
Releases: mathiasertl/django-ca

1.21.0 (2022-05-29)

29 May 14:54
1.21.0
df11fdd

WARNING docker-compose users

  • Update from 1.18 or earlier? See the update notes or you might lose private keys!
  • Update from 1.20 or earlier? See the update notes to switch to named volumes.

Updates

  • Add support for cryptography 37.0 and Alpine Linux 3.16.
  • Fix issuing certificates with multiple SubjectAlternativeNames (fixes #86).
  • Fix overriding the default certificate expiry in profiles (fixes #87).
  • Dependencies for ACMEv2 are now non-optional and the acme extra is now empty (and will be removed in django-ca==1.23.0).
  • Implement certificate revocation via ACMEv2.
  • The CA_DEFAULT_SUBJECT setting should now be a tuple, not a dict. Support for using a dict will be removed in django-ca==1.23.0.
  • Add deployment checks (and document them in the quickstart guides) for configurations that don't use a shared cache subsystem (see also: #85).
  • Fix generation of the SECRET_KEY setting when using docker and docker-compose.
  • Document supported environment variables and improve general settings configuration in Settings.
  • Switch to named volumes in the docker-compose setup. Please see Update from 1.20.0 or earlier for update instructions.
  • Stop testing individual versions of idna. django-ca uses a minimal subset of basic functions that are unlikely to break.

Backwards incompatible changes

  • Drop support for Django 2.2.
  • Drop support for cryptography 3.3 and 3.4.
  • Drop support for Alpine 3.12 and 3.13.

Deprecation notices

  • The acme extra will be removed in django-ca==1.23.0.
  • Support for using a dict for the CA_DEFAULT_SUBJECT setting will be removed in django-ca==1.23.0.
  • This is the last release to support cryptography 35.0.
  • This is the last release to support Celery 5.0 (5.1+ is of course still supported).
  • This is the last release to support acme 1.23, 1.24, 1.25 and 1.26.

1.20.0 (2022-01-26)

26 Jan 20:16
1.20.0
07cbe9b

WARNING docker-compose users: Update from 1.18 or earlier? See the update notes or you might lose private keys!

  • Parsing and formatting of names now correctly escapes or quotes special characters.
  • django_ca.utils.shlex_split() was renamed to django_ca.utils.split_str. The old name will be removed in django_ca==1.22.
  • Require a CommonName when generating a CA instead of implicitly setting the human-readable name if no CommonName was given.
  • Add support for cryptography 36.0.0.
  • Add support for Alpine 3.15.
  • Make log level and message format more easily configurable with LOG_LEVEL, LIBRARY_LOG_LEVEL and LOG_FORMAT.
  • Drop pytz as dependency (and use datetime.timezone directly).
  • Add mdlDS and mdlJWS X509 extensions to support mobile Driver Licence.
  • Reworked installation instructions to link to a set of quickstart guides dedicated to each installation option.
  • Add --bundle option to manage.py sign_cert to allow writing the whole certificate bundle.

ACMEv2 support

ACMEv2 support will be included and enabled by default starting with django-ca==1.22. You will still have
to enable the ACMEv2 interface for each CA that should provide one. The documentation has been updated to
assume that you want to enable ACMEv2 support.

  • Add support for updating an account's email address.
  • Add support for deactivating ACME accounts.
  • Fix issuing certificates if settings.USE_TZ=True (fixes #82).
  • Fix issuing certificates for root CAs (fixes #83).

Docker and docker-compose

  • Update Docker image to be based on Alpine 3.15.
  • Do not expose ports of internal daemons when using docker-compose.

Backwards incompatible changes

  • Drop support for Python 3.6.
  • Drop support for Django 3.1.
  • Drop support for idna 2.8, 3.0 and 3.1.
  • Removed the manage.py dump_ocsp_index command.
  • Remove the --csr-format parameter to manage.py sign_cert (deprecated since 1.18.0).
  • django_ca.utils.parse_csr() has been removed (deprecated since 1.18.0).

Deprecation notices

  • This is the last release to support Django 2.2.
  • This is the last release to support cryptography 3.3 and 3.4.
  • This is the last release to support Alpine 3.12 and 3.13.

1.19.1 (2021-12-19)

19 Dec 19:15
1.19.1
9234639
  • Fix "missing" migration when using django-ca as a standalone app (fixes #79).
  • Add support for cryptography 36.0 and Django 4.0.

1.19.0 (2021-10-09)

09 Oct 20:57
1.19.0
9566875

WARNING: docker-compose users: See the update notes or you might lose private keys!

  • Implement DNS-01 validation for ACMEv2. Note that ACMEv2 support is still experimental and disabled by default.
  • Support rendering distinguished names with any NameOID known to cryptography.
  • Support creating certificates with a subject containing a dnQualifier, PC, DC, title, uid and serialNumber.
  • Only fetch the expected number of bytes when validating ACME challenges via HTTP to prevent DoS attacks.
  • Ensure that a certificate's issuer always matches the subject from the CA that signed it.
  • Fix manage.py regenerate_ocsp_key with celery enabled.
  • Fix parsing of ASN.1 OtherNames from the command line. Previously, UTF8 strings were not DER encoded.
  • Fix ACMEv2 paths in NGINX configuration included in Docker images.
  • Include a healthcheck script for uWSGI in the Docker image. Because the image is also shared for the Celery worker, it is not enabled by default, but the docker-compose configuration enables it.
  • Add support for creating certificates with Boolean, Null, Integer, UniversalString, IA5String, GeneralizedTime and UTCTime values in the format described in ASN1_GENERATE_NCONF(3SSL).
  • Preliminary support for OpenSSH CAs via EdDSA keys.
  • The Docker image is now based on python:3.10-alpine3.14.
  • Add support for Python 3.10.
  • Add support for cryptography 35.0.0.
  • Add support for idna 3.0, 3.1 and 3.2.

Backwards incompatible changes

  • Drop support for cryptography 3.0, 3.1 and 3.2.
  • Remove support for configuring absolute paths for manually configured django_ca.views.OCSPView. This functionality was officially supposed to be removed in django-ca 1.14.0.

Minor non-functional changes

  • The whole source code is now type hinted.
  • Consistently use f-strings for faster string formatting.
  • Documentation is now always generated in nitpicky mode and with warnings turned into errors.
  • Remove the now redundant html-check target for documentation generation.

Deprecation notices

  • This is the last release to support Python 3.6.
  • This is the last release to support Django 3.1.
  • This is the last release to support idna<=3.1.
  • The issuer_name field in a profile is deprecated and no longer has any effect. The parameter will be removed in django-ca 1.22.

1.18.0 (2021-05-15)

15 May 12:44
1.18.0
209d9fd
  • Add support for Django 3.2.
  • Prevent auto-completion of the CA password field in the admin interface.
  • Improve CSR validation when using the admin interface.
  • Check permissions when resigning certificates.
  • Require the change certificate permission when revoking certificates.
  • Preselect profile of original certificate when resigning certificates.
  • Make sure that operators for OrderedSetExtension always return an instance of the implementing class, not of the base class.
  • Certificate bundles now always end with a newline, as normal bundles do.
  • Add setuptools extras for mysql and postgres.
  • Add MySQL support for the Docker image.

Backwards incompatible changes

  • Don't load configuration from localsettings.py (deprecated since 1.15.0).
  • The x509 property and dump_certificate() were removed from CertificateAuthority and Certificate:
    • To access a string-encoded PEM use obj.pub.pem (was: obj.x509).
    • To update an instance with a certificate use update_certificate (was: obj.x509 = ...).
    • Use obj.pub.pem or obj.pub.der to get an encoded certificate (was: obj.dump_certificate()).
  • Drop support for Django 3.0.
  • Drop support for cryptography 2.8 and 2.9.
  • Drop support for Celery 4.3 and 4.4.
  • Drop support for idna 2.9.

Python API

  • Store certificates and CSRs as bytes to improve access speed.

Linting and continuous integration

  • Use GitHub Actions instead of Travis.
  • Use pyproject.toml for all tools that support it.
  • Code is now formatted with black.
  • Code is now linted using pylint.
  • Code is now fully type-hinted and type safe according to mypy. This
    requires the upcoming release of cryptography (current: 3.4).
  • Documentation is now cleaned with doc8.
  • Documentation is now spell-checked using sphinxcontrib.spelling.

Deprecation notices

1.17.3 (2021-03-14)

15 May 12:45
1.17.3
045be63
  • Use Alpine 3.13 and Python 3.9 in the Docker image.
  • Include templates in installations via pip (fixes #72).

1.17.2 (2021-02-19)

20 Feb 22:36
1.17.2
f795eb0
  • Update for compatibility with cryptography 3.4.
  • Add support for Alpine 3.13.
  • Due to cryptography requiring a relatively new version of Rust, support for Alpine<3.12 is dropped.

1.17.1 (2021-01-12)

20 Feb 22:36
1.17.1
354ca4f
  • Bugfix release for 1.17.0 to address packaging issues for wheels (when installed with pip install).
  • Include acme submodule (fixes #67).
  • Relax dependencies for josepy (fixes #68).
  • Add tests in Dockerfile to make sure that these issues cannot happen again.

1.17.0 (2020-12-30)

30 Dec 21:08
1.17.0
999b249
  • New CA_DEFAULT_CA setting to consistently configure the CA used by default.
  • Fix the --issuer-alt-name option for the init_ca/edit_ca management commands.
  • Correctly handle IDNA domain names in URLs and certificates.
  • Preliminary ACMEv2 support (disabled by default).
  • CAs have new fields caa_identity, website and terms_of_service, which are used by ACME.
  • Add support for Python 3.9.
  • Add support for cryptography 3.1, 3.2 and 3.3.
  • Start linting code with pylint.
  • Secure CSRF and session cookies using Django's SESSION_COOKIE_SECURE, CSRF_COOKIE_HTTPONLY and CSRF_COOKIE_SECURE settings.

Docker (Compose)

  • Add thorough Quickstart with docker-compose.
  • Collect static files on startup instead of during build. The latter causes problems with image updates.
  • Make manage.py available as the manage shortcut.
  • Add several security related headers to the admin interface (CSP, etc).
  • Include a template for a complete TLS configuration.

Backwards incompatible changes

  • Drop support for Python 3.5.
  • Drop support for cryptography 2.7.
  • Drop support for Celery 4.2.
  • Drop support for idna 2.8.

Deprecation notices

  • This is the last release to support Celery 4.3 and 4.4.
  • This is the last release to support cryptography 2.8 and 2.9.
  • This is the last release to support Django 3.0 (2.2 LTS will still be supported).
  • This is the last release to support idna 2.9.
  • This is the last release to support Alpine 3.10.

1.16.1 (2020-09-06)

06 Sep 08:36
1.16.1
b1c89d0
  • This is a bugfix release for 1.16.0 that mostly addresses CRL validation issues.
  • Add support for cryptography 3.1.
  • Fix OCSP, Issuer and CRL URLs for intermediate CAs that are not a direct child of a root CA.
  • Fix AuthorityKeyIdentifier in CRLs for intermediate CAs (see #65).
  • Properly handle CommonNames which are not parseable as SubjectAlternativeName in admin interface (see #62).
  • Minor documentation updates (see #63).
  • Fix error in manage.py notify_expiring_certs in non-timezone aware setups.
  • Override terminal size when running test cases, otherwise the output of argparse depends on the terminal size, leading to test failures on large terminals.