1.14.0 (2019-11-03)

• regenerate_ocsp_keys now has a quiet mode and only generates keys where the CA private key is available.
• Minor changes to make the release compatible with Django 3.0a1.
• Introduce a new, more flexible format for the The format of the CA_PROFILES setting. The new Profiles page provides more information and migration instructions
• New dependency: six, since Django 3.0 no longer includes it.
• New dependency: asn1crypto, since cryptography no longer depends on it.
• Serials are now zero-padded when output so that the last element always consists of two characters.
• More consistently output serials with colons, use a monospace font in the admin interface.
• Fix profile selection in the admin interface.
• Fix display of values from CSR in the admin interface.
• Add a copy-button next to values from the CSR to enable easy copy/paste from the CSR.
• Test suite now includes Selenium tests for all JavaScript functionality.
• dev.py coverage can now output a text summary using --format=text.

Backwards incompatible changes

• Drop support for cryptography 2.3 and 2.4.
• Drop support for idna 2.7.
• Extensions now always expect a dict or a cryptography extension as a value. Anything else was unused in practice.
• KeyUsage, ExtendedKeyUsage and TLSFeature now behave like an ordered set and support all operators that a set does.
• Running an OCSP responder using oscrypto/ocspbuilder is no longer supported.

Extensions

• KeyUsage is now marked as critical by default.
• ExtendedKeyUsage now supports the anyExtendedKeyUsage OID.

Deprecation notices

• This is the last release to support Python 2.7.
• This is the last release to support cryptography 2.5 and 2.6.
• This is the last release to be tested with Alpine 3.7.
• This is the last release to support updating CA private keys to the Filestorage API. python manage.py migrate_ca will be removed in the next release.
• This will be the last release to support the ca_crl setting in CertificateRevocationListView.
• Certificate.objects.init() has been deprecated in favor of Certificate.objects.create_cert(). The old method will be removed in django-ca==1.16.
• get_cert_profile_kwargs() was only used by init() and will thus also be removed in django-ca==1.16.
• The old format for CA_PROFILES will be supported until django-ca==1.16. Please see Update from django-ca<=1.13 for migration instructions.

1.13.0 (2019-07-14)

• Add support for cryptography 2.7.
• Moved setup.py recreate_fixtures to recreate-fixtures.py.
• Moved all other extra setup.py commands to dev.py to remove clutter.
• Move fab init_demo to dev.py init-demo.
• Use OpenSSL instead of LibreSSL in Dockerfile to enable testing for Alpine 3.7. The cryptography documentation also suggests OpenSSL.
• The Fabric file has been removed.
• Remove the CA_PROVIDE_GENERIC_CRL setting, the default URL configuration now includes it.
• The docker image is now based on Alpine Linux 3.10.
• BACKWARDS INCOMPATIBLE: Drop support for cryptography 2.2.
• BACKWARDS INCOMPATIBLE: Drop support for idna 2.6.

Deprecation Notices

• This is the last release to support cryptography 2.3 and 2.4.
• This is the last release to support idna 2.7.
• This is the last release to support OCSP using oscrypto/ocspbuilder.
• CertificateRevocationListView.ca_cr is deprecated in favor of the scope parameter. If you have set ca_crl=True just set scope="ca" instead.
• A new more extendable format for the CA_PROFILES setting will be introduced in 1.14.0. As a result, extensions will no longer support instantiation from lists or strings, so avoid usage whereever you can.

Extensions

• Implement the CRLDistributionPoints extension and CertificatePolicies extension.
• Add the ipsecEndSystem, ipsecTunnel and ipsecUser extended key usage types. These are actually very rare and only occur in the "TrustID Server A52" CA.
• Extensions now consistently serialize to dictionaries.

Command-line interface

• The view_ca command will now display the full path to the private key, if possible.
• The migrate_ca command now has a --dry parameter and has a updated help texts.
• The new regenerate_ocsp_keys command allows you to automatically generate OCSP keys that are used by the new default OCSP views.

Python API

• Add the root property to CAs and certificates returning the root Certificate Authority.
• sign_cert() now also accepts a CertificateSigningRequest as csr value.
• Add the issuer_url, crl_url, ocsp_url and issuer_alternative_name parameter to sign_cert() to allow overriding or disabling the default values from the CA. This can also be used to pass extensions that do not just contain the URL using the extra_extensions parameter.
• Add the get_crl() function to get a CRL for the CA.
• Add the generate_ocsp_key() function to generate OCSP keys
  that are automatically picked up by the generic OCSP views.
• Both CertificateAuthority and Certificate now have a root property pointing to the Root CA.

OCSP

• The CA_DEFAULT_HOSTNAME setting is now used to set generic OCSP urls by default.
• The dump_ocsp_index management command now excludes certificates expired for more then a day or are not yet valid.

CRLs

• Issued CRLs now confirm to RFC 5280:

  • Add the CRL Number extension.
  • Add the Authority Key Identifier extension.

• Add the Issuing Distribution Point extension. This extension requires that you use cryptography>=2.5.

• Add support for setting an Invalidity Date (see RFC 5280, 5.3.2) for CRLs, indicating when the certificate was compromised.

• CRL entries will no longer include a Reason Code if the reason is unspecified (recommended in RFC 5280).

• Expose an API for creating CRLs via CertificateAuthority.get_crl().

1.12.0 (2019-04-02)

• Fix traceback when a certificate that does not exist is viewed in the admin interface.
• Add support cryptography 2.5 and 2.6.
• Start using Django storage backends for files used by django-ca. This allows you to store files on a shared storage system (e.g. one from django-storages to support a redundant setup.
• Add support for PrecertPoison and OCSPNoCheck extensions.
• Implement the PrecertificateSignedCertificateTimestamps extension, currently can only be used for reading existing certificates.
• Optimize PrecertificateSignedCertificateTimestamps in Django admin view.
• Make sure that all extensions are always hashable.
• Switch Docker image to Alpine Linux 3.9.
• BACKWARDS INCOMPATIBLE: Drop support for Python 3.4.
• BACKWARDS INCOMPATIBLE: Drop support for Django 2.0.
• BACKWARDS INCOMPATIBLE: Drop support for cryptography 2.1.
• DEPRECATION NOTICE: This is the last release to support cryptography 2.2.
• DEPRECATION NOTICE: This is the last release to support idna 2.6.

Django File storage API

django-ca now uses the File storage API to store CA private keys as well as files configured for OCSP views. This allows you to use different storage backends (e.g. from django-storages to store files on a filesystem shared between different servers, e.g. to provide a redundant setup.

NOTE: The switch does require some manual intervention when upgrading. The old way of storing files is still supported and will continue to work until version 1.14. Please see the upgrade notes for information on how to upgrade.

• Use file storage API for reading/writing private keys of CAs.
• Use file storage API for reading the responder key and certificate for OCSP.
• New settings CA_FILE_STORAGE and CA_FILE_STORAGE_KWARGS to configure file storage.

OCSP

• Reimplement OCSP using cryptography, used only if cryptography>=2.4 is installed.
• django_ca.views.OCSPBaseView.responder_key may now also be a relative path to be used with the Django storage system.
• django_ca.views.OCSPBaseView.responder_cert may now also be a relative path to be used with the Django storage system.
• django_ca.views.OCSPBaseView.responder_cert may now also be a pre-loaded certificate. If you still use cryptography<2.4 use a oscrypto.asymmetric.Certificate, for newer versions you must use a cryptography.x509.Certificate.
• Fix log output string interpolation issue in OCSP responder.

1.11.0 (2018-12-29)

• Remove colons from CA private keys (fixes #29).
• Filenames for downloading certificates are based on the CommonName (fixes #53).
• Fix certificate bundle order (fixes #55).
• Management commands dump_ca and dump_cert can now dump whole certificate bundles.
• New setting CA_DEFAULT_KEY_SIZE to configure the default key size for new CAs.
• Fix display of the NameConstraints extension in the admin interface.
• Further optimize the Docker image size (~235MB -> ~140MB).

Deprecation Notices

This release will be the last release to support some software versions:

• This will be the last release that supports for Python 3.4 (see Status of Python branches).
• This will be the last release that supports for Django 2.0 (see Supported Versions).
• This will be the last release that supports cryptography 2.1.

Python API

• BACKWARDS INCOMPATIBLE: Renamed the subjectAltName parameter of Certificate.objects.init() to subject_alternative_name to be consistent with other extensions.
• Document how to use the name_constraints parameter in CertificateAuthority.objects.init().
• Extensions can now always be passed as django_ca.extensions.Extension subclass or as any value accepted by the constructor of the specific class.
• Add ability to add any custom additional extension using the extra_extensions parameter.
• django_ca.subject.Subject now implements every dict method.
• The pre_issue_cert signal will now receive normalized values.
• The pre_issue_cert signal is only invoked after all parameters are verified.
• Implement the AuthorityInformationAccess, BasicConstraints, IssuerAlternativeName, SubjectAlternativeName and NameConstraints extensions.

Testing

• Add cryptography 2.4.2 to the test-suite.
• Add the docker_test setup.py command to test the image using various alpine-based images.
• Test for certificates that are not yet valid.
• The child CA used for testing now contains more extensions.
• Freeze time in some test cases to avoid test failures when certificates eventually expire.
• Test some documentation pages, to make sure they are actually correct.

1.10.0

• New dependency: django-object-actions.
• Add ability to resign existing certificates.
• Management command list_cas now optionally supports a tree view.
• Use more consistent naming for extensions throughout the code and documentation.
• Renamed the --tls-features option of the sign_cert command to --tls-feature, in line with the actual name of the extension.
• Allow the TLSFeature extension in profiles.
• Add link in the admin interface to easily download certificate bundles.
• Support ECC private keys for new Certificate Authorities.
• Store CA private keys in the more secure PKCS8 format.
• The Certificate change view now has a second "Revoke" button as object action next to the "History" button.

Python API

• Add the Python API as a fully supported interface to django-ca.
• New module django_ca.extensions to allow easy and consistent handling of X509 extensions.
• Fully document various member attributes of CertificateAuthority and Certificate, as well Subject and as all new Python code.
• The parameters for functions in CertificateManager and CertificateAuthorityManager were cleaned up for consistent naming and so that a user no longer needs to use classes from the cryptography libary. Parameters are now optional if default settings exist.
• Variable names have been renamed to be more consistent to make the code more readable.

Testing

• Also test with Python 3.7.0.
• Add configuration for tox.
• Speed up test-suite by using force_login() and PASSWORD_HASHERS.
• Load keys and certs in for every testcase instead for every class, improving testcase isolation.
• Add two certificates that include all and no extensions at all respectively to be able to test edge cases more consistently and thoroughly.
• Add function cmd_e2e to call manage.py scripts in a way that arguments are passed by argparse as if they where called from the command-line. This allows more complete testing including parsing commandline arguments.
• Error on any warnings coming from django-ca when running the test-suite.

1.9.0

• Allow the creation of Certificates with multiple OUs in their subject (command-line only).
• Fix issues with handling CAs with a password on the command-line.
• Fix handling of certificates with no CommonName and/or no x509 extensions.
• Add support for displaying Signed Certificate Timestamps (SCT) Lists, as described in RFC 6962, section 3.3.
• Add limited support for displaying Certificate Policies, as described in RFC 5280, section 4.2.14 and RFC 3647.
• Correctly display extensions with an OID unknown to django-ca or even cryptography.
• Properly escape x509 extensions to prevent any injection attacks.
• Django 2.1 is now fully supported.
• Fix example command to generate a CSR (had a stray '/').
• Run test-suite with template debugging enabled to catch silently skipped template errors.

Docker

• Base the Docker image on python:3-alpine (instead of python:3), yielding a much smaller image (~965MB -> ~235MB).
• Run complete test-suite in a separate build stage when building the image.
• Provide uwsgi.ini for fast deployments with the uwsgi protocol.
• Add support for passing additional parameters to uWSGI using the DJANGO_CA_UWSGI_PARAMS environment variable.
• Create user/group with a predefined uid/gid of 9000 to allow better sharing of containers.
• Add /usr/share/django-ca/ as named volume, allowing a setup where an external webserver serves static files.
• Add documentation on how to run the container in combination with an external webserver.
• Add documentation on how to run the container as a different uid/gid.

1.8.0

NOTE: This version was actually released on 2018-07-08, but the GitHub release was omitted.

• Add Django signals to important events to let users add custom actions (such as email notifications etc.) to those events (fixes #39).
• Provide a Docker container for fast deployment of django-ca.
• Add the CA_CUSTOM_APPS setting to let users that use django-ca as a standalone project add custom apps, e.g. to register signals.
• Make the otherName extension actually usable and tested (see #47)
• Add the smartcardLogon and msKDC extended key usage types. They are needed for some AD and OpenLDAP improvements (see #46)
• Improve compatibility with newer idna versions (".com" now also throws an error).
• Drop support for Django 1.8 and Django 1.10.
• Improve support for yet-to-be-released Django 2.1.
• Fix admin view of certificates with no subjectAltName.

1.7.0 (2017-12-14)

• Django 2.0 is now fully supported. This release still supports Django 1.8, 1.10 and 1.11.
• Add support for the tlsFeature extension.
• Do sanity checks on the "pathlen" attribute when creating Certificate Authorities.
• Add sanity checks when creating CAs:
  • When creating an intermediate CA, check the pathlen attribute of the parent CA to make sure that the resulting CA is not invalid.
  • Refuse to add a CRL or OCSP service to root CAs. These attributes are not meaningful there.
• Massively update documentation for the command-line interface.
• CAs can now be identified using name or serial (previously: only by serial) in CA_OCSP_URL.
• Make fab init_demo a lot more useful by signing certificates with the client CA and include CRL
  and OCSP links.
• Run fab init_demo and documentation generation through Travis-CI.
• Always display all extensions in the django admin interface.
• NameConstraints are now delimited using a , instead of a ;, for consistency with other
  parameters and so no bash special character is used.

Bugfixes

• Check for permissions when downloading certificates from the admin interface. Previously, users without admin interface access but without permissions to access certificates, where able to guess the URL and download public keys.
• Add a missing migration.
• Fix the value of the crlDistributionPoints x509 extension when signing certificates with Python2.
• The Content-Type header of CRL responses now defaults to the correct value regardless of type (DER or PEM) used.
• If a wrong CA is specified in CA_OCSP_URLS, an OCSP internal error is returned instead of an uncought exception.
• Fix some edge cases for serial conversion in Python2. Some serials where converted with an "L" prefix in Python 2, because hex(0L) returns "0x0L".

1.6.3

• Fix various operations when USE_TZ is True.
• CA keys are no longer stored with colons in their filename, fixing init_ca under Windows.
• Email addresses are now independently validated by validate_email. cryptography 2.1 no longer
  validates email addresses itself.
• Require cryptography>=2.1. Older versions should not be broken, but the output changes
  breaking doctests, meaning they're no longer tested either.

version 1.6.2

• No longer require a strict cryptography version but only >=1.8. The previously pinned version is incompatible with Python 3.5.
• Update requirements files to newest versions.
• Update imports to django.urls.reverse so they are compatible with Django 2.0 and 1.8.
• Make sure that manage.py check exit status is not ignored for setup.py code_quality.
• Conform to new sorting restrictions for isort.