django_ca.models
- django-ca models¶
django-ca uses three classes, called “models” in Django terminology, to store everything in the database. They are the core classes for this project, if you want to use this project programmatically, you’ll have to use these classes:
CertificateAuthority is used to store certificate authorities.
Certificate is used to store certificates.
Finally, Watcher stores email addresses for who should be notified if certificates expire.
Note that both CertificateAuthority
and Certificate
inherit from
X509CertMixin
, which provides many common
convenience methods.
Certificate¶
- class django_ca.models.Certificate(*args, **kwargs)[source]¶
Model representing a x509 Certificate.
- property bundle: List[X509CertMixin]¶
The complete certificate bundle. This includes all CAs as well as the certificates itself.
- property root: CertificateAuthority¶
Get the root CA for this certificate.
Manager methods¶
CertificateManager
is the default manager for
Certificate
, meaning you can access it
using Certificate.objects
, e.g.:
>>> csr
<...CertificateSigningRequest object at ...>
>>> from django_ca.models import Certificate
>>> Certificate.objects.create_cert(csr=csr, ca=ca, subject=x509_name('/CN=example.com'))
<Certificate: example.com>
- class django_ca.managers.CertificateManager(*args, **kwargs)[source]¶
Model manager for the Certificate model.
- create_cert(ca: CertificateAuthority, csr: CertificateSigningRequest, profile: Profile | None = None, autogenerated: bool | None = None, **kwargs: Any) Certificate [source]¶
Create and sign a new certificate based on the given profile.
- Parameters:
- ca
CertificateAuthority
The certificate authority to sign the certificate with.
- csr
CertificateSigningRequest
The certificate signing request to use when signing a certificate. Passing a
str
orbytes
is deprecated and will be removed in django-ca 1.20.0.- profile
Profile
, optional The name of a profile or a manually created
Profile
instance. If not given, the profile configured by CA_DEFAULT_PROFILE is used.- autogeneratedbool, optional
Override the profiles
autogenerated
flag.- **kwargs
All other keyword arguments are passed to
Profiles.create_cert()
.
- ca
X509CertMixin¶
X509CertMixin
is a common base class to both
CertificateAuthority
and
Certificate
and provides many convenience
attributes.
- class django_ca.models.X509CertMixin(*args, **kwargs)[source]¶
Mixin class with common attributes for Certificates and Certificate Authorities.
- property algorithm: SHA224 | SHA256 | SHA384 | SHA512 | SHA3_224 | SHA3_256 | SHA3_384 | SHA3_512 | None¶
A shortcut for
signature_hash_algorithm
.
- get_compromised_time() datetime | None [source]¶
Return when this certificate was compromised as a naive datetime.
Returns
None
if the time is not known or if the certificate is not revoked.
- get_filename(ext: str, bundle: bool = False) str [source]¶
Get a filename safe for any file system and OS for this certificate based on the common name.
- Parameters:
- extstr
The filename extension to use (e.g.
"pem"
).- bundlebool, optional
Adds “_bundle” as suffix.
- get_fingerprint(algorithm: HashAlgorithm) str [source]¶
Get the digest for a certificate as string, including colons.
- get_revocation() RevokedCertificate [source]¶
Get the RevokedCertificate instance for this certificate for CRLs.
This function is just a shortcut for
RevokedCertificateBuilder
.See also
- Returns:
- Raises:
- ValueError
If the certificate is not revoked.
- get_revocation_reason() ReasonFlags | None [source]¶
Get the revocation reason of this certificate.
- property hpkp_pin: str¶
The HPKP public key pin for this certificate.
Inspired by https://github.com/luisgf/hpkp-python/blob/master/hpkp.py.
- property jwk: JWKRSA | JWKEC¶
Get a JOSE JWK public key for this certificate.
Note
josepy (the underlying library) does not currently support loading Ed448 or Ed25519 public keys. This property will raise ValueError if called for a public key based on those algorithms. The issue is addressed in this pull request.
- property not_after: datetime¶
A timezone-aware datetime representing the end of the validity period.
- property not_before: datetime¶
A timezone-aware datetime representing the beginning of the validity period.
- revoke(reason: ReasonFlags = ReasonFlags.unspecified, compromised: datetime | None = None) None [source]¶
Revoke the current certificate.
This function emits the
pre_revoke_cert
andpost_revoke_cert
signals.- Parameters:
- reason
ReasonFlags
, optional The reason for revocation, defaults to
ReasonFlags.unspecified
.- compromiseddatetime, optional
When this certificate was compromised.
- reason
- sorted_extensions¶
List of extensions sorted by their human-readable name.
This property is used for display purposes, where a reproducible output is desired.
- update_certificate(value: Certificate) None [source]¶
Update this instance with data from a
cryptography.x509.Certificate
.This function will also populate the cn, serial, `expires and valid_from fields.
- x509_extensions¶
All extensions of this certificate in a dict.
The key is the OID for the respective extension, allowing easy to look up a particular extension.
Watchers¶
ACME¶
- class django_ca.models.AcmeAccount(*args, **kwargs)[source]¶
Implements an ACME account object.
See also
- class django_ca.models.AcmeOrder(*args, **kwargs)[source]¶
Implements an ACME order object.
See also
- add_authorizations(identifiers: Iterable[Identifier]) List[AcmeAuthorization] [source]¶
Add
AcmeAuthorization
instances for the given identifiers.Note that this method already adds the account authorization to the database. It does not verify if it already exists and will raise an IntegrityError if it does.
Example:
>>> from acme import messages >>> identifier = messages.Identifier(typ=messages.IDENTIFIER_FQDN, value='example.com') >>> order.add_authorizations([identifier])
- Parameters:
- identifierslist of
acme.messages.Identifier
The identifiers for this order.
- identifierslist of
- Returns:
- list of
AcmeAuthorization
- list of
- class django_ca.models.AcmeAuthorization(*args, **kwargs)[source]¶
Implements an ACME authorization object.
See also
- property account: AcmeAccount¶
Account that this authorization belongs to.
- property general_name: GeneralName¶
Get the
GeneralName
instance for this instance.
- get_challenges() List[AcmeChallenge] [source]¶
Get list of
AcmeChallenge
objects for this authorization.Note that challenges will be created if they don’t exist.
- property identifier: Identifier¶
Get ACME identifier for this object.
- Returns:
- identifier
acme.messages.Identifier
- identifier
- class django_ca.models.AcmeChallenge(*args, **kwargs)[source]¶
Implements an ACME Challenge Object.
See also
- property account: AcmeAccount¶
Account that this challenge belongs to.
- property acme_challenge: KeyAuthorizationChallenge¶
Challenge as ACME challenge object.
- Returns:
acme.challenges.Challenge
The acme representation of this class.
- property acme_validated: datetime | None¶
Timestamp when this challenge was validated.
This property is a wrapper around the validated field. It always returns None if the challenge is not marked as valid (even if it had a timestamp), and the timestamp will always have a timezone, even if
USE_TZ=False
.
- get_challenge(request: HttpRequest) ChallengeBody [source]¶
Get the ACME challenge body for this challenge.
- Returns:
acme.messages.ChallengeBody
The acme representation of this class.
- class django_ca.models.AcmeCertificate(*args, **kwargs)[source]¶
Intermediate model for certificates to be issued via ACME.
- parse_csr() CertificateSigningRequest [source]¶
Load the CSR into a cryptography object.
- Returns:
CertificateSigningRequest
The CSR as used by cryptography.