1.24.0 (2023-05-01)

Warnings

• Django app or source users: Changes in cryptography 38 make it incompatible with common versions of certbot. See Warning: cryptography version 38.
• docker or source users that do not use PostgreSQL: The USE_TZ setting was switched to True in the Django project. See Switch to USE_TZ=True by default for update information.

General changes

• Add support for cryptography 40.0, django 4.2 and acme 2.4.0 and 2.5.0.
• Use Django's timezone support by default by enabling USE_TZ=True. See Switch to USE_TZ=True by default for update information.
• Make the default order of subjects configurable via CA_DEFAULT_NAME_ORDER.
• Certificates for OCSP responders now include the OCSPNoCheck extension by default.
• Certificates for OCSP responders now use a commonName designating the certificate as OCSP responder as subject, other fields from the CAs subject are discarded.
• A profile can now ignore CA_DEFAULT_SUBJECT by setting subject to False.
• Copy all extensions when using manage.py resign_cert.
• Add support for multiple OCSP responder and CA Issuer entries when creating a certificate authority.
• Add typehints when installing as wheel.

Command-line interface

Continuing the standardization effort started in 1.23.0, some options have been replaced and/or use a
different syntax. See the update notes for more detailed instructions.

• The --pathlen and --no-pathlen parameters for manage.py init_ca were renamed to --path-length and --no-path-length.
• The --key-usage option was changed to/split into --key-usage and --key-usage-non-critical. --key-usage takes multiple option values instead of a single coma-separated list.
• The --ext-key-usage option was changed to/split into --extended-key-usage and --extended-key-usage-critical. --extended-key-usage takes multiple option values instead of a single coma-separated list.
• The --tls-feature option was changed to/split into --tls-feature and --tls-feature-critical. --tls-feature takes multiple option values instead of a single coma-separated list.
• Add support for specifying a custom Key Usage extension when using manage.py init_ca.
• Add support for adding the Inhibit anyPolicy, Policy Constraints and TLS feature extensions when using manage.py init_ca.
• Add support for adding the OCSP No Check extension in when issuing certificates with manage.py sign_cert or manage.py resign_cert.
• Add support for specifying a date when the certificate was compromised when revoking a certificate with manage.py revoke_cert.

Backwards incompatible changes

• The --ext-key-usage flag to manage.py sign_cert was replaced with --extended-key-usage.
• The critical flag for the Key Usage, Extended Key Usage and TLS Feature is now set with dedicated options, with the recommended value being the default. See above and the update notes for details.
• The pre_issue_cert was removed. Use the pre_sign_cert signal instead.

Deprecation notices

Removed in django-ca==1.25.0:

• This is the last release to support acme 2.3.0 and cryptography 38 (cryptography 37 is still supported, see Warning: cryptography version 38).
• Support for the CA_DIGEST_ALGORITHM setting, use CA_DEFAULT_SIGNATURE_HASH_ALGORITHM instead.
• Support for the CA_DEFAULT_ECC_CURVE setting, use CA_DEFAULT_ELLIPTIC_CURVE instead.
• Support for non-standard algorithm names (e.g. sha512, use SHA-512 instead).
• Support for non-standard elliptic key curve names (e.g. SECP384R1, use secp384r1 instead).

Removed in django-ca==1.26.0:

• Support for cryptography==39 and acme==2.4.0 (other versions may removed depending on release time).
• Support for using ECC and EdDSA as key type. Use EC and Ed25519 instead.
• The --pathlen and --no-pathlen parameters to manage.py init_ca will be removed. Use --path-length and --no-path-length instead.
• Support for coma-separated lists in --key-usage, --extended-key-usage and --tls-feature. Use lists instead (e.g. --key-usage keyAgreement keyEncipherment instead of --key usagekeyAgreement,keyEncipherment.
• Support for non-standard TLS feature names "OCSPMustStaple" and "MultipleCertStatusRequest". Use status_request and status_request_v2 instead.