2.4.0 (2025-09-28)

OCSP responder certificates now have an empty subject.
Fix configuring CRL reasons for CRL distribution points for signing certificates.
Update the default Docker image to be based on Debian 13 (Trixie).

Command-line

manage.py init_ca, manage.py view_ca, manage.py sign_cert and manage.py view_cert now output data in a unified way. They can now output the certificate data as PEM, DER, text or JSON (identical to REST API output), or just the serial (to use in further commands).
manage.py dump_ca and manage.py dump_cert are deprecated and will be removed in django-ca~=2.6.0. Use view_{ca,cert} --output-format {pem,der} instead.
BACKWARDS INCOMPATIBLE: manage.py regenerate_ocsp_keys: Removed the --key-type, --key-size, --elliptic-curve, --profile, algorithm and --expires parameters (deprecated since django-ca~=2.3.0).
manage.py sign_cert:
- BACKWARDS INCOMPATIBLE: The --out option was removed. Simply pipe stdout instead.
manage.py resign_cert:
- BACKWARDS INCOMPATIBLE: manage.py resign_cert: Removed the --ca, --subject, --profile, --algorithm, --ocsp-responder, --ca-issuer, --policy-identifier, --certification-practice-statement, --user-notice, --crl-full-name, --issuer-alternative-name, --extended-key-usage, --key-usage, --ocsp-no-check, --subject-alternative-name and --tls-feature, as well as all arguments to mark extensions as (not) critical (deprecated since django-ca~=2.3.0).
  
  If you want to resign a certificate with other parameters, simply sign a new one with the same CSR.
- Do not copy the IssuerAlternativeName and FreshestCRL extensions from the source certificate (the certificate authority should provide it instead).
- Unrecognized extensions (those not supported by cryptography) are now copied over verbatim from the source certificate.

REST API

BACKWARDS INCOMPATIBLE: The data returned when fetching certificate authorities or certificates has changed to match the JSON data returned by the various manage.py commands.
Implement endpoint to fetch profiles (fixes #168).
Fix internal server error (HTTP 500) when authenticating with a user that does not exist.

Admin interface

Fix clearing/updating extensions when a new certificate authority is selected while signing certificates.

Dependencies

BACKWARDS INCOMPATIBLE: Dropped support for pydantic~=2.10.0.
BACKWARDS INCOMPATIBLE: Dropped support for acme~=3.2.0, acme~=3.3.0 and acme~=4.0.0.
Add support for cryptography~=46.0.
Add support for acme~=4.2.0, acme~=5.0.0 and josepy~=2.1.0.
Add support for Debian 13 (Trixie).

Python API

CertificateManager.objects.create_cert() and Profile.create_cert() now allow creating a certificate with neither a common name nor a Subject Alternative Name extension via the allow_empty_subject flag.

BACKWARDS INCOMPATIBLE: Attributes in django_ca.typehints have been renamed to ensure naming consistency:

old name	new name
`AccessMethods`	`AccessMethodName`
`AllowedHashTypes`	`SignatureHashAlgorithm`
`CertificateExtensionKeys`	`CertificateExtensionKey`
`ConfigurableExtensionKeys`	`ConfigurableExtensionKey`
`EllipticCurves`	`EllipticCurveName`
`EndEntityCertificateExtensionKeys`	`EndEntityCertificateExtensionKey`
`ExtensionKeys`	`ExtensionKey`
`GeneralNames`	`GeneralName`
`HashAlgorithms`	`SignatureHashAlgorithmName`
`KeyUsages`	`KeyUsage`
`LogEntryTypes`	`LogEntryTypeName`

BACKWARDS INCOMPATIBLE: Attributes in django_ca.constants have been renamed to ensure naming consistency:

old name

new name

HASH_ALGORITHM_NAMES

SIGNATURE_HASH_ALGORITHM_NAMES

HASH_ALGORITHM_TYPES

SIGNATURE_HASH_ALGORITHM_TYPES

Deprecation notices

This is the last release to support acme~=4.1.0, acme~=4.2.0 and josepy~=2.0.0.

old name	new name
`HASH_ALGORITHM_NAMES`	`SIGNATURE_HASH_ALGORITHM_NAMES`
`HASH_ALGORITHM_TYPES`	`SIGNATURE_HASH_ALGORITHM_TYPES`