django_ca.models
- django-ca models¶
django-ca uses three classes, called “models” in Django terminology, to store everything in the database. They are the core classes for this project, if you want to use this project programatically, you’ll have to use these classes:
CertificateAuthority is used to store certificate authorities.
Certificate is used to store certificates.
Finally, Watcher stores email addresses for who should be notified if certificates expire.
Note that both CertificateAuthority
and Certificate
inherit from
X509CertMixin
, which provides many common
convenience methods.
CertificateAuthority¶
-
class
django_ca.models.
CertificateAuthority
(id, created, valid_from, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, compromised, name, enabled, parent, private_key_path, crl_url, crl_number, issuer_url, ocsp_url, issuer_alt_name)[source]¶ -
property
allows_intermediate_ca
¶ Wether this CA allows creating intermediate CAs.
-
property
bundle
¶ A list of any parent CAs, including this CA.
The list is ordered so the Root CA will be the first.
-
generate_ocsp_key
(profile='ocsp', expires=3, algorithm=None, password=None, key_size=None, key_type=None, ecc_curve=None, autogenerated=True)[source]¶ Generate OCSP keys for this CA.
- Parameters
- profilestr, optional
The profile to use for generating the certificate. The default is
"ocsp"
.- expiresint or datetime, optional
Number of days or datetime when this certificate expires. The default is
3
(OCSP certificates are usually renewed frequently).- algorithmstr, optional
Passed to
parse_hash_algorithm()
and defaults to CA_DIGEST_ALGORITHM.- passwordbytes, optional
The password to the CA as bytes, if its private key is encrypted.
- key_sizeint, optional
The key size of the private key, defaults to CA_DEFAULT_KEY_SIZE.
- key_type{“RSA”, “DSA”, “ECC”}, optional
The private key type to use, the default is
"RSA"
.- ecc_curvestr, optional
Passed to
parse_key_curve()
, defaults to the CA_DEFAULT_ECC_CURVE.- autogeneratedbool, optional
Set the “autogenerated” flag of the certificate.
True
by default, since this method is usually invoked in an automated cron-like fashion.
Return the AuthorityKeyIdentifier extension used in certificates signed by this CA.
-
get_crl
(expires=86400, algorithm=None, password=None, scope=None, counter=None, **kwargs)[source]¶ Generate a Certificate Revocation List (CRL).
The
full_name
andrelative_name
parameters describe how to retrieve the CRL and are used in the Issuing Distribution Point extension. The former defaults to thecrl_url
field, passNone
to not include the value. At most one of the two may be set.- Parameters
- expiresint
The time in seconds when this CRL expires. Note that you should generate a new CRL until then.
- algorithm
Hash
or str, optional The hash algorithm to use, passed to
parse_hash_algorithm()
. The default is to use CA_DIGEST_ALGORITHM.- passwordbytes, optional
Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted.
- scope{None, ‘ca’, ‘user’, ‘attribute’}, optional
What to include in the CRL: Use
"ca"
to include only revoked certificate authorities and"user"
to include only certificates orNone
(the default) to include both."attribute"
is reserved for future use and always produces an empty CRL.- counterstr, optional
Override the counter-variable for the CRL Number extension. Passing the same key to multiple invocations will yield a different sequence then what would ordinarily be returned. The default is to use the scope as the key.
- full_namelist of str or
GeneralName
, optional List of general names to use in the Issuing Distribution Point extension. If not passed, use
crl_url
if set.- relative_name
RelativeDistinguishedName
, optional Used in Issuing Distribution Point extension, retrieve the CRL relative to the issuer.
- Returns
- bytes
The CRL in the requested format.
-
property
max_pathlen
¶ The maximum pathlen for any intermediate CAs signed by this CA.
This value is either
None
, if this and all parent CAs don’t have apathlen
attribute, or anint
if any parent CA has the attribute.
-
name
¶ Human-readable name of the CA, only used for displaying the CA.
-
property
pathlen
¶ The
pathlen
attribute of theBasicConstraints
extension (either anint
orNone
).
-
property
root
¶ Get the root CA for this CA.
-
property
Creating CAs¶
Use CertificateAuthority.objects.init()
to create new certificate
authorities. The method has many options but is designed to provide defaults
that work in most cases:
>>> from django_ca.models import CertificateAuthority
>>> ca = CertificateAuthority.objects.init(
... name='ca', subject='/CN=ca.example.com',
... pathlen=1 # so we can create one level of intermediate CAs
... )
>>> ca
<CertificateAuthority: ca>
This CA will contain all properties and X509 extensions to be a fully functioning CA. To create an intermediate CA, simply pass the parent:
>>> child = CertificateAuthority.objects.init(
... name='child', subject='/CN=child.example.com',
... parent=ca)
>>> child.parent
<CertificateAuthority: ca>
>>> ca.children.all()
<CertificateAuthorityQuerySet [<CertificateAuthority: child>]>
Or to create a CA with all extensions that live CAs have, you can pass many more parameters:
>>> full = CertificateAuthority.objects.init(
... name='full', subject='/CN=full.example.com',
... parent=ca, # some extensions are only valid for intermediate CAs
... issuer_url='http://full.example.com/full.der',
... # this CA can only sign for *.com domains:
... name_constraints={'value': {'permitted': ['DNS:.com']}},
...
... # CRL/OCSP URLs for signed certificates. These can be changed later:
... crl_url=['http://full.example.com/full.crl', ],
... ocsp_url='http://full.example.com/ocsp',
...
... # CRL/OCSP/Issuer URLs for the CA. These are only meaningful for
... # intermediate CAs:
... ca_crl_url=['http://parent.example.com/parent.crl', ],
... ca_ocsp_url='http://parent.example.com/ocsp',
... ca_issuer_url='http://parent.example.com/parent.crt'
... )
There are some more parameters to configure how the CA will be signed:
>>> CertificateAuthority.objects.init(
... name='props', subject='/CN=child.example.com',
... algorithm='SHA256', # sha512 would be the default
... pathlen=3, # three levels of intermediate CAs allowed,
... password=b'foobar', # encrypt private key with this password
... key_size=4096, # key size for RSA keys - unused in this example
... key_type='ECC', # create an ECC private key
... ecc_curve='SECP256R1'
... )
<CertificateAuthority: props>
Here are all parameters for creating CAs:
-
CertificateAuthorityManager.
init
(name, subject, expires=None, algorithm=None, parent=None, default_hostname=None, pathlen=None, issuer_url=None, issuer_alt_name='', crl_url=None, ocsp_url=None, ca_issuer_url=None, ca_crl_url=None, ca_ocsp_url=None, name_constraints=None, password=None, parent_password=None, ecc_curve=None, key_type='RSA', key_size=None, extra_extensions=None, path='ca')[source]¶ Create a new certificate authority.
- Parameters
- namestr
The name of the CA. This is a human-readable string and is used for administrative purposes only.
- subjectdict or str or
Subject
Subject string, e.g.
"/CN=example.com"
orSubject("/CN=example.com")
. The value is actually passed toSubject
if it is not already an instance of that class.- expiresdatetime, optional
Datetime for when this certificate authority will expire, defaults to CA_DEFAULT_EXPIRES.
- algorithmstr or
HashAlgorithm
, optional Hash algorithm used when signing the certificate, passed to
parse_hash_algorithm()
. The default is the value of the CA_DIGEST_ALGORITHM setting.- parent
CertificateAuthority
, optional Parent certificate authority for the new CA. Passing this value makes the CA an intermediate authority.
- default_hostnamestr, optional
Override the url configured with CA_DEFAULT_HOSTNAME with a different hostname. Set to
False
to disable the hostname.- pathlenint, optional
Value of the path length attribute for the
BasicConstraints
extension.- issuer_urlstr
URL for the DER/ASN1 formatted certificate that is signing certificates.
- issuer_alt_name
IssuerAlternativeName
or str, optional IssuerAlternativeName used when signing certificates. If the value is not an instance of
IssuerAlternativeName
, it will be passed as argument to the constructor of the class.- crl_urllist of str, optional
CRL URLs used for certificates signed by this CA.
- ocsp_urlstr, optional
OCSP URL used for certificates signed by this CA. The default is no value, unless CA_DEFAULT_HOSTNAME is set.
- ca_issuer_urlstr, optional
URL for the DER/ASN1 formatted certificate that is signing this CA. For intermediate CAs, this would usually be the
issuer_url
of the parent CA.- ca_crl_urllist of str, optional
CRL URLs used for this CA. This value is only meaningful for intermediate CAs.
- ca_ocsp_urlstr, optional
OCSP URL used for this CA. This value is only meaningful for intermediate CAs. The default is no value, unless CA_DEFAULT_HOSTNAME is set.
- name_constraintslist of lists or
NameConstraints
List of names that this CA can sign and/or cannot sign. The value is passed to
NameConstraints
if the value is not already an instance of that class.- passwordbytes, optional
Password to encrypt the private key with.
- parent_passwordbytes, optional
Password that the private key of the parent CA is encrypted with.
- ecc_curvestr or EllipticCurve, optional
The elliptic curve to use for ECC type keys, passed verbatim to
parse_key_curve()
.- key_type: str, optional
The type of private key to generate, must be one of
"RSA"
,"DSA"
or"ECC"
, with"RSA"
being the default.- key_sizeint, optional
Integer specifying the key size, must be a power of two (e.g. 2048, 4096, …). Defaults to the CA_DEFAULT_KEY_SIZE, unused if
key_type="ECC"
.- extra_extensionslist of
cryptography.x509.Extension
ordjango_ca.extensions.Extension
, optional An optional list of additional extensions to add to the certificate.
- pathstr or pathlib.PurePath, optional
Where to store the CA private key (default
ca
).
- Raises
- ValueError
For various cases of wrong input data (e.g.
key_size
not being the power of two).- PermissionError
If the private key file cannot be written to disk.
Certificate¶
-
class
django_ca.models.
Certificate
(id, created, valid_from, expires, pub, cn, serial, revoked, revoked_date, revoked_reason, compromised, ca, csr, profile, autogenerated)[source]¶ -
property
bundle
¶ The complete certificate bundle. This includes all CAs as well as the certificates itself.
-
property
root
¶ Get the root CA for this certificate.
-
property
Manager methods¶
CertificateManager
is the default manager for
Certificate
, meaning you can access it
using Certificate.objects
, e.g.:
>>> from django_ca.models import Certificate
>>> Certificate.objects.create_cert(csr=csr, ca=ca, subject='/CN=example.com')
<Certificate: example.com>
-
class
django_ca.managers.
CertificateManager
(*args, **kwargs)[source]¶ -
create_cert
(ca, csr, csr_format=<Encoding.PEM: 'PEM'>, profile=None, autogenerated=None, **kwargs)[source]¶ Create and sign a new certificate based on the given profile.
- Parameters
- ca
CertificateAuthority
The certificate authority to sign the certificate with.
- csrstr or
CertificateSigningRequest
A valid CSR. If not already a
CertificateSigningRequest
, the format is given by thecsr_format
parameter.- csr_format
Encoding
, optional The format of the CSR. The default is
PEM
.- profilestr or
Profile
, optional The name of a profile or a manually created
Profile
instance. If not given, the profile configured by CA_DEFAULT_PROFILE is used.- autogeneratedbool, optional
Override the profiles
autogenerated
flag.- **kwargs
All other keyword arguments are passed to
Profiles.create_cert()
.
- ca
-
X509CertMixin¶
X509CertMixin
is a common base class to both
CertificateAuthority
and
Certificate
and provides many convenience
attributes.
-
class
django_ca.models.
X509CertMixin
(*args, **kwargs)[source]¶ The
AuthorityKeyIdentifier
extension, orNone
if it doesn’t exist.
-
extended_key_usage
¶ The
ExtendedKeyUsage
extension, orNone
if it doesn’t exist.
-
get_revocation_time
()[source]¶ Get the revocation time as naive datetime.
Note that this method is only used by cryptography>=2.4.
-
property
not_after
¶ Date/Time this certificate expires.
-
property
not_before
¶ Date/Time this certificate was created
-
subject_key_identifier
¶ The
SubjectKeyIdentifier
extension, orNone
if it doesn’t exist.
-
tls_feature
¶ The
TLSFeature
extension, orNone
if it doesn’t exist.
-
property
x509
¶ The underlying
cryptography.x509.Certificate
.