation notices below for how long they will be supported.

• Elliptic Curve keys are now consistently referred to as “EC” instead of “ECC” and Ed25519 keys are now referred to as “Ed25519” instead of “EdDSA”. This affects the --key-type parameter of manage.py init_ca and other commands that generate private keys.

• The CA_DEFAULT_ECC_CURVE setting was renamed to CA_DEFAULT_ELLIPTIC_CURVE.

• Hash algorithms are now referred to by their standard name, e.g. “SHA-512” instead of “sha512”. Please see HashAlgorithms for all supported algorithm names.

Bugfixes

• Fixed timestamps in CRLs if USE_TZ=False. Previously, the local time as UTC was used, so freshly issued CRLs might not yet be valid depending on your systems timezone.

• Fixed the hash algorithm in OCSP responses. The same algorithm as in the request is now used, previously SHA1 was used (which happens to match the default algorithm used by OpenSSL). Some clients (e.g. openssl ocsp(1SSL)) cannot determine the status of a certificate if a different hash is used.

Deprecation notices

• This is the last release to support acme==2.1.0 and acme==2.2.0.

• Support for the CA_DIGEST_ALGORITHM setting will be removed in django-ca==1.25.0. Use the CA_DEFAULT_SIGNATURE_HASH_ALGORITHM setting instead.

• Support for the CA_DEFAULT_ECC_CURVE setting will be removed in django-ca==1.25.0. Use the CA_DEFAULT_ELLIPTIC_CURVE setting instead.

• Support for using ECC as key type will be removed django-ca==1.26.0. Use EC instead.

• Support for using EdDSA as key type will be removed in django-ca==1.26.0. Use Ed25519 instead.

• Support for non-standard hash algorithm names (e.g. sha512 instead of SHA-512 will be removed in django-ca==1.25.0. Use standard hash algorithm names instead (see HashAlgorithms for supported algorithms).

• Support for non-standard elliptic curve names (e.g. SECP256R1 instead of secp256r1 will be removed in django-ca==1.25.0. Use standard elliptic curve names instead (see ELLIPTIC_CURVE_TYPES for supported curves).

• The pre_issue_cert is will be removed in django_ca==1.24.0. Use the new pre_sign_cert signal instead.

• The subject wrapper class django_ca.subject.Subject is will be removed in django-ca==1.24.0.

• Extension wrapper classes in django_ca.extensions are will be removed in django_ca==1.24.0.

Backwards incompatible changes

• Drop support for Python 3.7.

• Drop support for Django 4.0.

• Drop support for cryptography 36.0.

• Drop support for acme 1.27.0, 1.28.0 and 1.29.0, 1.30.0, 1.31.0 and 2.0.0.

• Drop support for Alpine 3.14 and 3.15.

• Remove the acme extra.

• CA_DEFAULT_SUBJECT must no longer be a dict. Use a list or tuple instead.