django_ca.models - django-ca models
django-ca uses three classes, called “models” in Django terminology, to store everything in the database. They are the core classes of this project; if you want to use it programmatically, you will have to use these classes:
CertificateAuthority is used to store certificate authorities.
Certificate is used to store certificates.
Finally, Watcher stores email addresses for who should be notified if certificates expire.
Note that both CertificateAuthority and Certificate inherit from X509CertMixin, which provides many common convenience methods.
Certificate
- class django_ca.models.Certificate(*args, **kwargs)
Model representing an x509 Certificate.
- property bundle
The complete certificate bundle. This includes all CAs as well as the certificate itself.
- property root
Get the root CA for this certificate.
Manager methods
CertificateManager is the default manager for Certificate, meaning you can access it using Certificate.objects, e.g.:
>>> csr
<builtins.CertificateSigningRequest object at ...>
>>> from django_ca.models import Certificate
>>> Certificate.objects.create_cert(csr=csr, ca=ca, subject='/CN=example.com')
<Certificate: example.com>
- class django_ca.managers.CertificateManager
Model manager for the Certificate model.
- create_cert(ca, csr, profile=None, autogenerated=None, **kwargs)
Create and sign a new certificate based on the given profile.
- Parameters
- ca (CertificateAuthority): The certificate authority to sign the certificate with.
- csr (CertificateSigningRequest): The certificate signing request to use when signing a certificate. Passing a str or bytes is deprecated and will be removed in django-ca 1.20.0.
- profile (Profile, optional): The name of a profile or a manually created Profile instance. If not given, the profile configured by CA_DEFAULT_PROFILE is used.
- autogenerated (bool, optional): Override the profile's autogenerated flag.
- **kwargs: All other keyword arguments are passed to Profiles.create_cert().
X509CertMixin
X509CertMixin is a common base class to both CertificateAuthority and Certificate and provides many convenience attributes.
- class django_ca.models.X509CertMixin(*args, **kwargs)
Mixin class with common attributes for Certificates and Certificate Authorities.
- property algorithm
A shortcut for signature_hash_algorithm.
- authority_information_access
The AuthorityInformationAccess extension or None if not present.
- authority_key_identifier
The AuthorityKeyIdentifier extension or None if not present.
- basic_constraints
The BasicConstraints extension or None if not present.
- property bundle_as_pem
Get the bundle as PEM.
- certificate_policies
The CertificatePolicies extension or None if not present.
- crl_distribution_points
The CRLDistributionPoints extension or None if not present.
- property distinguished_name
The certificate's distinguished name formatted as a string.
- extended_key_usage
The ExtendedKeyUsage extension or None if not present.
- extensions
List of all extensions for this certificate.
- freshest_crl
The FreshestCRL extension or None if not present.
- get_compromised_time()
Return when this certificate was compromised as a naive datetime.
Returns None if the time is not known or if the certificate is not revoked.
- get_digest(algo)
Get the fingerprint for this certificate.
Deprecated since version 1.21.0: Use get_fingerprint() instead.
- get_filename(ext, bundle=False)
Get a filename safe for any file system and OS for this certificate based on the common name.
- Parameters
- ext (str): The filename extension to use (e.g. "pem").
- bundle (bool, optional): Adds “_bundle” as suffix.
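A common name is attacker-influenced data once a CA accepts CSRs from outside, so deriving a file name from it needs an allow-list rather than a deny-list. The following is an added example of such a derivation with the same interface as get_filename(ext, bundle) above; it is not django-ca's implementation, and the concrete rules (the "wildcard" substitution, the "certificate" fallback, the Windows reserved-name prefix and the 200-character stem limit) are this example's own assumptions.

```python
import re
import string

# Allow-list of characters kept verbatim. Everything else (path separators on
# any OS, NUL, whitespace, shell metacharacters, non-ASCII) becomes "_".
_SAFE = frozenset(string.ascii_letters + string.digits + "._-")
# Names Windows refuses regardless of extension (assumption: treat as reserved).
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})
_MAX_STEM = 200  # assumption: stay well under the common 255-byte name limit


def safe_filename(common_name: str, ext: str, bundle: bool = False) -> str:
    """Derive a single, safe path component from a certificate's common name.

    Same interface as get_filename(ext, bundle) on the page; the sanitisation
    rules are this example's own choices, not the project's.
    """
    # A wildcard CN is common; keep that fact visible instead of dropping it.
    stem = common_name.replace("*", "wildcard")
    stem = "".join(c if c in _SAFE else "_" for c in stem)
    stem = re.sub(r"_+", "_", stem)
    # No leading dots: this removes hidden-file names and ".." components.
    stem = stem.strip("._")
    if not stem:
        stem = "certificate"
    if stem.split(".")[0].upper() in _RESERVED:
        stem = "_" + stem
    stem = stem[:_MAX_STEM]
    if bundle:
        stem += "_bundle"
    return f"{stem}.{ext.lstrip('.')}"


def is_plain_filename(name: str) -> bool:
    """Defensive check before writing: one path component, no separators or NUL."""
    return (bool(name) and "/" not in name and "\\" not in name
            and "\x00" not in name and name not in (".", ".."))


if __name__ == "__main__":
    for cn in ("example.com", "*.example.com", "../../etc/passwd", ""):
        print(repr(cn), "->", safe_filename(cn, "pem", bundle=True))
```

The allow-list approach matters because a deny-list written for one OS misses the separators and reserved names of another; the final is_plain_filename check is cheap insurance at the point where the name is actually joined to a directory.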
- get_revocation()
Get the RevokedCertificate instance for this certificate for CRLs.
This function is just a shortcut for RevokedCertificateBuilder.
- Raises
- ValueError: If the certificate is not revoked.
- property hpkp_pin
The HPKP public key pin for this certificate.
Inspired by https://github.com/luisgf/hpkp-python/blob/master/hpkp.py.
- inhibit_any_policy
The InhibitAnyPolicy extension or None if not present.
- property issuer
The certificate issuer field as Name.
Changed in version 1.20.0: This property was a Subject before django-ca==1.20.0.
- issuer_alternative_name
The IssuerAlternativeName extension or None if not present.
- property jwk
Get a JOSE JWK public key for this certificate.
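Both hpkp_pin and jwk above are derived from the certificate's SubjectPublicKeyInfo: the HPKP pin is SHA-256 over the DER-encoded SPKI (RFC 7469), and the JWK carries the RSA modulus and exponent as base64url integers (RFC 7518). The following added example, written for this page and not taken from django-ca (which delegates to the cryptography library), builds a toy RSA SPKI, parses it back with a minimal DER reader, and derives both values with the standard library only. TOY_N and TOY_E are constructed values for a 64-bit modulus, far too small for real use; only the encoding is realistic.

```python
import base64
import hashlib

# Constructed for this example: a toy RSA public key with a 64-bit modulus
# (real keys are 2048 bits or more; the encoding rules are identical).
TOY_N = 0xC2F3D1E5A7B9C0D3
TOY_E = 65537
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_to_int(text: str) -> int:
    return int.from_bytes(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)), "big")


def der(tag: int, content: bytes) -> bytes:
    """One DER TLV with definite length (short form below 128 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """INTEGER is two's complement: prepend 0x00 when the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key (RFC 5280 §4.1.2.7, RFC 8017 A.1.1)."""
    algorithm = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    rsa_public_key = der(0x30, der_int(n) + der_int(e))
    # BIT STRING content starts with the count of unused bits (0 here).
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))


def der_read(buf: bytes, pos: int = 0):
    """Read the TLV at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n_bytes = length & 0x7F
        if n_bytes == 0 or n_bytes > 4 or pos + n_bytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def spki_to_jwk(spki: bytes) -> dict:
    """Parse an RSA SubjectPublicKeyInfo into a public JWK (RFC 7518 §6.3.1)."""
    tag, body, end = der_read(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("SPKI must be exactly one SEQUENCE")
    tag, alg, pos = der_read(body)
    oid_tag, oid, _ = der_read(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("only rsaEncryption keys are handled here")
    tag, bits, _ = der_read(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("bad subjectPublicKey BIT STRING")
    _, rsa, _ = der_read(bits[1:])
    _, n_raw, pos = der_read(rsa)
    _, e_raw, _ = der_read(rsa, pos)
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")
    # JWK carries the unsigned magnitude, so the DER sign byte is dropped here.
    as_b64 = lambda v: b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "n": as_b64(n), "e": as_b64(e)}


def is_rsa_spki(spki: bytes) -> bool:
    try:
        spki_to_jwk(spki)
        return True
    except (ValueError, IndexError):
        return False


def hpkp_pin(spki: bytes) -> str:
    """HPKP pin (RFC 7469): standard base64 of SHA-256 over the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


if __name__ == "__main__":
    spki = rsa_spki(TOY_N, TOY_E)
    print(spki_to_jwk(spki))
    print("pin-sha256=" + hpkp_pin(spki))
```

Two details are easy to get wrong when reimplementing this: the pin is computed over the whole SPKI (algorithm identifier included), not over the bare RSAPublicKey, and the JWK "n" must not keep the 0x00 sign byte that DER adds to a positive INTEGER with its top bit set, otherwise the thumbprint of the key changes.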
- name_constraints
The NameConstraints extension or None if not present.
- property not_after
Date/Time this certificate expires.
- property not_before
Date/Time this certificate was created.
- ocsp_no_check
The OCSPNoCheck extension or None if not present.
- policy_constraints
The PolicyConstraints extension or None if not present.
- precert_poison
The PrecertPoison extension or None if not present.
- precertificate_signed_certificate_timestamps
The PrecertificateSignedCertificateTimestamps extension or None if not present.
- revoke(reason=ReasonFlags.unspecified, compromised=None)
Revoke the current certificate.
This function emits the pre_revoke_cert and post_revoke_cert signals.
- Parameters
- reason (ReasonFlags, optional): The reason for revocation, defaults to ReasonFlags.unspecified.
- compromised (datetime, optional): When this certificate was compromised.
- property subject
The certificate subject field as Name.
Changed in version 1.20.0: This property was a Subject before django-ca==1.20.0.
- subject_alternative_name
The SubjectAlternativeName extension or None if not present.
- subject_key_identifier
The SubjectKeyIdentifier extension or None if not present.
- tls_feature
The TLSFeature extension or None if not present.
- update_certificate(value)
Update this instance with data from a cryptography.x509.Certificate.
This function will also populate the cn, serial, expires and valid_from fields.
Watchers
ACME
- class django_ca.models.AcmeAccount(*args, **kwargs)
Implements an ACME account object.
- property serial
Serial of the CA for this account.
- set_kid(request)
Set the ACME kid based on this account's CA and slug.
Note that slug and ca must already be set when using this method.
- property usable
Boolean if the account is currently usable.
An account is usable if the terms of service have been agreed, the status is “valid” and the associated CA is usable.
- class django_ca.models.AcmeOrder(*args, **kwargs)
Implements an ACME order object.
- property acme_finalize_url
Get the ACME “finalize” URL path for this order.
- property acme_url
Get the ACME URL path for this order.
- add_authorizations(identifiers)
Add AcmeAuthorization instances for the given identifiers.
Note that this method already adds the account authorization to the database. It does not verify if it already exists and will raise an IntegrityError if it does.
Example:
>>> from acme import messages
>>> identifier = messages.Identifier(typ=messages.IDENTIFIER_FQDN, value='example.com')
>>> order.add_authorizations([identifier])
- Parameters
- identifiers (list of acme.messages.Identifier): The identifiers for this order.
- Returns
- list of AcmeAuthorization
- property serial
Serial of the CA for this order.
- property usable
Boolean defining if an order is “usable”, meaning it can be used to issue a certificate.
An order is usable if it is in the “pending” status, has not expired and the account is usable.
- class django_ca.models.AcmeAuthorization(*args, **kwargs)
Implements an ACME authorization object.
- property account
Account that this authorization belongs to.
- property acme_url
Get the ACME URL path for this account authorization.
- property expires
When this authorization expires.
- get_challenges()
Get list of AcmeChallenge objects for this authorization.
Note that challenges will be created if they don't exist.
- property identifier
Get ACME identifier for this object.
- Returns
- identifier (acme.messages.Identifier)
- property serial
Serial of the CA for this authorization.
- property subject_alternative_name
Get the domain for this challenge as prefixed SubjectAlternativeName.
This method is intended to be used when creating the SubjectAlternativeName extension for a certificate to be signed.
- property usable
Boolean defining if an authorization can still be used in order validation.
An authorization is usable if it is in the “pending” or “invalid” status and the order is usable. An authorization that is in the “invalid” status is eligible to be retried by the client.
- class django_ca.models.AcmeChallenge(*args, **kwargs)
Implements an ACME Challenge Object.
- property account
Account that this challenge belongs to.
- property acme_challenge
Challenge as ACME challenge object.
- Returns
- acme.challenges.Challenge: The acme representation of this class.
- property acme_url
Get the ACME URL path for this challenge.
- property acme_validated
Timestamp when this challenge was validated.
This property is a wrapper around the validated field. It always returns None if the challenge is not marked as valid (even if it had a timestamp), and the timestamp will always have a timezone, even if USE_TZ=False.
- property encoded_token
Token in base64url encoded form.
- property expected
Expected value for the challenge based on its type.
- get_challenge(request)
Get the ACME challenge body for this challenge.
- Returns
- acme.messages.ChallengeBody: The acme representation of this class.
- property serial
Serial of the CA for this challenge.
- property usable
Boolean defining if a challenge is “usable”, meaning it still can be used in order validation.
A challenge is usable if it is in the “pending” or “invalid” status and the authorization is usable.
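The encoded_token and expected properties above are where the ACME protocol's challenge values come from: the token is a random base64url string, and the expected value is the key authorization (token, a dot, and the RFC 7638 thumbprint of the account's JWK), served as-is for http-01 or hashed again for dns-01 (RFC 8555 §8.1, §8.3, §8.4). The following added example, written for this page and not part of django-ca, computes those values with the standard library; SAMPLE_JWK is a constructed key with placeholder contents (only the encoding is relevant), and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets

# Members that enter the thumbprint, per key type (RFC 7638 §3.2). Private
# members such as "d" and metadata such as "kid" or "use" never do.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_token(nbytes: int = 32) -> str:
    """Challenge token: at least 128 bits of entropy, base64url, no padding (RFC 8555 §8.3)."""
    return b64url(secrets.token_bytes(nbytes))


def token_is_valid(token: str) -> bool:
    # 22 base64url characters carry 132 bits, the shortest encoding of 128 bits.
    return len(token) >= 22 and _TOKEN_RE.match(token) is not None


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, lexicographically sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: token || "." || base64url(JWK thumbprint of the account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def expected_value(challenge_type: str, token: str, account_jwk: dict) -> str:
    """The value the validator must observe, by challenge type."""
    keyauth = key_authorization(token, account_jwk)
    if challenge_type == "http-01":
        # Body of http://<domain>/.well-known/acme-challenge/<token> (RFC 8555 §8.3).
        return keyauth
    if challenge_type == "dns-01":
        # TXT record at _acme-challenge.<domain> (RFC 8555 §8.4).
        return b64url(hashlib.sha256(keyauth.encode("ascii")).digest())
    raise ValueError(f"unsupported challenge type: {challenge_type}")


def observed_matches(challenge_type: str, observed: str, token: str, account_jwk: dict) -> bool:
    """Constant-time comparison; http-01 permits trailing whitespace after the body."""
    expected = expected_value(challenge_type, token, account_jwk).encode("ascii")
    return hmac.compare_digest(observed.strip().encode("utf-8"), expected)


# Constructed sample account key: placeholder "n", not a real modulus.
SAMPLE_JWK = {"kty": "RSA", "n": "AQAB", "e": "AQAB", "use": "sig", "kid": "acct-1"}

if __name__ == "__main__":
    token = new_token()
    for kind in ("http-01", "dns-01"):
        print(kind, expected_value(kind, token, SAMPLE_JWK))
```

The thumbprint must be computed only over the required public members, in sorted order and without whitespace; including "kid" or a private member changes the digest and, for a private member, would leak it into a value the CA compares against public data. The comparison side uses hmac.compare_digest so that the validator does not leak how many leading characters of the observed value were correct.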
- class django_ca.models.AcmeCertificate(*args, **kwargs)
Intermediate model for certificates to be issued via ACME.
- property acme_url
Get the ACME URL path for this certificate.
- parse_csr()
Load the CSR into a cryptography object.
- Returns
- CertificateSigningRequest: The CSR as used by cryptography.
- property usable
Boolean defining if this instance is “usable”, meaning we can use it to issue a certificate.
An ACME certificate is considered usable if no actual certificate has yet been issued, the order is not expired and in the “processing” state.