Skip to content

1.27.0 (2023-11-26)

Compare
Choose a tag to compare
@mathiasertl mathiasertl released this 26 Nov 12:11
· 401 commits to main since this release
1.27.0
9ec84da

NOTE: django-ca 1.27.0 introduced a major change in how subjects are parsed on the command-line. Please see
RFC 4514 subjects for migration information.

  • Add support for Python 3.12 and acme 2.7.0.
  • Update the Docker image to use Alpine Linux 3.18 with Python 3.12.
  • Add support for passing subjects in RFC 4514 format when creating certificate authorities and certificates via the --subject-format=rfc4514 option. This format will become the default in django-ca 2.0.
  • Support for subjects in OpenSSL-style format when creating certificate authorities and certificates is deprecated and will issue a warning. Support for this format will be removed in django-ca 2.2.
  • CA_DEFAULT_SUBJECT, subjects in profiles and CA_DEFAULT_NAME_ORDER now also support a dotted string to include arbitrary object identifiers.
  • CA_DEFAULT_NAME_ORDER can now be configured in YAML files.
  • Do not implicitly sort the subject of new certificate authorities according to CA_DEFAULT_NAME_ORDER. The user is expected to supply the correct order.
  • When signing certificates via the command line, implicitly sort the subject only when the profile defines a subject and/or the CommonName is not given and added via the SubjectAlternativeName extension. If neither is the case, the user is expected to supply the correct order.

Backwards incompatible changes

  • Removed support for the old --issuer-url, --issuer-alt-name, --crl-url and --ocsp-url options for manage.py init_ca, manage.py edit_ca and manage.py import_ca in favor of --sign-ca-issuer, --sign-issuer-alternative-name, --sign-crl-full-name and --sign-ocsp-responder.
  • Support for non-standard algorithm names in profile settings was removed.
  • Drop support for Django==4.1, cryptography==40.x, acme==1.25.0 and celery==5.2.x.

Deprecation notices

  • The default subject format will switch from OpenSSL-style to RFC 4514 in django-ca 2.0.
  • Support for OpenSSL-style subjects will be removed in django-ca 2.2.
  • This is the last release to support Django 3.2.
  • This is the last release to support acme 2.6.0.
  • This is the last release to support Alpine 3.16.

REST API changes

NOTE: The REST API is still experimental and endpoints will change without notice.

  • Certificate issuance is now asynchronous, similar to how certificates are issued via ACME. This enables using CAs where the private key is not directly available to the web server.
  • The REST API must now be enabled explicitly for each certificate authority. This can be done via the admin interface or the --enable-api flag for manage.py init_ca, manage.py edit_ca and manage.py import_ca.