
Releases: mathiasertl/django-ca

1.19.1 (2021-12-19)

19 Dec 19:15
1.19.1
9234639
  • Fix "missing" migration when using django-ca as a standalone app (fixes #79).
  • Add support for cryptography 36.0 and Django 4.0.

1.19.0 (2021-10-09)

09 Oct 20:57
1.19.0
9566875

WARNING: docker-compose users: See the update notes or you might lose private keys!

  • Implement DNS-01 validation for ACMEv2. Note that ACMEv2 support is still experimental and disabled by default.
  • Support rendering distinguished names with any NameOID known to cryptography.
  • Support creating certificates with a subject containing a dnQualifier, PC, DC, title, uid and serialNumber.
  • Only fetch the expected number of bytes when validating ACME challenges via HTTP, to prevent DoS attacks.
  • Ensure that a certificate's issuer always matches the subject of the CA that signed it.
  • Fix manage.py regenerate_ocsp_key with celery enabled.
  • Fix parsing of ASN.1 OtherNames from the command line. Previously, UTF8 strings were not DER encoded.
  • Fix ACMEv2 paths in NGINX configuration included in Docker images.
  • Include a healthcheck script for uWSGI in the Docker image. Because the image is also shared for the Celery worker, it is not enabled by default, but the docker-compose configuration enables it.
  • Add support for creating certificates with Boolean, Null, Integer, UniversalString, IA5String, GeneralizedTime and UTCTime values in the format described in ASN1_GENERATE_NCONF(3SSL).
  • Preliminary support for OpenSSH CAs via EdDSA keys.
  • The Docker image is now based on python:3.10-alpine3.14.
  • Add support for Python 3.10.
  • Add support for cryptography 35.0.0.
  • Add support for idna 3.0, 3.1 and 3.2.
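The bounded-read check behind the ACME HTTP-01 item above, written here as an added Python example (not django-ca's own code): it builds the RFC 8555 key authorization from a constructed account JWK and token, then reads only one byte more than that string from the challenge response, so a huge body is never buffered.

```python
import base64
import hashlib
import hmac
import io
import json


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: base64url(SHA-256(canonical JSON of the required public members))."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the client must serve token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(body, token: str, jwk: dict) -> bool:
    """Compare the served body against the expected key authorization.

    Reads at most len(expected) + 1 bytes from the response stream, so a hostile
    or misconfigured host cannot make the validator buffer an unbounded body.
    The one extra byte is enough to notice trailing garbage; RFC 8555 section 8.3
    lets the server ignore trailing whitespace, so that is tolerated.
    """
    expected = key_authorization(token, jwk).encode("ascii")
    data = body.read(len(expected) + 1)
    head, tail = data[:len(expected)], data[len(expected):]
    # Constant-time compare; a short read yields a shorter head and fails.
    return hmac.compare_digest(head, expected) and tail.strip() == b""


# Constructed sample values: this is not a real RSA key or a real ACME token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz"}
SAMPLE_TOKEN = "cXVpY2stY29uc3RydWN0ZWQtdG9rZW4"

if __name__ == "__main__":
    served = io.BytesIO(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK).encode("ascii"))
    print("valid:", validate_http01(served, SAMPLE_TOKEN, SAMPLE_JWK))
```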
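For the OtherName fix above: cryptography's x509.OtherName takes its value as DER-encoded bytes, so a UTF8String must carry tag 0x0C and a length, not just the raw UTF-8 bytes. This added example (not django-ca's code) encodes such a value, including the long-form length for payloads of 128 bytes or more, and a strict decoder that rejects both the bare-bytes form and non-minimal lengths.

```python
def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_utf8string(value: str) -> bytes:
    """DER UTF8String: tag 0x0C, length octets, UTF-8 payload."""
    payload = value.encode("utf-8")
    return b"\x0c" + der_length(len(payload)) + payload


def decode_utf8string(der: bytes) -> str:
    """Strict DER decoder: raises ValueError on anything that is not a minimal UTF8String."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("not a DER UTF8String (expected tag 0x0C)")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed length octets")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
        # DER requires the shortest possible length encoding.
        if length < 0x80 or (n > 1 and der[2] == 0):
            raise ValueError("non-minimal length encoding is not DER")
    if offset + length != len(der):
        raise ValueError("length octets do not match content size")
    return der[offset:offset + length].decode("utf-8")


def is_valid_utf8string(der: bytes) -> bool:
    """True only for a well-formed DER UTF8String (UnicodeDecodeError is a ValueError)."""
    try:
        decode_utf8string(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the DER form is what OtherName needs; the bare form is the old bug.
    print(encode_utf8string("example.com").hex())
    print(is_valid_utf8string("example.com".encode("utf-8")))
```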

Backwards incompatible changes

  • Drop support for cryptography 3.0, 3.1 and 3.2.
  • Remove support for configuring absolute paths for manually configured django_ca.views.OCSPView. This functionality was officially supposed to be removed in django-ca 1.14.0.

Minor non-functional changes

  • The whole source code is now type hinted.
  • Consistently use f-strings for faster string formatting.
  • Documentation is now always generated in nitpicky mode and with warnings turned into errors.
  • Remove the now redundant html-check target for documentation generation.

Deprecation notices

  • This is the last release to support Python 3.6.
  • This is the last release to support Django 3.1.
  • This is the last release to support idna<=3.1.
  • The issuer_name field in a profile is deprecated and no longer has any effect. The parameter will be removed in django-ca 1.22.

1.18.0 (2021-05-15)

15 May 12:44
1.18.0
209d9fd
  • Add support for Django 3.2.
  • Prevent auto-completion of the CA password field in the admin interface.
  • Improve CSR validation when using the admin interface.
  • Check permissions when resigning certificates.
  • Require the change certificate permission when revoking certificates.
  • Preselect profile of original certificate when resigning certificates.
  • Make sure that operators for OrderedSetExtension always return an instance of the implementing class, not of the base class.
  • Certificate bundles now always end with a newline, as normal bundles do.
  • Add setuptools extras for mysql and postgres.
  • Add MySQL support for the Docker image.

Backwards incompatible changes

  • Don't load configuration from localsettings.py (deprecated since 1.15.0).
  • The x509 property and dump_certificate() were removed from CertificateAuthority and Certificate:
    • To access a string-encoded PEM use obj.pub.pem (was: obj.x509).
    • To update an instance with a certificate use update_certificate (was: obj.x509 = ...).
    • Use obj.pub.pem or obj.pub.der to get an encoded certificate (was: obj.dump_certificate()).
  • Drop support for Django 3.0.
  • Drop support for cryptography 2.8 and 2.9.
  • Drop support for Celery 4.3 and 4.4.
  • Drop support for idna 2.9.

Python API

  • Store certificates and CSRs as bytes to improve access speed.

Linting and continuous integration

  • Use GitHub Actions instead of Travis.
  • Use pyproject.toml for all tools that support it.
  • Code is now formatted with black.
  • Code is now linted using pylint.
  • Code is now fully type-hinted and type safe according to mypy. This requires the upcoming release of cryptography (current: 3.4).
  • Documentation is now cleaned with doc8.
  • Documentation is now spell-checked using sphinxcontrib.spelling.

Deprecation notices

1.17.3 (2021-03-14)

15 May 12:45
1.17.3
045be63
  • Use Alpine 3.13 and Python 3.9 in the Docker image.
  • Include templates in installations via pip (fixes #72).

1.17.2 (2021-02-19)

20 Feb 22:36
1.17.2
f795eb0
  • Update for compatibility with cryptography 3.4.
  • Add support for Alpine 3.13.
  • Due to cryptography requiring a relatively new version of Rust, support for Alpine<3.12 is dropped.

1.17.1 (2021-01-12)

20 Feb 22:36
1.17.1
354ca4f
  • Bugfix release for 1.17.0 to address packaging issues for wheels (when installed with pip install).
  • Include acme submodule (fixes #67).
  • Relax dependencies for josepy (fixes #68).
  • Add tests in Dockerfile to make sure that these issues cannot happen again.

1.17.0 (2020-12-30)

30 Dec 21:08
1.17.0
999b249
  • New CA_DEFAULT_CA setting to consistently configure the CA used by default.
  • Fix the --issuer-alt-name option for the init_ca/edit_ca management commands.
  • Correctly handle IDNA domain names in URLs and certificates.
  • Preliminary ACMEv2 support (disabled by default).
  • CAs have new fields caa_identity, website and terms_of_service, which are used by ACME.
  • Add support for Python 3.9.
  • Add support for cryptography 3.1, 3.2 and 3.3.
  • Start linting code with pylint.
  • Secure CSRF and session cookies using Django's SESSION_COOKIE_SECURE, CSRF_COOKIE_HTTPONLY and CSRF_COOKIE_SECURE settings.

Docker (Compose)

  • Add thorough Quickstart with docker-compose.
  • Collect static files on startup instead of during build. The latter causes problems with image updates.
  • Make manage.py available as the manage shortcut.
  • Add several security related headers to the admin interface (CSP, etc).
  • Include a template for a complete TLS configuration.

Backwards incompatible changes

  • Drop support for Python 3.5.
  • Drop support for cryptography 2.7.
  • Drop support for Celery 4.2.
  • Drop support for idna 2.8.

Deprecation notices

  • This is the last release to support Celery 4.3 and 4.4.
  • This is the last release to support cryptography 2.8 and 2.9.
  • This is the last release to support Django 3.0 (2.2 LTS will still be supported).
  • This is the last release to support idna 2.9.
  • This is the last release to support Alpine 3.10.

1.16.1 (2020-09-06)

06 Sep 08:36
1.16.1
b1c89d0
  • This is a bugfix release for 1.16.0 that mostly addresses CRL validation issues.
  • Add support for cryptography 3.1.
  • Fix OCSP, Issuer and CRL URLs for intermediate CAs that are not a direct child of a root CA.
  • Fix AuthorityKeyIdentifier in CRLs for intermediate CAs (see #65).
  • Properly handle CommonNames which are not parseable as SubjectAlternativeName in admin interface (see #62).
  • Minor documentation updates (see #63).
  • Fix error in manage.py notify_expiring_certs in non-timezone aware setups.
  • Override terminal size when running test cases, otherwise the output of argparse depends on the terminal size, leading to test failures on large terminals.

1.16.0 (2020-08-15)

15 Aug 16:56
1.16.0
b88da4a
  • Add support for cryptography 2.9 and 3.0.
  • Add support for Django 3.1.
  • The docker image is now based on Alpine Linux 3.12.
  • Update redis to version 6 and nginx version 18 when using docker-compose.
  • Update Sphinx now that numpydoc#215 is finally fixed.
  • The profile used to generate the certificate is now stored in the database.
  • It is no longer optional to select a profile in the admin interface when creating a certificate.
  • Certificates have a new autogenerated boolean flag, which is True for automatically generated OCSP certificates.
  • The admin interface will list only valid and non-autogenerated certificates by default.

Backwards incompatible changes

  • Drop support for Django 1.11 and 2.1.
  • Drop support for Celery 4.0 and 4.1.
  • Drop support for OpenSSL 1.1.0f and earlier. This affects Debian oldoldstable (jessie), Ubuntu 16.04 and Alpine 3.8.
  • Certificate.objects.init() and profiles.get_cert_profile_kwargs() were removed. Use Certificate.objects.create_cert() instead.

Deprecation notices

  • This is the last release to support Python 3.5.
  • This is the last release to support cryptography 2.7.
  • This is the last release to support Celery 4.2.
  • This is the last release to support idna 2.8.
  • The Django project included in this git repository will stop loading localsettings.py files in django-ca>=1.18.0.
  • The format for the CA_PROFILES setting has changed in 1.14.0. Support for the old format will be removed in django-ca==1.17.0. Please see the migration instructions for what to change.

1.15.0 (2020-01-11)

11 Jan 18:08
1.15.0
  • Add support for Django 3.0.
  • The docker image is now based on Alpine Linux 3.11.
  • The default project now supports configuring django-ca using YAML configuration files. Configuration using localsettings.py is now deprecated and will be removed in django-ca>=1.18.0.
  • Start supporting Celery tasks to allow running tasks in a distributed, asynchronous task queue. Some tasks will automatically be run with Celery if it is enabled. Celery is used automatically if installed, but can always be disabled by setting CA_USE_CELERY=False.
  • Drop dependency six (since we no longer support Python 2.7).
  • Allow caching of CRLs via manage.py cache_crls.
  • The manage.py init_ca command will now automatically cache CRLs and generate OCSP keys for the new CA.
  • Support POSTGRES_* and MYSQL_* environment variables to configure database access credentials in the same way as the Docker images for PostgreSQL and MySQL do.
  • There now are setuptools extras for redis and celery, so you can install all required dependencies at once.
  • Add CA_PASSWORDS setting to allow you to set the passwords for CAs with encrypted private keys. This is required for automated tasks where the private key is required.
  • Add CA_CRL_PROFILES setting to configure automatically generated CRLs. Note that this setting will likely be moved to a more general setting for automatic tasks in future releases.
  • django_ca.extensions.AuthorityKeyIdentifier now also supports issuers and serials.
  • django_ca.utils.parse_general_name() now returns a cryptography.x509.GeneralName unchanged, but throws an error if the name isn't a str otherwise.
  • New class django_ca.utils.GeneralNameList for extensions that store a list of general names.
  • Add support for the django_ca.extensions.FreshestCRL extension.
  • Store CA private keys in the ca/ subdirectory by default, the directory can be configured using manage.py init_ca --path=....

Backwards incompatible changes

  • Drop support for Python 2.7.
  • Drop support for cryptography 2.5 and 2.6.
  • Drop support for Alpine 3.8 (because PostgreSQL and MySQL depend on libressl).
  • Removed the manage.py migrate_ca command. If you upgrade from before 1.12.0, upgrade to 1.14.0 first and update file storage.
  • Removed the ca_crl setting in django_ca.views.CertificateRevocationListView, use scope instead.

Docker

  • Add a docker-compose.yml file to quickly launch a complete service stack.
  • Add support for Celery, MySQL, PostgreSQL and Redis.
  • Change the working directory to /usr/src/django-ca/ca, so manage.py can now be invoked using python manage.py instead of python ca/manage.py.
  • Add a Celery startup script (./celery.sh).
  • Add a nginx configuration template at nginx/default.template.
  • Static files are now included in a "collected" form, so they don't have to be collected on startup.
  • Generate OCSP keys and cache CRLs on startup.
  • Use BuildKit to massively speed up the Docker image build.

Bugfixes

  • Fix generation of CRLs and OCSP keys for CAs with a DSA private key.
  • Fix storing an empty list of CRL URLs in some corner cases (when the function receives an empty list).
  • Fix naming CAs via serial on the command line if the serial starts with a zero.
  • Consistently style serials in a monospace font in admin interface.
  • The ocsp profile used for OCSP keys no longer copies the CommonName (which is the same as in the CA) to the SubjectAlternativeName extension. The CommonName is frequently a human-readable name in CAs.

Deprecation notices

  • This is the last release to support Django 1.11 and 2.1.
  • The Django project included in this git repository will stop loading localsettings.py files in django-ca>=1.18.0.
  • Certificate.objects.init() and django_ca.profiles.get_cert_profile_kwargs were deprecated in 1.14.0 and will be removed in django-ca==1.16.0. Use Certificate.objects.create_cert() instead.
  • The format for the CA_PROFILES setting has changed in 1.14.0. Support for the old format will be removed in django-ca==1.17.0. Please see the migration instructions for what to change.