django_ca.profiles - Certificate profiles

The profiles module defines classes and methods for handling profiles.

Even if you use the Python API, in most cases you do not need to handle any instances from this module directly. Instead, you can simply pass the name of a profile. For example, to create a certificate using the webserver profile:

# Note: "csr" is a predefined variable, see https://cryptography.io/en/latest/x509/tutorial/
# "ca" is a CertificateAuthority instance, e.g. CertificateAuthority.objects.first()
>>> from cryptography import x509
>>> from cryptography.x509.oid import NameOID
>>> from django_ca.key_backends.storages import UsePrivateKeyOptions
>>> from django_ca.models import Certificate
>>> from django_ca.profiles import profiles
>>> subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, 'example.com')])
>>> key_backend_options = UsePrivateKeyOptions(password=None)
>>> Certificate.objects.create_cert(
...    ca, key_backend_options, csr, profile=profiles['webserver'], subject=subject
... )
<Certificate: example.com>

But you can also create your own profile manually to create a special type of certificate:

>>> from django_ca.models import CertificateAuthority
>>> from django_ca.profiles import Profile
>>> profile = Profile(
...     'example',
...     subject=x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, 'AT')]),
...     extensions={'ocsp_no_check': {}}
... )
>>> ca = CertificateAuthority.objects.first()
>>> profile.create_cert(ca, key_backend_options, csr, subject=subject)
<Certificate(subject=<Name(C=AT,CN=example.com)>, ...)>

class django_ca.profiles.Profile(name: str, subject: Literal[False] | Name | None = None, algorithm: Literal['SHA-224', 'SHA-256', 'SHA-384', 'SHA-512', 'SHA3/224', 'SHA3/256', 'SHA3/384', 'SHA3/512'] | None = None, extensions: dict[Literal['authority_information_access', 'authority_key_identifier', 'basic_constraints', 'certificate_policies', 'crl_distribution_points', 'extended_key_usage', 'freshest_crl', 'issuer_alternative_name', 'key_usage', 'ms_certificate_template', 'ocsp_no_check', 'precert_poison', 'precertificate_signed_certificate_timestamps', 'signed_certificate_timestamps', 'subject_alternative_name', 'subject_information_access', 'subject_key_identifier', 'tls_feature'], ProfileExtensionValue | Extension[ExtensionType] | None] | None = None, expires: int | timedelta | None = None, description: str = '', autogenerated: bool = False, add_crl_url: bool = True, add_ocsp_url: bool = True, add_issuer_url: bool = True, add_issuer_alternative_name: bool = True)

A certificate profile defining properties and extensions of a certificate.

Instances of this class usually represent profiles defined in CA_PROFILES, but you can also create your own profile to issue a different type of certificate. An instance of this class can be used to create a certificate signed by the given CA:

>>> from cryptography import x509
>>> from cryptography.x509.oid import NameOID
>>> from django_ca.profiles import Profile
>>> Profile(
...     "example",
...     subject=x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "AT")]),
...     extensions={"ocsp_no_check": {}}
... )
<Profile: example>

create_cert(ca: CertificateAuthority, key_backend_options: BaseModel, csr: CertificateSigningRequest, *, subject: Name | None = None, expires: int | datetime | timedelta | None = None, algorithm: SHA224 | SHA256 | SHA384 | SHA512 | SHA3_224 | SHA3_256 | SHA3_384 | SHA3_512 | None = None, extensions: Iterable[Extension[ExtensionType]] | None = None, add_crl_url: bool | None = None, add_ocsp_url: bool | None = None, add_issuer_url: bool | None = None, add_issuer_alternative_name: bool | None = None) -> Certificate

Create an X.509 certificate based on this profile, the passed CA and the input parameters.

This is the core function used to create X.509 certificates. In its simplest form, you only need to pass a CA, private key options, a CSR and a subject to get a valid certificate:

# Note: "ca" and "csr" are predefined variables, see the module-level example above
>>> from cryptography import x509
>>> from cryptography.x509.oid import NameOID
>>> from django_ca.key_backends.storages import UsePrivateKeyOptions
>>> from django_ca.profiles import get_profile
>>> subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, 'example.com')])
>>> key_backend_options = UsePrivateKeyOptions(password=None)
>>> profile = get_profile('webserver')
>>> profile.create_cert(ca, key_backend_options, csr, subject=subject)
<Certificate(subject=<Name(...,CN=example.com)>, ...)>

Changed in version 1.26.0: All optional arguments have to be passed as keyword arguments.

The function adds CRL, OCSP, Issuer and IssuerAlternativeName URLs taken from the CA if the profile has add_crl_url, add_ocsp_url, add_issuer_url and add_issuer_alternative_name set. The parameters of the same name on this function override the profile's values.

The expires and algorithm parameters override the corresponding profile values. Extensions passed as a list override extensions of the same type from the profile; URLs from the passed CA are still appended to these extensions unless the corresponding add_… value is False.

Parameters:

ca : CertificateAuthority
    The CA to sign the certificate with.

key_backend_options : BaseModel
    Options required for using the private key of the certificate authority.

csr : CertificateSigningRequest
    The CSR for the certificate.

subject : Name, optional
    Subject for the certificate. The value is merged with the subject of the profile. If not given, the certificate's subject is identical to the subject from the profile.

expires : int or datetime or timedelta, optional
    Override when this certificate will expire.

algorithm : HashAlgorithm, optional
    Override the hash algorithm used when signing the certificate.

extensions : list of Extension, optional
    List of additional extensions to set for the certificate. Note that values from the CA might update the passed extensions: for example, if you pass an IssuerAlternativeName extension, add_issuer_alternative_name is True and the passed CA has an IssuerAlternativeName set, that value will be appended to the extension you pass here.

add_crl_url : bool, optional
    Override whether CRL URLs from the CA are added to the certificate. If not passed, the value set in the profile is used.

add_ocsp_url : bool, optional
    Override whether OCSP URLs from the CA are added to the certificate. If not passed, the value set in the profile is used.

add_issuer_url : bool, optional
    Override whether Issuer URLs from the CA are added to the certificate. If not passed, the value set in the profile is used.

add_issuer_alternative_name : bool, optional
    Override whether IssuerAlternativeNames from the CA are added to the certificate. If not passed, the value set in the profile is used.

password : bytes or str, optional
    The password to the private key of the CA.

Returns:

cryptography.x509.Certificate
    The signed certificate.
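To make the precedence rules described above concrete, the following is an added, stand-alone illustration written for this page; it is not django_ca's implementation and imports nothing from it. Subjects are modelled as ordered (attribute, value) lists standing in for x509.Name, extensions as plain dicts keyed by extension name, and the CA as a small record holding the URLs create_cert() may add. It shows that a keyword argument such as add_crl_url overrides the profile's value only when passed, that caller-supplied extensions replace same-named profile extensions, and that CA URLs are then appended unless the resolved flag is False. The rule that a caller-supplied subject attribute replaces the profile's attribute of the same type (rather than being appended) is an assumption; the page only shows the non-conflicting case (C=AT from the profile plus CN=example.com from the caller).

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Stand-ins for the real types: an ordered list of (attribute, value) pairs plays
# the role of x509.Name, a dict keyed by extension name the role of Extension objects.
Subject = list[tuple[str, str]]
Extensions = dict[str, dict]


@dataclass
class ToyCA:
    """Constructed CA record holding the URLs that create_cert() may add."""
    crl_url: str | None = None
    ocsp_url: str | None = None
    issuer_url: str | None = None
    issuer_alternative_name: list[str] = field(default_factory=list)


@dataclass
class ToyProfile:
    """Constructed stand-in for the Profile attributes involved in input resolution."""
    name: str
    subject: Subject = field(default_factory=list)
    extensions: Extensions = field(default_factory=dict)
    add_crl_url: bool = True
    add_ocsp_url: bool = True
    add_issuer_url: bool = True
    add_issuer_alternative_name: bool = True


def merge_subject(profile_subject: Subject, subject: Subject | None) -> Subject:
    """Merge the caller's subject into the profile subject.

    Assumption (not shown on the page): a caller attribute replaces the profile's
    attribute of the same type in place; attribute types new to the profile are appended."""
    merged = list(profile_subject)
    for attr, value in subject or []:
        for i, (existing, _) in enumerate(merged):
            if existing == attr:
                merged[i] = (attr, value)
                break
        else:
            merged.append((attr, value))
    return merged


def resolve_flag(param: bool | None, profile_value: bool) -> bool:
    """An add_* keyword argument, when passed, overrides the profile's value."""
    return profile_value if param is None else param


def resolve_extensions(
    profile: ToyProfile,
    ca: ToyCA,
    extensions: Extensions | None = None,
    *,
    add_crl_url: bool | None = None,
    add_ocsp_url: bool | None = None,
    add_issuer_url: bool | None = None,
    add_issuer_alternative_name: bool | None = None,
) -> Extensions:
    """Return the extensions a certificate would get under the documented rules."""
    # Profile extensions first; caller-supplied ones replace same-named entries.
    result = {name: dict(value) for name, value in profile.extensions.items()}
    for name, value in (extensions or {}).items():
        result[name] = dict(value)

    # Authority Information Access: OCSP and issuer URLs taken from the CA.
    ocsp = [ca.ocsp_url] if ca.ocsp_url and resolve_flag(add_ocsp_url, profile.add_ocsp_url) else []
    issuers = [ca.issuer_url] if ca.issuer_url and resolve_flag(add_issuer_url, profile.add_issuer_url) else []
    if ocsp or issuers:
        aia = result.setdefault("authority_information_access", {})
        aia.setdefault("ocsp", []).extend(ocsp)
        aia.setdefault("ca_issuers", []).extend(issuers)

    # CRL Distribution Points: the CA's CRL URL.
    if ca.crl_url and resolve_flag(add_crl_url, profile.add_crl_url):
        cdp = result.setdefault("crl_distribution_points", {})
        cdp.setdefault("full_name", []).append(ca.crl_url)

    # Issuer Alternative Name: CA names are appended to whatever the caller passed.
    if ca.issuer_alternative_name and resolve_flag(
        add_issuer_alternative_name, profile.add_issuer_alternative_name
    ):
        ian = result.setdefault("issuer_alternative_name", {})
        ian.setdefault("names", []).extend(ca.issuer_alternative_name)

    return result


if __name__ == "__main__":
    # Constructed sample data mirroring the doctest above (profile subject C=AT, caller CN).
    ca = ToyCA(crl_url="http://ca.example/crl", ocsp_url="http://ca.example/ocsp")
    profile = ToyProfile("example", subject=[("C", "AT")], extensions={"ocsp_no_check": {}})
    print(merge_subject(profile.subject, [("CN", "example.com")]))
    print(resolve_extensions(profile, ca, add_crl_url=False))
```

Running the module prints the merged subject `[('C', 'AT'), ('CN', 'example.com')]` and an extension set that keeps the profile's ocsp_no_check, gains the CA's OCSP URL, and lacks a CRL Distribution Points extension because add_crl_url=False overrode the profile's default of True.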

get_expires(expires: int | datetime | timedelta | None) -> datetime

Get expiry for the given expiry timestamp.

serialize() -> SerializedProfile

Serialize the profile.