1.27.0 (2023-11-26)¶
Note
django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see RFC 4514 subjects for migration information.
Add support for Python 3.12 and acme 2.7.0.
Update the Docker image to use Alpine Linux 3.18 with Python 3.12.
Add support for passing subjects in RFC 4514 format when creating certificate authorities and certificates via the
--subject-format=rfc4514
option. This format will become the default in django-ca 2.0.Support for subjects in OpenSSL-style format when creating certificate authorities and certificates is deprecated and will issue a warning. Support for this format will be removed in django-ca 2.2.
CA_DEFAULT_SUBJECT, subjects in profiles and CA_DEFAULT_NAME_ORDER now also support a dotted string to include arbitrary object identifiers.
CA_DEFAULT_NAME_ORDER can now be configured in YAML files.
Do not implicitly sort the subject of new certificate authorities according to CA_DEFAULT_NAME_ORDER. The user is expected to supply the correct order.
When signing certificates via the command line, implicitly sort the subject only when the profile defines a subject and/or the CommonName is not given and added via the SubjectAlternativeName extension. If neither is the case, the user is expected to supply the correct order.
Backwards incompatible changes¶
Removed support for the old
--issuer-url
,--issuer-alt-name
,--crl-url
and--ocsp-url
options for manage.py init_ca, manage.py edit_ca and manage.py import_ca in favor of--sign-ca-issuer
,--sign-issuer-alternative-name
,--sign-crl-full-name
and--sign-ocsp-responder
.Support for non-standard algorithm names in profile settings was removed.
Drop support for
Django~=4.1
,cryptography~=40
,acme==1.25.0
andcelery~=5.2
.
Deprecation notices¶
The default subject format will switch from OpenSSL-style to RFC 4514 in django-ca 2.0.
Support for OpenSSL-style subjects will be removed in django-ca 2.2.
This is the last release to support Django 3.2.
This is the last release to support acme 2.6.0.
This is the last release to support Alpine 3.16.
REST API changes¶
Note
The REST API is still experimental and endpoints will change without notice.
Certificate issuance is now asynchronous, similar to how certificates are issued via ACME. This enables using CAs where the private key is not directly available to the web server.
The REST API must now be enabled explicitly for each certificate authority. This can be done via the admin interface or the
--enable-api
flag for manage.py init_ca, manage.py edit_ca and manage.py import_ca.