django_ca.models - django-ca models
django-ca uses three classes, called “models” in Django terminology, to store everything in the database. They are the core classes of this project; if you want to use the project programmatically, you’ll have to use these classes:
- CertificateAuthority is used to store certificate authorities.
- Certificate is used to store certificates.
- Finally, Watcher stores the email addresses of people who should be notified if certificates expire.
Note that both
Certificate inherit from
X509CertMixin, which provides many common
Certificate(id, created, valid_from, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, ca, csr)
The complete certificate bundle. This includes all CAs as well as the certificate itself.
>>> from django_ca.models import Certificate
>>> Certificate.objects.init(csr=csr, ca=ca, subject='/CN=example.com')
<Certificate: example.com>
init(ca, csr, **kwargs)
Create a signed certificate from a CSR and store it in the database.
All parameters are passed on to
sign_cert(ca, csr, expires=None, algorithm=None, subject=None, cn_in_san=True, csr_format=<Encoding.PEM: 'PEM'>, subject_alternative_name=None, key_usage=None, extended_key_usage=None, tls_feature=None, extra_extensions=None, password=None)
Create a signed certificate from a CSR.
PLEASE NOTE: This function creates the raw certificate and is usually not invoked directly. It is called by Certificate.objects.init(), which passes along all parameters unchanged and saves the raw certificate to the database.
- ca :
The certificate authority to sign the certificate with.
- csr : str
A valid CSR. The format is given by the
- expires : datetime, optional
Datetime for when this certificate will expire, defaults to the
- algorithm : str or
- subject : dict or str or
Subject string, e.g. Subject("/CN=example.com"). The value is actually passed to Subject if it is not already an instance of that class. If this value is not passed or if the value does not contain a CommonName, the first value of the subject_alternative_name parameter is used as CommonName.
- cn_in_san : bool, optional
Whether the CommonName should also be included as subjectAlternativeName. The default is True, but the parameter is ignored if no CommonName is given. This is typically set to False when creating a client certificate, where the subject’s CommonName has no meaningful value as subjectAlternativeName.
- csr_format :
The format of the CSR. The default is
- subject_alternative_name : list of str or
optional
A list of alternative names for the certificate. The value is passed to SubjectAlternativeName if not already an instance of that class.
- key_usage : str or dict or
Value for the keyUsage X509 extension. The value is passed to KeyUsage if not already an instance of that class.
- extended_key_usage : str or dict or
Value for the extendedKeyUsage X509 extension. The value is passed to ExtendedKeyUsage if not already an instance of that class.
- tls_feature : str or dict or
Value for the TLSFeature X509 extension. The value is passed to TLSFeature if not already an instance of that class.
- extra_extensions : list of
An optional list of additional extensions to add to the certificate.
- password : bytes, optional
Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted.
The signed certificate.
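The subject and cn_in_san rules documented for sign_cert() above, as an added example that is not django-ca's own code: it signs a CSR directly with the cryptography library. The helper names (sign_csr, make_demo_ca, make_demo_csr, san_names), the throwaway CA, treating every name as a DNS name and placing the CommonName first in the SAN are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _build(subject_cn, issuer, public_key, days):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(_name(subject_cn)).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=days)))

def sign_csr(ca_cert, ca_key, csr_pem, cn=None, san=(), cn_in_san=True, days=90):
    """Hypothetical helper (not django-ca code) applying the documented subject/SAN rules."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:  # requester must hold the matching private key
        raise ValueError("CSR signature is invalid")
    names = list(san)
    if cn is None:  # no CommonName given: fall back to the first alternative name
        if not names:
            raise ValueError("need a CommonName or at least one alternative name")
        cn = names[0]
    elif cn_in_san and cn not in names:  # copy the CommonName into the SAN
        names.insert(0, cn)
    builder = _build(cn, ca_cert.subject, csr.public_key(), days)
    if names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in names]), critical=False)
    return builder.sign(ca_key, hashes.SHA256())

def make_demo_ca():  # throwaway in-memory CA, constructed for this example
    key = ec.generate_private_key(ec.SECP256R1())
    builder = _build("Demo CA", _name("Demo CA"), key.public_key(), days=1)
    builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
    return builder.sign(key, hashes.SHA256()), key

def make_demo_csr(cn):  # constructed sample CSR in PEM format
    key = ec.generate_private_key(ec.SECP256R1())
    csr = x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)

def san_names(cert):
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    return san.get_values_for_type(x509.DNSName)
```

With cn_in_san=False and no alternative names the issued certificate carries no subjectAlternativeName extension at all, which suits a client certificate but would fail hostname verification for a TLS server in clients that only check the SAN.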
- ca :
None if it doesn’t exist.
Date/Time this certificate expires.
Date/Time this certificate was created