diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b7db3074e..aba99d40c 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -14,7 +14,7 @@ jobs:
 os: [ ubuntu-latest ]
 python-version: [ "3.7", "3.8", "3.9", "3.10" ]
 django-version: [ "3.2.13", "4.0.4" ]
- cryptography-version: [ "35.0.0", "36.0.2", "37.0.1" ]
+ cryptography-version: [ "35.0.0", "36.0.2", "37.0.2" ]
 acme-version: [ "1.26.0", "1.27.0" ]
 exclude:
 - python-version: "3.7"
diff --git a/Dockerfile b/Dockerfile
index 3a1eebeef..bee0236bc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # syntax = docker/dockerfile:experimental
-ARG IMAGE=python:3.10-alpine3.15
+ARG IMAGE=python:3.10-alpine3.16
 FROM $IMAGE as base
 WORKDIR /usr/src/django-ca
diff --git a/ca/django_ca/tests/tests_acme.py b/ca/django_ca/tests/tests_acme.py
index 5f9be14c2..8d2fd7314 100644
--- a/ca/django_ca/tests/tests_acme.py
+++ b/ca/django_ca/tests/tests_acme.py
@@ -105,9 +105,6 @@ def test_identifier_enum(self) -> None:
 """Test that the IdentifierType Enum is equivalent to the main ACME library."""
 actual = list(acme.messages.IdentifierType.POSSIBLE_NAMES)
- if "ip" not in actual: # pragma: acme<1.19
- actual.append("ip")
-
 self.assertCountEqual(actual, [s.value for s in IdentifierType])
diff --git a/docs/source/changelog.rst b/docs/source/changelog.rst
index 371a51060..37866e76d 100644
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@@ -6,9 +6,9 @@ ChangeLog
 .. _changelog-1.21.0:
-************
-1.21.0 (TBR)
-************
+*******************
+1.21.0 (2022-05-29)
+*******************
 .. WARNING:: 
@@ -18,7 +18,7 @@ ChangeLog
 * Update from 1.20 or earlier? See :ref:`the update notes ` to switch to named volumes.
-* Add support for cryptography 37.0.
+* Add support for cryptography 37.0 and Alpine Linux 3.16.
 * Fix issuing certificates with multiple SubjectAlternativeNames (fixes `issue 86 `_).
 * Fix overriding the default certificate expiry in profiles (fixes `issue 87
@@ -49,8 +49,9 @@ Deprecation notices
 * The ``acme`` extra will be removed in ``django-ca==1.23.0``.
 * Support for using a dict for the :ref:`CA_DEFAULT_SUBJECT ` setting will be removed in ``django-ca==1.23.0``.
+* This is the last release to support cryptography 35.0.
 * This is the last release to support Celery 5.0 (5.1+ is of course still supported).
-* This is the last release to support acme 1.23, 1.24 and 1.25.
+* This is the last release to support acme 1.23, 1.24, 1.25 and 1.26.
 .. _changelog-1.20.1:
diff --git a/docs/source/docker.rst b/docs/source/docker.rst
index 211ebf5ec..b51032c7d 100644
--- a/docs/source/docker.rst
+++ b/docs/source/docker.rst
@@ -173,7 +173,7 @@ You thus need to start two containers with slightly different configuration:
 .. code-block:: console
- user@host:~$ docker run \
+ user@host:~$ docker run -d \
 > -e WAIT_FOR_CONNECTIONS=postgres:5432 \
 > -v `pwd`/localsettings.yaml:/usr/src/django-ca/ca/conf/localsettings.yaml \
 > -v static:/usr/share/django-ca/static/ \
@@ -182,7 +182,7 @@ You thus need to start two containers with slightly different configuration:
 > -v ocsp_key_dir:/var/lib/django-ca/certs/ocsp/ \
 > -v nginx_config:/usr/src/django-ca/nginx/ \
 > --name=frontend --network=django-ca mathiasertl/django-ca
- user@host:~$ docker run \
+ user@host:~$ docker run -d \
 > -e WAIT_FOR_CONNECTIONS=postgres:5432 \
 > -v `pwd`/localsettings.yaml:/usr/src/django-ca/ca/conf/localsettings.yaml \
 > -v backend_ca_dir:/var/lib/django-ca/certs/ \
diff --git a/docs/source/release.rst b/docs/source/release.rst
index 0c14bb5e2..807569c9f 100644
--- a/docs/source/release.rst
+++ b/docs/source/release.rst
@@ -156,6 +156,16 @@ Check that the same fails in the frontend container (because the root CA is only
 ... manage sign_cert: error: argument --ca: Root: ca/...key: Private key does not exist.
+But you can create a certificate for the "Child" CA in the frontend container:
+
+.. code-block:: console
+
+ $ cat ca/django_ca/tests/fixtures/child-cert.csr | \ > docker-compose exec -T frontend manage sign_cert --ca=Intermediate \ > --subject="/CN=signed-in-frontend.example.com"
+ Please paste the CSR:
+ ...
+
 Finally, verify that CRL and OCSP validation works:
 .. code-block:: console
@@ -177,9 +187,17 @@ Test that a restart works:
 .. code-block:: console
 $ docker-compose down
- $ docker-compose up
+ $ docker-compose up -d
 $ docker-compose exec backend manage list_cas
 $ docker-compose exec backend manage list_certs
+ $ cat ca/django_ca/tests/fixtures/root-cert.csr | \ > docker-compose exec -T backend manage sign_cert --ca=Root \ > --subject="/CN=signed-in-backend.example.com"
+ $ cat ca/django_ca/tests/fixtures/child-cert.csr | \ > docker-compose exec -T frontend manage sign_cert --ca=Intermediate \ > --subject="/CN=signed-in-frontend.example.com"
+ Please paste the CSR:
+ ...
 ... and validate that the admin interface still sees the intermediate CA.
diff --git a/pyproject.toml b/pyproject.toml
index 1a868fea0..cb21b33a0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,19 +4,19 @@ requires = ["setuptools>=45", "wheel"]
 [django-ca.release]
 # https://devguide.python.org/#status-of-python-branches
-python = ["3.7.13", "3.8.13", "3.9.11", "3.10.3"]
+python = ["3.7.13", "3.8.13", "3.9.13", "3.10.4"]
 # https://www.djangoproject.com/download/
 django = ["3.2.13", "4.0.4"]
-cryptography = ["35.0.0", "36.0.2", "37.0.1"]
+cryptography = ["35.0.0", "36.0.2", "37.0.2"]
 acme = ["1.23.0","1.24.0", "1.25.0", "1.26.0", "1.27.0"]
 idna = ["3.2", "3.3"]
 josepy = ["1.13.0"]
 # https://alpinelinux.org/releases/
-alpine = ["3.14", "3.15"]
+alpine = ["3.14", "3.15", "3.16"]
 # The last django-ca release
-last_release = "1.20.1"
+last_release = "1.21.0"
 [tool.black]
 line-length = 110
diff --git a/scripts/celery.sh b/scripts/celery.sh
index d9efb6a1f..3c6f8e31a 100755
--- a/scripts/celery.sh
+++ b/scripts/celery.sh
@@ -1,7 +1,7 @@
 #!/bin/sh -e
 DJANGO_CA_SECRET_KEY=${DJANGO_CA_SECRET_KEY:-}
-DJANGO_CA_SECRET_KEY_FILE=${DJANGO_CA_SECRET_KEY_FILE:-/var/lib/django-ca/secret_key}
+DJANGO_CA_SECRET_KEY_FILE=${DJANGO_CA_SECRET_KEY_FILE:-/var/lib/django-ca/certs/ca/shared/secret_key}
 if [ -z "${DJANGO_CA_SECRET_KEY}" ]; then
 KEY_DIR=`dirname $DJANGO_CA_SECRET_KEY_FILE`
diff --git a/scripts/uwsgi.sh b/scripts/uwsgi.sh
index 3bbf3b442..0448fc2e7 100755
--- a/scripts/uwsgi.sh
+++ b/scripts/uwsgi.sh
@@ -10,7 +10,7 @@ if [ ! -e ${DJANGO_CA_UWSGI_INI} ]; then
 fi
 DJANGO_CA_SECRET_KEY=${DJANGO_CA_SECRET_KEY:-}
-DJANGO_CA_SECRET_KEY_FILE=${DJANGO_CA_SECRET_KEY_FILE:-/var/lib/django-ca/secret_key}
+DJANGO_CA_SECRET_KEY_FILE=${DJANGO_CA_SECRET_KEY_FILE:-/var/lib/django-ca/certs/ca/shared/secret_key}
 if [ -z "${DJANGO_CA_SECRET_KEY}" ]; then
 KEY_DIR=`dirname $DJANGO_CA_SECRET_KEY_FILE`
diff --git a/tox.ini b/tox.ini
index 39397cf73..b35215d84 100644
--- a/tox.ini
+++ b/tox.ini
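Review bot: The new default for `DJANGO_CA_SECRET_KEY_FILE` in scripts/celery.sh moves the Django secret key for every deployment that relied on the old default path, and the scripts/uwsgi.sh hunk makes the identical change, so both are affected. If the block after `KEY_DIR=` creates a key when the file is missing (that block continues past the hunk, so I can only infer it from the variable name), an upgraded container will mint a fresh key at `/var/lib/django-ca/certs/ca/shared/secret_key` while the one at `/var/lib/django-ca/secret_key` is orphaned, invalidating existing sessions, password-reset links and anything else signed with `SECRET_KEY`. The changelog hunk in this same diff does not mention the move, so the 1.21.0 notes should tell operators either to set `DJANGO_CA_SECRET_KEY_FILE` explicitly or to move the file to the new path; the `shared` segment suggests the intent is for frontend and backend containers to read one key from a common volume, which a note would also make explicit. A one-line comment above the default would document the reason in the script itself, e.g. `# Default lives under certs/ca/shared so that a frontend/backend pair sharing that volume use the same SECRET_KEY (confirm against docker-compose volumes)`. Because the key now sits in the same tree as CA material, the mode the rest of the script applies to `KEY_DIR` (outside the hunk) is worth checking so the secret key does not inherit a more permissive mode from a directory created for other purposes.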
@@ -12,7 +12,7 @@ deps =
 django4.0: Django==4.0.4
 cryptography35.0: cryptography==35.0.0
 cryptography36.0: cryptography==36.0.2
- cryptography37.0: cryptography==37.0.1
+ cryptography37.0: cryptography==37.0.2
 acme1.23: acme==1.23.0
 acme1.24: acme==1.24.0
 acme1.25: acme==1.25.0