1.23.0 (2023-02-18)¶
Add support for cryptography 39.0.
Add support for acme 2.2.0 and 2.3.0.
Add support for Ed448 and Ed25519 based certificate authorities.
Enable ACMEv2 support by default. ACMEv2 still needs to be enabled for every CA individually.
The profile used when issuing certificates via ACMEv2 is now configurable by certificate authority. The default is the profile named in CA_DEFAULT_PROFILE instead of the “server” profile.
The
CA_DIGEST_ALGORITHM
setting is now called CA_DEFAULT_SIGNATURE_HASH_ALGORITHM. Values must be a hash algorithm listed inHashAlgorithms
.The default hash algorithm for certificate authorities with a DSA private key can now be configured using CA_DEFAULT_DSA_SIGNATURE_HASH_ALGORITHM.
The CA_CRL_PROFILES setting allows setting overriding parameters for automatically generated CRLs. This is not a new feature, but it is now documented.
Use
yaml.safe_load
to load configuration files to protect against malicious configuration.OCSP keys now use the same signature hash algorithm as their certificate authority by default.
CRLs are now signed with the same signature hash algorithm as their certificate authority by default.
Standardization¶
A larger effort has been taken to use standard names for various parts of django-ca. Old option values are supported for a few more releases, please refer to the deprecation notices below for how long they will be supported.
Elliptic Curve keys are now consistently referred to as “EC” instead of “ECC” and Ed25519 keys are now referred to as “Ed25519” instead of “EdDSA”. This affects the
--key-type
parameter of manage.py init_ca and other commands that generate private keys.The
CA_DEFAULT_ECC_CURVE
setting was renamed toCA_DEFAULT_ELLIPTIC_CURVE
.Hash algorithms are now referred to by their standard name, e.g. “SHA-512” instead of “sha512”. Please see
HashAlgorithms
for all supported algorithm names.
Bugfixes¶
Fixed timestamps in CRLs if
USE_TZ=False
. Previously, the local time as UTC was used, so freshly issued CRLs might not yet be valid depending on your systems timezone.Fixed the hash algorithm in OCSP responses. The same algorithm as in the request is now used, previously SHA1 was used (which happens to match the default algorithm used by OpenSSL). Some clients (e.g. openssl ocsp(1SSL)) cannot determine the status of a certificate if a different hash is used.
Deprecation notices¶
This is the last release to support
acme==2.1.0
andacme==2.2.0
.Support for the
CA_DIGEST_ALGORITHM
setting will be removed indjango-ca==1.25.0
. Use the CA_DEFAULT_SIGNATURE_HASH_ALGORITHM setting instead.Support for the
CA_DEFAULT_ECC_CURVE
setting will be removed indjango-ca==1.25.0
. Use the CA_DEFAULT_ELLIPTIC_CURVE setting instead.Support for using
ECC
as key type will be removeddjango-ca==1.26.0
. UseEC
instead.Support for using
EdDSA
as key type will be removed indjango-ca==1.26.0
. UseEd25519
instead.Support for non-standard hash algorithm names (e.g.
sha512
instead ofSHA-512
will be removed indjango-ca==1.25.0
. Use standard hash algorithm names instead (seeHashAlgorithms
for supported algorithms).Support for non-standard elliptic curve names (e.g.
SECP256R1
instead ofsecp256r1
will be removed indjango-ca==1.25.0
. Use standard elliptic curve names instead (seeELLIPTIC_CURVE_TYPES
for supported curves).The
pre_issue_cert
is will be removed indjango_ca==1.24.0
. Use the newpre_sign_cert
signal instead.The subject wrapper class
django_ca.subject.Subject
is will be removed indjango-ca==1.24.0
.Extension wrapper classes in
django_ca.extensions
are will be removed indjango_ca==1.24.0
.
Backwards incompatible changes¶
Drop support for Python 3.7.
Drop support for Django 4.0.
Drop support for cryptography 36.0.
Drop support for acme 1.27.0, 1.28.0 and 1.29.0, 1.30.0, 1.31.0 and 2.0.0.
Drop support for Alpine 3.14 and 3.15.
Remove the
acme
extra.CA_DEFAULT_SUBJECT must no longer be a dict. Use a list or tuple instead.