Custom settings
You can use any of the settings understood by Django, and django-ca provides some settings of its own.
From Django's settings, you especially need to configure DATABASES, SECRET_KEY, ALLOWED_HOSTS and STATIC_ROOT.
All settings used by django-ca start with the CA_ prefix. Settings are also documented at ca/ca/localsettings.py.example (view on git).
- CA_CRL_PROFILES
Default:
{
    'user': {
        'algorithm': 'SHA512',
        'expires': 86400,
        'scope': 'user',
        'encodings': ['DER', ],
    },
    'ca': {
        'algorithm': 'SHA512',
        'expires': 86400,
        'scope': 'ca',
        'encodings': ['DER', ],
    },
}
A set of CRLs to create using automated tasks.
- CA_CUSTOM_APPS
Default:
[]
This setting is only used when you run django-ca as a standalone project. It lets you add custom apps to the project, e.g. to add Signals.
The list is appended to the standard INSTALLED_APPS setting. If you need more control, you can always override that setting instead.
- CA_DEFAULT_ECC_CURVE
Default:
"SECP256R1"
The default elliptic curve used for generating CA private keys when ECC is used.
- CA_DEFAULT_EXPIRES
Default:
730
The default time, in days, after which a newly signed certificate expires.
- CA_DEFAULT_HOSTNAME
Default:
None
If set, the default hostname will be used to set generic URLs for the OCSP responder, assuming that django_ca itself is used as OCSP responder. This setting must not include the protocol, as OCSP always uses HTTP (not HTTPS) and this setting might be used for other values in the future. Example value: "ca.example.com".
- CA_DEFAULT_KEY_SIZE
Default:
4096
The default key size for newly created CAs (not used for CAs based on ECC).
- CA_DEFAULT_PROFILE
Default:
webserver
The default profile to use.
- CA_DEFAULT_SUBJECT
Default:
{}
The default subject to use. The keys of this dictionary are the valid fields in X509 certificate subjects. Example:
CA_DEFAULT_SUBJECT = {
    'C': 'AT',
    'ST': 'Vienna',
    'L': 'Vienna',
    'O': 'HTU Wien',
    'OU': 'Fachschaft Informatik',
    'emailAddress': 'user@example.com',
}
- CA_DIGEST_ALGORITHM
Default:
"sha512"
The default digest algorithm used to sign certificates. You may want to use "sha256" for older (pre-2010) clients. Note that this setting is also used by the init_ca command, so if you have any clients that do not understand sha512 hashes, you should change this beforehand.
- CA_DIR
Default:
"files/"
Where the root certificate is stored. The default is a files directory in the same location as your manage.py file.
- CA_FILE_STORAGE
Default:
'django.core.files.storage.FileSystemStorage'
Default storage backend for files created by django-ca. The default is the same as the default for DEFAULT_FILE_STORAGE, so django-ca will still use local filesystem storage even if you configure a different storage backend in DEFAULT_FILE_STORAGE. The default uses CA_FILE_STORAGE_KWARGS to store files in a different location, since the default (MEDIA_ROOT) is commonly used to upload user-generated files that are exposed to the web by the webserver.
- CA_FILE_STORAGE_KWARGS
Default:
{'location': 'files/', 'file_permissions_mode': 0o600, 'directory_permissions_mode': 0o700}
Add any arguments to the storage backend configured in CA_FILE_STORAGE.
- CA_NOTIFICATION_DAYS
Default:
[14, 7, 3, 1, ]
Days before expiry that certificate watchers will receive notifications. By default, watchers will receive notifications 14, seven, three and one days before expiry.
- CA_OCSP_URLS
Default:
{}
Configuration for OCSP responders. See Run a OCSP responder for more information.
- CA_PASSWORDS
Default:
{}
A dictionary configuring passwords for the private keys of CAs. This setting is required if you create a CA with an encrypted private key and want to automatically create CRLs and OCSP keys.
- CA_PROFILES
Default:
{}
Add new profiles or change existing ones. Please see Profiles for more information on profiles.
- CA_USE_CELERY
Default:
None
Set to True to force django-ca to use Celery or to False to force not using it. The default is to use Celery if it is installed.
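
The constraints stated above for CA_DEFAULT_HOSTNAME, CA_FILE_STORAGE and CA_FILE_STORAGE_KWARGS can be checked before deployment. The following is an added example, not part of django-ca: the function name audit_ca_settings and its base_dir parameter are hypothetical, and it goes beyond the text by also treating STATIC_ROOT as a web-served directory. It assumes that an overridden CA_FILE_STORAGE_KWARGS replaces the default dictionary rather than being merged with it.

```python
import os

# Default from the settings list above; used when the setting is not overridden.
DEFAULT_STORAGE_KWARGS = {
    "location": "files/",
    "file_permissions_mode": 0o600,
    "directory_permissions_mode": 0o700,
}


def _inside(path, parent):
    """True if path equals parent or lies below it (lexical check, no symlink resolution)."""
    path, parent = os.path.abspath(path), os.path.abspath(parent)
    return os.path.commonpath([path, parent]) == parent


def audit_ca_settings(settings, base_dir="."):
    """Return findings for a dict of settings; base_dir anchors relative paths."""
    findings = []

    # CA_DEFAULT_HOSTNAME must be a bare hostname: no protocol, hence no "/".
    host = settings.get("CA_DEFAULT_HOSTNAME")
    if host is not None and "/" in host:
        findings.append("CA_DEFAULT_HOSTNAME must not include a protocol or path")

    # Assumption: an overridden dict replaces the default instead of merging with it.
    kwargs = settings.get("CA_FILE_STORAGE_KWARGS", DEFAULT_STORAGE_KWARGS)
    for key in ("file_permissions_mode", "directory_permissions_mode"):
        mode = kwargs.get(key)
        if mode is None or mode & 0o077:
            findings.append(f"{key} is unset or grants access to group/others")

    # Without an explicit location, FileSystemStorage falls back to MEDIA_ROOT.
    location = kwargs.get("location") or settings.get("MEDIA_ROOT", "")
    location = os.path.join(base_dir, location)
    for name in ("MEDIA_ROOT", "STATIC_ROOT"):
        root = settings.get(name)
        if root and _inside(location, os.path.join(base_dir, root)):
            findings.append(f"storage location lies inside {name}")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real deployment.
    sample = {"CA_DEFAULT_HOSTNAME": "http://ca.example.com", "MEDIA_ROOT": "media/",
              "CA_FILE_STORAGE_KWARGS": {"location": "media/ca/", "file_permissions_mode": 0o644}}
    for finding in audit_ca_settings(sample, base_dir="/srv/ca"):
        print(finding)
```

With the defaults listed on this page and a MEDIA_ROOT outside files/, the function returns an empty list.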