django_ca.models - django-ca models

Note that both CertificateAuthority and Certificate inherit from X509CertMixin, which provides many convenience methods.
CertificateAuthority

- class django_ca.models.CertificateAuthority(id, created, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, name, enabled, parent, private_key_path, crl_url, issuer_url, ocsp_url, issuer_alt_name)

  - allows_intermediate_ca
    Whether this CA allows creating intermediate CAs.

  - bundle
    A list of any parent CAs, including this CA. The list is ordered so the Root CA will be the first.

  - max_pathlen
    The maximum pathlen for any intermediate CAs signed by this CA. This value is either None, if this and all parent CAs don't have a pathlen attribute, or an int if any parent CA has the attribute.

  - name
    Human-readable name of the CA, only used for displaying the CA.

  - pathlen
    The pathlen attribute of the BasicConstraints extension (either an int or None).
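The interplay of pathlen, max_pathlen and allows_intermediate_ca is easier to see on a concrete chain. The following is an added example, not django-ca's own code: StubCA is a stand-in class that keeps only the fields the pathlen logic needs, and check_new_intermediate is a hypothetical pre-flight check a CA service could run before calling init(). It models the documented semantics (and the RFC 5280 rule that a pathLenConstraint inherited from a parent shrinks by one per level) for chains of any depth.

```python
"""Added example (not django-ca's own code): a stand-in that models the
documented semantics of CertificateAuthority.pathlen, .max_pathlen and
.allows_intermediate_ca so the chain rules can be checked without a database.

Background (RFC 5280 BasicConstraints): pathLenConstraint is the maximum
number of further CA certificates allowed below this one in a chain, so a
bound inherited from a parent shrinks by one at each level."""
from typing import Optional


class StubCA:
    """Stand-in for CertificateAuthority holding only the fields the pathlen
    logic needs (class name and fields are constructed for this example)."""

    def __init__(self, name: str, pathlen: Optional[int] = None,
                 parent: "Optional[StubCA]" = None) -> None:
        self.name = name
        self.pathlen = pathlen  # BasicConstraints pathlen of this CA's certificate
        self.parent = parent

    @property
    def max_pathlen(self) -> Optional[int]:
        """None if neither this CA nor any ancestor sets a pathlen; otherwise
        the tightest bound, after subtracting one level for the parent."""
        if self.parent is None:
            return self.pathlen
        inherited = self.parent.max_pathlen
        if inherited is None:
            return self.pathlen
        inherited -= 1  # this CA itself consumes one level of the parent's bound
        if self.pathlen is None:
            return inherited
        return min(self.pathlen, inherited)

    @property
    def allows_intermediate_ca(self) -> bool:
        """A CA may sign another CA certificate unless its effective bound is 0."""
        max_pathlen = self.max_pathlen
        return max_pathlen is None or max_pathlen > 0


def check_new_intermediate(parent: StubCA,
                           requested_pathlen: Optional[int]) -> Optional[int]:
    """Pre-flight check (hypothetical helper) for creating an intermediate CA
    under `parent`. Returns the pathlen the new CA will effectively have, or
    raises ValueError when the parent's constraints forbid the request."""
    if not parent.allows_intermediate_ca:
        raise ValueError(f"{parent.name} does not allow intermediate CAs")
    limit = parent.max_pathlen
    if limit is None:
        return requested_pathlen  # unconstrained chain: whatever was requested
    # The child can be at most limit - 1 deep; a larger explicit value could
    # never take effect, so refuse it rather than issue a misleading constraint.
    if requested_pathlen is not None and requested_pathlen > limit - 1:
        raise ValueError(
            f"pathlen {requested_pathlen} exceeds what {parent.name} permits "
            f"({limit - 1})")
    return limit - 1 if requested_pathlen is None else requested_pathlen


if __name__ == "__main__":
    root = StubCA("root", pathlen=2)
    inter1 = StubCA("inter1", parent=root)               # inherits bound 1
    inter2 = StubCA("inter2", pathlen=5, parent=inter1)  # clamped to 0
    for ca in (root, inter1, inter2):
        print(ca.name, ca.max_pathlen, ca.allows_intermediate_ca)
    try:
        check_new_intermediate(inter2, None)
    except ValueError as exc:
        print("refused:", exc)
```

Note how inter2 asserts pathlen=5 but is still clamped to 0 by the root's pathlen of 2: the value a CA writes into its own BasicConstraints never loosens what its ancestors impose, which is why max_pathlen, not pathlen, is the attribute to consult before creating another intermediate.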
Manager methods

CertificateAuthorityManager is the default manager for CertificateAuthority, meaning you can access it using CertificateAuthority.objects, e.g.:

>>> from django_ca.models import CertificateAuthority
>>> CertificateAuthority.objects.init(...)

- class django_ca.managers.CertificateAuthorityManager

  - init(name, subject, expires=None, algorithm=None, parent=None, pathlen=None, issuer_url=None, issuer_alt_name=None, crl_url=None, ocsp_url=None, ca_issuer_url=None, ca_crl_url=None, ca_ocsp_url=None, name_constraints=None, password=None, parent_password=None, ecc_curve=None, key_type='RSA', key_size=None)
    Create a new certificate authority.

    Parameters:
    - name : str
      The name of the CA. This can be a human-readable string and is used for administrative purposes only.
    - algorithm : str or HashAlgorithm, optional
      Hash algorithm used when signing the certificate. If a string is passed, it must be the name of one of the hashes in hashes, e.g. "SHA512". This method also accepts instances of HashAlgorithm, e.g. SHA512. The default is the CA_DIGEST_ALGORITHM setting.
    - subject : Subject
      Subject string, e.g. Subject("/CN=example.com").
    - expires : datetime, optional
      Datetime for when this certificate authority will expire, defaults to the CA_DEFAULT_EXPIRES setting.
    - parent : CertificateAuthority, optional
      Parent certificate authority for the new CA. This means that this CA will be an intermediate authority.
    - pathlen : int, optional
    - password : bytes, optional
      Password to encrypt the private key with.
    - parent_password : bytes, optional
      Password that the private key of the parent CA is encrypted with.
    - ecc_curve : str or EllipticCurve, optional
      The elliptic curve to use for ECC type keys, passed verbatim to parse_key_curve().
    - key_type : str, optional
      The type of private key to generate, must be one of "RSA", "DSA" or "ECC", with "RSA" being the default.
    - key_size : int, optional
      Integer specifying the key size, must be a power of two (e.g. 2048, 4096, …), unused if key_type="ECC" but required otherwise.

    Raises:
    - ValueError
      For various cases of wrong input data (e.g. key_size not being a power of two).
    - PermissionError
      If the private key file cannot be written to disk.
Certificate

- class django_ca.models.Certificate(id, created, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, ca, csr)

  - bundle
    The complete certificate bundle. This includes all CAs as well as the certificate itself.
Manager methods

CertificateManager is the default manager for Certificate, meaning you can access it using Certificate.objects, e.g.:

>>> from django_ca.models import Certificate
>>> Certificate.objects.init(...)

- class django_ca.managers.CertificateManager

  - init(ca, csr, **kwargs)
    Create a signed certificate from a CSR and store it to the database. All parameters are passed on to Certificate.objects.sign_cert().

  - sign_cert(ca, csr, expires=None, algorithm=None, subject=None, cn_in_san=True, csr_format=Encoding.PEM, subjectAltName=None, key_usage=None, extended_key_usage=None, tls_feature=None, password=None)
    Create a signed certificate from a CSR.

    PLEASE NOTE: This function creates the raw certificate and is usually not invoked directly. It is called by Certificate.objects.init(), which passes along all parameters unchanged and saves the raw certificate to the database.

    Parameters:
    - ca : CertificateAuthority
      The certificate authority to sign the certificate with.
    - csr : str
      A valid CSR. The format is given by the csr_format parameter.
    - expires : datetime, optional
      Datetime for when this certificate will expire, defaults to the CA_DEFAULT_EXPIRES setting.
    - algorithm : str or HashAlgorithm, optional
      Hash algorithm used when signing the certificate. If a string is passed, it must be the name of one of the hashes in hashes, e.g. "SHA512". This method also accepts instances of HashAlgorithm, e.g. SHA512. The default is the CA_DIGEST_ALGORITHM setting.
    - subject : Subject, optional
      The Subject to use in the certificate. If this value is not passed or if the value does not contain a CommonName, the first value of the subjectAltName parameter is used as CommonName.
    - cn_in_san : bool, optional
      Whether the CommonName should also be included as subjectAlternativeName. The default is True, but the parameter is ignored if no CommonName is given. This is typically set to False when creating a client certificate, where the subject's CommonName has no meaningful value as subjectAltName.
    - csr_format : Encoding, optional
      The format of the CSR. The default is PEM.
    - subjectAltName : list of str, optional
      A list of values for the subjectAltName extension. Values are passed to parse_general_name(), see function documentation for how this value is parsed.
    - key_usage : KeyUsage, optional
      Value for the keyUsage X509 extension.
    - extended_key_usage : ExtendedKeyUsage, optional
      Value for the extendedKeyUsage X509 extension.
    - tls_feature : TLSFeature, optional
      Value for the TLSFeature X509 extension.
    - password : bytes, optional
      Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted.

    Returns:
    - cryptography.x509.Certificate
      The signed certificate.
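The subject, subjectAltName and cn_in_san parameters of sign_cert() interact in ways that are easy to get wrong, especially for client certificates. The following is an added example, not django-ca's own code: resolve_names is a hypothetical helper that applies the documented rules to plain Python values (a dict of RDN values for the subject, plain strings for SAN entries) and returns the names a certificate would end up with. It does not build a certificate, and unlike the real method it does not pass SAN values through parse_general_name().

```python
"""Added example (not django-ca's own code): how the subject, subjectAltName
and cn_in_san parameters of sign_cert() combine, modelled with plain Python
values. Subjects are dicts of RDN -> value and SAN entries are plain strings;
the real method wraps them in Subject and parses each SAN value with
parse_general_name(). No certificate is built here."""
from typing import Dict, List, Optional, Tuple


def resolve_names(subject: Optional[Dict[str, str]],
                  subject_alt_name: Optional[List[str]],
                  cn_in_san: bool = True) -> Tuple[Dict[str, str], List[str]]:
    """Return (final subject, final SAN list) following the documented rules:

    * no CommonName in `subject`: the first SAN value becomes the CN
    * cn_in_san=True: the CN is also added to the SAN, unless already present
    * cn_in_san is ignored when there is no CN at all

    Raising ValueError when neither a CN nor a SAN is available is this
    example's own choice, not documented behaviour."""
    subject = dict(subject or {})
    san = list(subject_alt_name or [])
    if "CN" not in subject:
        if not san:
            raise ValueError("need a CommonName or at least one subjectAltName")
        subject["CN"] = san[0]  # CN taken from the SAN, so it is already in the SAN
    elif cn_in_san and subject["CN"] not in san:
        san.insert(0, subject["CN"])
    return subject, san


if __name__ == "__main__":
    # Server certificate: the CN is mirrored into the SAN, which TLS clients check.
    print(resolve_names({"CN": "example.com"}, ["www.example.com"]))
    # Client certificate: a person's name is not a host, so keep it out of the SAN.
    print(resolve_names({"CN": "Alice", "O": "ACME"}, None, cn_in_san=False))
    # Same client certificate with the default cn_in_san=True: "Alice" lands in the SAN.
    print(resolve_names({"CN": "Alice"}, None))
```

The last call shows why the documentation recommends cn_in_san=False for client certificates: with the default, a CN such as "Alice" is copied into the subjectAltName, where it carries no meaning and only widens the set of names the certificate asserts.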
X509CertMixin

X509CertMixin is a common base class to both CertificateAuthority and Certificate and provides many convenience attributes.

- class django_ca.models.X509CertMixin(*args, **kwargs)

  - authority_key_identifier
    The AuthorityKeyIdentifier extension, or None if it doesn't exist.

  - extended_key_usage
    The ExtendedKeyUsage extension, or None if it doesn't exist.

  - not_after
    Date/Time this certificate expires.

  - not_before
    Date/Time this certificate was created.

  - subject_key_identifier
    The SubjectKeyIdentifier extension, or None if it doesn't exist.

  - tls_feature
    The TLSFeature extension, or None if it doesn't exist.

  - x509
    The underlying cryptography.x509.Certificate.