Changelogs » Django-ca

PyUp Safety actively tracks 268,179 Python packages for vulnerabilities and notifies you when to upgrade.



* This is a bugfix release for 1.16.0 that mostly addresses CRL validation issues.
  * Add support for cryptography 3.1.
  * Fix OCSP, Issuer and CRL URLs for intermediate CAs that are not a *direct* child of a root CA.
  * Fix AuthorityKeyIdentifier in CRLs for intermediate CAs (see 65).
  * Properly handle CommonNames which are not parseable as SubjectAlternativeName in admin interface (see 62).
  * Minor documentation updates (see 63)
  * Fix error in `` notify_expiring_certs`` in non-timezone aware setups.
  * Override terminal size when running test cases, otherwise the output of argparse depends on the terminal size, leading to test failures on large terminals.


* Add support for cryptography 2.9 and 3.0.
  * Add support for Django 3.1.
  * The docker image is now based on Alpine Linux 3.12.
  * Update `redis` to version 6 and nginx version 18 when using docker-compose
  * Finally update Sphinx since [numpydoc215]( is finally fixed.
  * The profile used to generate the certificate is now stored in the database.
  * It is no longer optional to select a profile in the admin interface when creating a certificate.
  * Certificates have a new `autogenerated` boolean flag, which is `True` for automatically generated OCSP  certificates.
  * The admin interface will list only valid and non-autogenerated certificates by default.
  Backwards incompatible changes
  * Drop support for Django 1.11 and 2.1.
  * Drop support for Celery 4.0 and 4.1.
  * Drop support for OpenSSL 1.1.0f and earlier. This affects Debian oldoldstable (jessie), Ubuntu 16.04 and Alpine 3.8.
  * `Certificate.objects.init()` and `profiles.get_cert_profile_kwargs()` were removed. Use [Certificate.objects.create_cert()]( instead.
  Deprecation notices
  * This is the last release to support Python 3.5.
  * This is the last release to support cryptography 2.7.
  * This is the last release to support Celery 4.2.
  * This is the last release to support idna 2.8.
  * The Django project included in this git repository will stop loading `` files in  `django-ca>=1.18.0`.
  * The format for the `CA_PROFILES` setting has changed in [1.14.0]( Support for the old format will be removed in `django-ca==1.17.0`. Please see the [migration instructions]( for what to change.


* Add support for Django 3.0.
  * The docker image is now based on Alpine Linux 3.11.
  * The default project now supports configuring django-ca using YAML configuration files. Configuration using `` is now deprecated and will be removed in `django-ca>=1.18.0`.
  * Start supporting Celery tasks to allow running tasks in a distributed, asynchronous task queue. Some tasks will automatically be run with Celery if it is enabled. Celery is used automatically if installed, but can always be disabled by setting `CA_USE_CELERY=False`.
  * Drop dependency `six` (since we no longer support Python 2.7).
  * Allow caching of CRLs via ` cache_crls`.
  * The ` init_ca` command will now automatically cache CRLs and generate OCSP keys for the new CA.
  * Support `POSTGRES_*` and `MYSQL_*` environment variables to configure database access credentials in the same way as the Docker images for PostgreSQL and MySQL do.
  * There now are [setuptools extras]( for `redis` and `celery`, so you can install all required dependencies at once.
  * Add `CA_PASSWORDS` setting to allow you to set the passwords for CAs with encrypted private keys. This is required for automated tasks where the private key is required.
  * Add `CA_CRL_PROFILES` setting to configure automatically generated CRLs. Note that this setting will likely be moved to a more general setting for automatic tasks in future releases.
  * `django_ca.extensions.AuthorityKeyIdentifier` now also supports issuers and serials.
  * `django_ca.utils.parse_general_name()` now returns a `cryptography.x509.GeneralName` unchanged, but throws an error if the name isn't a `str` otherwise.
  * New class `django_ca.utils.GeneralNameList` for extensions that store a list of general names.
  * Add support for the `django_ca.extensions.FreshestCRL` extension.
  * Store CA private keys in the `ca/` subdirectory by default, the directory can be configured using ` init_ca --path=...`.
  Backwards incompatible changes
  * Drop support for Python 2.7.
  * Drop support for cryptography 2.5 and 2.6.
  * Drop support for Alpine 3.8 (because PostgreSQL and MySQL depend on libressl).
  * Removed the ` migrate_ca` command. If you upgrade from before [1.12.0](, upgrade to [1.14.0]( first and [update file storage](
  * Removed the `ca_crl` setting in `django_ca.views.CertificateRevocationListView`, use `scope` instead.
  * Add a [docker-compose.yml]( file to quickly launch a complete service stack.
  * Add support for Celery, MySQL, PostgreSQL and Redis.
  * Change the working directory to `/usr/src/django-ca/ca`, so can now be invoked using `python` instead of `python ca/`.
  * Add a Celery startup script (`./`).
  * Add a nginx configuration template at `nginx/default.template`.
  * Static files are now included in a "collected" form, so they don't have to collected on startup.
  * Generate OCSP keys and cache CRLs on startup.
  * Use [BuildKit]( to massively speed up the Docker image build.
  * Fix generation of CRLs and OCSP keys for CAs with a DSA private key.
  * Fix storing an empty list of CRL URLs in some corner cases (when the function receives an empty list).
  * Fix naming CAs via serial on the command line if the serial starts with a zero.
  * Consistently style serials in a monospace font in admin interface.
  * The `ocsp` profile used for OCSP keys no longer copies the CommonName (which is the same as in the CA) to to the SubjectAlternativeName extension. The CommonName is frequently a human-readable name in CAs.
  Deprecation notices
  * This is the last release to support Django 1.11 and 2.1.
  * The Django project included in this git repository will stop loading `` files in `django-ca>=1.18.0`.
  * `Certificate.objects.init()` and `django_ca.profiles.get_cert_profile_kwargs` were deprecated in [1.14.0]( and will be removed in `django-ca==1.16.0`. Use `Certificate.objects.create_cert()` instead.
  * The format for the `CA_PROFILES` setting has changed in [1.14.0]( Support for the old format will be removed in `django-ca==1.17.0`. Please see the [migration instructions]( for what to change.


* `regenerate_ocsp_keys` now has a quiet mode and only generates keys where the CA private key is available.
  * Minor changes to make the release compatible with Django 3.0a1.
  * Introduce a new, more flexible format for the The format of the [CA_PROFILES]( setting. The new [Profiles]( page provides more information and [migration instructions](
  * New dependency: [six](, since Django 3.0 no longer includes it.
  * New dependency: [asn1crypto](, since cryptography no longer depends on it.
  * Serials are now zero-padded when output so that the last element always consists of two characters.
  * More consistently output serials with colons, use a monospace font in the admin interface.
  * Fix profile selection in the admin interface.
  * Fix display of values from CSR in the admin interface.
  * Add a copy-button next to values from the CSR to enable easy copy/paste from the CSR.
  * Test suite now includes Selenium tests for all JavaScript functionality.
  * ` coverage` can now output a text summary using `--format=text`.
  Backwards incompatible changes
  * Drop support for cryptography 2.3 and 2.4.
  * Drop support for idna 2.7.
  * Extensions now always expect a dict or a cryptography extension as a value.  Anything else was unused in practice.
  * [KeyUsage](, [ExtendedKeyUsage]( and [TLSFeature]( now behave like an ordered set and support all operators that a set does.
  * Running an OCSP responder using `oscrypto`/`ocspbuilder` is no longer supported.
  * [KeyUsage]( is now marked as critical by default.
  * [ExtendedKeyUsage]( now supports the `anyExtendedKeyUsage` OID.
  Deprecation notices
  * This is the last release to support Python 2.7.
  * This is the last release to support cryptography 2.5 and 2.6.
  * This is the last release to be tested with Alpine 3.7.
  * This is the last release to support [updating CA private keys to the Filestorage API]( `python migrate_ca` will be removed in the next release.
  * This will be the last release to support the `ca_crl` setting in [CertificateRevocationListView](
  * [Certificate.objects.init()]( has been deprecated in favor of [Certificate.objects.create_cert()]( The old method will be removed in `django-ca==1.16`.
  * [get_cert_profile_kwargs()]( was only used by [init()]( and will  thus also be removed in `django-ca==1.16`.
  * The old format for `CA_PROFILES` will be supported until `django-ca==1.16`. Please see [Update from django-ca<=1.13]( for migration instructions.


* Add support for cryptography 2.7.
  * Moved ` recreate_fixtures` to ``.
  * Moved all other extra `` commands to `` to remove clutter.
  * Move `fab init_demo` to ` init-demo`.
  * Use OpenSSL instead of LibreSSL in Dockerfile to enable testing for Alpine 3.7. The cryptography  documentation also [suggests]( OpenSSL.
  * The Fabric file has been removed.
  * Remove the `CA_PROVIDE_GENERIC_CRL` setting, the default URL configuration now includes it.
  * The docker image is now based on Alpine Linux 3.10.
  * **BACKWARDS INCOMPATIBLE:** Drop support for cryptography 2.2.
  * **BACKWARDS INCOMPATIBLE:** Drop support for idna 2.6.
  Deprecation Notices
  * This is the last release to support cryptography 2.3 and 2.4.
  * This is the last release to support idna 2.7.
  * This is the last release to support OCSP using `oscrypto`/`ocspbuilder`.
  * `CertificateRevocationListView.ca_cr` is deprecated in favor of the `scope` parameter. If you have set `ca_crl=True` just set `scope="ca"` instead.
  * A new more extendable format for the [CA_PROFILES]( setting will be introduced in 1.14.0. As a result, extensions will no longer support instantiation from lists or strings, so avoid usage whereever you can.
  * Implement the [CRLDistributionPoints]( extension and [CertificatePolicies]( extension.
  * Add the `ipsecEndSystem`, `ipsecTunnel` and `ipsecUser` extended key usage types. These are actually very rare and only occur in the "TrustID Server A52" CA.
  * Extensions now consistently serialize to dictionaries.
  Command-line interface
  * The `view_ca` command will now display the full path to the private key, if possible.
  * The `migrate_ca` command now has a `--dry` parameter and has a updated help texts.
  * The new `regenerate_ocsp_keys` command allows you to automatically generate OCSP keys that are used by the new default OCSP views.
  Python API
  * Add the `root` property to CAs and certificates returning the root Certificate Authority.
  * [sign_cert()]( now also accepts a [CertificateSigningRequest]( as `csr` value.
  * Add the `issuer_url`, `crl_url`, `ocsp_url` and `issuer_alternative_name` parameter to [sign_cert()]( to allow overriding or disabling the default values from the CA. This can also be used to pass extensions that do not just contain the URL using the `extra_extensions` parameter.
  * Add the [get_crl()]( function to get a CRL for the CA.
  * Add the [generate_ocsp_key()]( function to generate OCSP keys
  that are automatically picked up by the generic OCSP views.
  * Both [CertificateAuthority]( and [Certificate]( now have a `root` property pointing to the Root CA.
  * The [CA_DEFAULT_HOSTNAME]( setting is now used to set generic OCSP urls by default.
  * The `dump_ocsp_index` management command now excludes certificates expired for more then a day or are not yet valid.
  * Issued CRLs now confirm to [RFC 5280](
  * Add the [CRL Number]( extension.
  * Add the [Authority Key Identifier]( extension.
  * Add the [Issuing Distribution Point]( extension. This extension requires that you use `cryptography>=2.5`.
  * Add support for setting an Invalidity Date (see [RFC 5280, 5.3.2]( for CRLs, indicating when the certificate was compromised.
  * CRL entries will no longer include a [Reason Code]( if the reason is unspecified (recommended in RFC 5280).
  * Expose an API for creating CRLs via [CertificateAuthority.get_crl()](


* Fix traceback when a certificate that does not exist is viewed in the admin interface.
  * Add support cryptography 2.5 and 2.6.
  * Start using [Django storage backends]( for files used by django-ca. This allows you to store files on a shared storage system (e.g. one from [django-storages]( to support a redundant setup.
  * Add support for `PrecertPoison` and `OCSPNoCheck` extensions.
  * Implement the `PrecertificateSignedCertificateTimestamps` extension, currently can only be used for reading existing certificates.
  * Optimize PrecertificateSignedCertificateTimestamps in Django admin view.
  * Make sure that all extensions are always hashable.
  * Switch Docker image to [Alpine Linux 3.9](>).
  * **BACKWARDS INCOMPATIBLE:** Drop support for Python 3.4.
  * **BACKWARDS INCOMPATIBLE:** Drop support for Django 2.0.
  * **BACKWARDS INCOMPATIBLE:** Drop support for cryptography 2.1.
  * **DEPRECATION NOTICE:** This is the last release to support cryptography 2.2.
  * **DEPRECATION NOTICE:** This is the last release to support idna 2.6.
  Django File storage API
  **django-ca** now uses the [File storage API]( to store CA private keys as well as files configured for OCSP views. This allows you to use different storage backends (e.g. from [django-storages]( to store files on a filesystem shared between different servers, e.g. to provide a redundant setup.
  **NOTE:** The switch does require some manual intervention when upgrading. The old way of storing files is still supported and will continue to work until version 1.14. Please see the [upgrade notes]( for information on how to upgrade.
  * Use file storage API for reading/writing private keys of CAs.
  * Use file storage API for reading the responder key and certificate for OCSP.
  * New settings [CA_FILE_STORAGE]( and [CA_FILE_STORAGE_KWARGS]( to configure file storage.
  * Reimplement OCSP using cryptography, used only if `cryptography>=2.4` is installed.
  * `django_ca.views.OCSPBaseView.responder_key` may now also be a relative path to be used with the Django storage system.
  * `django_ca.views.OCSPBaseView.responder_cert` may now also be a relative path to be used with the Django storage system.
  * `django_ca.views.OCSPBaseView.responder_cert` may now also be a pre-loaded certificate. If you still use `cryptography<2.4` use a `oscrypto.asymmetric.Certificate`, for newer versions you must use a `cryptography.x509.Certificate`.
  * Fix log output string interpolation issue in OCSP responder.


* Remove colons from CA private keys (fixes 29).
  * Filenames for downloading certificates are based on the CommonName (fixes 53).
  * Fix certificate bundle order (fixes 55).
  * Management commands `dump_ca` and `dump_cert` can now dump whole certificate bundles.
  * New setting [CA_DEFAULT_KEY_SIZE]( to configure the default key size for new CAs.
  * Fix display of the NameConstraints extension in the admin interface.
  * Further optimize the Docker image size (~235MB -> ~140MB).
  Deprecation Notices
  This release will be the last release to support some software versions:
  * This will be the last release that supports for Python 3.4 (see [Status of Python branches](
  * This will be the last release that supports for Django 2.0 (see [Supported Versions](
  * This will be the last release that supports cryptography 2.1.
  Python API
  * **BACKWARDS INCOMPATIBLE:** Renamed the `subjectAltName` parameter of [Certificate.objects.init()]( to `subject_alternative_name` to be consistent with other extensions.
  * Document how to use the `name_constraints` parameter in [CertificateAuthority.objects.init()](
  * Extensions can now always be passed as [django_ca.extensions.Extension]( subclass or as any value accepted by the constructor of the specific class.
  * Add ability to add any custom additional extension using the `extra_extensions` parameter.
  * [django_ca.subject.Subject]( now implements every `dict` method.
  * The [pre_issue_cert]( signal will now receive normalized values.
  * The [pre_issue_cert]( signal is only invoked after all parameters are verified.
  * Implement the [AuthorityInformationAccess](, [BasicConstraints](, [IssuerAlternativeName](, [SubjectAlternativeName]( and [NameConstraints]( extensions.
  * Add cryptography 2.4.2 to the test-suite.
  * Add the `docker_test` command to test the image using various alpine-based images.
  * Test for certificates that are not yet valid.
  * The child CA used for testing now contains more extensions.
  * Freeze time in some test cases to avoid test failures when certificates eventually expire.
  * Test some documentation pages, to make sure they are actually correct.


* New dependency: [django-object-actions](
  * Add ability to resign existing certificates.
  * Management command `list_cas` now optionally supports a tree view.
  * Use more consistent naming for extensions throughout the code and documentation.
  * Renamed the `--tls-features` option of the `sign_cert` command to `--tls-feature`, in line with the actual name of the extension.
  * Allow the `TLSFeature` extension in profiles.
  * Add link in the admin interface to easily download certificate bundles.
  * Support ECC private keys for new Certificate Authorities.
  * Store CA private keys in the more secure [PKCS8 format](
  * The Certificate change view now has a second "Revoke" button as object action next to the "History" button.
  Python API
  * Add the [Python API]( as a fully supported interface to **django-ca**.
  * New module [django_ca.extensions]( to allow easy and consistent handling of X509 extensions.
  * Fully document various member attributes of [CertificateAuthority]( and [Certificate](, as well [Subject]( and as all new Python code.
  * The parameters for functions in [CertificateManager]( and [CertificateAuthorityManager]( were cleaned up for consistent naming and so that a user no longer needs to use classes from the cryptography libary. Parameters are now optional if default settings exist.
  * Variable names have been renamed to be more consistent to make the code more readable.
  * Also test with Python 3.7.0.
  * Add configuration for [tox](
  * Speed up test-suite by using [force_login()]( and [PASSWORD_HASHERS](
  * Load keys and certs in for every testcase instead for every class, improving testcase isolation.
  * Add two certificates that include all and no extensions at all respectively to be able to test edge cases more consistently and thoroughly.
  * Add function `cmd_e2e` to call `` scripts in a way that arguments are passed by argparse as if they where called from the command-line. This allows more complete testing including parsing commandline arguments.
  * Error on any warnings coming from django-ca when running the test-suite.

1.9.0 not secure

* Allow the creation of Certificates with multiple OUs in their subject (command-line only).
  * Fix issues with handling CAs with a password on the command-line.
  * Fix handling of certificates with no CommonName and/or no x509 extensions.
  * Add support for displaying Signed Certificate Timestamps (SCT) Lists, as described in [RFC 6962, section 3.3](
  * Add limited support for displaying Certificate Policies, as described in [RFC 5280, section 4.2.14]( and [RFC 3647](
  * Correctly display extensions with an OID unknown to django-ca or even cryptography.
  * Properly escape x509 extensions to prevent any injection attacks.
  * Django 2.1 is now fully supported.
  * Fix example command to generate a CSR (had a stray '/').
  * Run test-suite with template debugging enabled to catch silently skipped template errors.
  * Base the Docker image on `python:3-alpine` (instead of `python:3`), yielding a much smaller image (~965MB -> ~235MB).
  * Run complete test-suite in a separate build stage when building the image.
  * Provide `uwsgi.ini` for fast deployments with the uwsgi protocol.
  * Add support for passing additional parameters to uWSGI using the `DJANGO_CA_UWSGI_PARAMS` environment variable.
  * Create user/group with a predefined uid/gid of 9000 to allow better sharing of containers.
  * Add `/usr/share/django-ca/` as named volume, allowing a setup where an external webserver serves static files.
  * Add documentation on how to run the container in combination with an external webserver.
  * Add documentation on how to run the container as a different uid/gid.


NOTE: This version was actually released on 2018-07-08, but the GitHub release was omitted.
  * Add [Django signals]( to important events to let users add custom actions (such as email notifications etc.) to those events (fixes 39).
  * Provide a Docker container for fast deployment of django-ca.
  * Add the `CA_CUSTOM_APPS` setting to let users that use django-ca as a standalone project add custom apps, e.g. to register signals.
  * Make the otherName extension actually usable and tested (see 47)
  * Add the `smartcardLogon` and `msKDC` extended key usage types. They are needed for some AD and OpenLDAP improvements (see 46)
  * Improve compatibility with newer `idna` versions (".com" now also throws an error).
  * Drop support for Django 1.8 and Django 1.10.
  * Improve support for yet-to-be-released Django 2.1.
  * Fix admin view of certificates with no subjectAltName.

1.7.0 not secure

* Django 2.0 is now fully supported. This release still supports Django 1.8, 1.10 and 1.11.
  * Add support for the [tlsFeature extension](
  * Do sanity checks on the "pathlen" attribute when creating Certificate Authorities.
  * Add sanity checks when creating CAs:
  * When creating an intermediate CA, check the `pathlen` attribute of the parent CA to make sure that the resulting CA is not invalid.
  * Refuse to add a CRL or OCSP service to root CAs. These attributes are not meaningful there.
  * Massively update [documentation for the command-line interface](
  * CAs can now be identified using name or serial (previously: only by serial) in `CA_OCSP_URL`.
  * Make `fab init_demo` a lot more useful by signing certificates with the client CA and include CRL
  and OCSP links.
  * Run `fab init_demo` and documentation generation through Travis-CI.
  * Always display all extensions in the django admin interface.
  * NameConstraints are now delimited using a `,` instead of a `;`, for consistency with other
  parameters and so no bash special character is used.
  * Check for permissions when downloading certificates from the admin interface. Previously, users without admin interface access but without permissions to access certificates, where able to guess the URL and download public keys.
  * Add a missing migration.
  * Fix the value of the crlDistributionPoints x509 extension when signing certificates with Python2.
  * The `Content-Type` header of CRL responses now defaults to the correct value regardless of type (DER or PEM) used.
  * If a wrong CA is specified in `CA_OCSP_URLS`, an OCSP internal error is returned instead of an uncought exception.
  * Fix some edge cases for serial conversion in Python2. Some serials where converted with an "L" prefix in Python 2, because `hex(0L)` returns `"0x0L"`.

1.6.3 not secure

* Fix various operations when `USE_TZ` is `True`.
  * CA keys are no longer stored with colons in their filename, fixing `init_ca` under Windows.
  * Email addresses are now independently validated by `validate_email`. cryptography 2.1 no longer
  validates email addresses itself.
  * Require `cryptography>=2.1`. Older versions should not be broken, but the output changes
  breaking doctests, meaning they're no longer tested either.

1.6.2 not secure

* No longer require a strict cryptography version but only `>=1.8`. The previously pinned version is incompatible with Python 3.5.
  * Update requirements files to newest versions.
  * Update imports to `django.urls.reverse` so they are compatible with Django 2.0 and 1.8.
  * Make sure that ` check` exit status is not ignored for ` code_quality`.
  * Conform to new sorting restrictions for `isort`.

1.6.1 not secure

* Fix signing of wildcard certificates (thanks [RedNixon](
  * Add new management commands `import_ca` and `import_cert` so users can import existing CAs and certificates (23).

1.6.0 not secure

New features and improvements
  * Support CSRs in DER format when signing a certificate via ` sign_cert`.
  * Support encrypting private keys of CAs with a password.
  * Support Django 1.11.
  * Allow creating CRLs of disabled CAs via ` dump_crl`.
  * Validate DNSNames when parsing general names. This means that signing a certificate with CommonName that is not a valid domain name fails if it should also be added as subjectAltName (see `--cn-in-san` option).
  * When configuring `django_ca.views.OCSPView`, the responder key and certificate are verified during configuration. An erroneous configuration thus throws an error on startup, not during runtime.
  * The testsuite now tests certificate signatures itself via `pyOpenSSL`,  so an independent library is used for verification.
  * Fix the `authorityKeyIdentifier` extension when signing certificates with an intermediate CA.
  * Fix creation of intermediate CAs.

1.5.1 not secure

* Increase minimum field length of serial and common name fields.
  * Tests now call full_clean() for created models. SQLite (which is used for testing) does not enforce the
  `max_length` parameter.

1.5.0 not secure

- Completely remove pyOpenSSL and consistently use [cryptography](
  - Due to the transitition to cryptography, some features have been removed:
  - The `tlsfeature` extension is no longer supported. It will be again once cryptography adds support.
  - The `msCodeInd`, `msCodeCom`, `msCTLSign`, `msEFS` values for the ExtendedKeyUsage extension are
  no longer supported. Support for these was largely academic anyway, so they most likely will not be added
  - `TEXT` is no longer a supported output format for dumping certificates.
  - The `keyUsage` extension is now marked as critical for certificate authorities.
  - Add the `privilegeWithdrawn` and `aACompromise` attributes for revocation lists.

1.4.1 not secure

- Update requirements.
  - Use [Travis CI]( for continuous integration. **django-ca** is now tested
  with Python 2.7, 3.4, 3.5, 3.6 and nightly, using Django 1.8, 1.9 and 1.10.
  - Fix a few test errors for Django 1.8.
  - Examples now consistently use 4096 bit certificates.
  - Some functionality is now migrated to `cryptography` in the ongoing process to deprecate
  pyOpenSSL (which is no longer maintained).
  - OCSPView now supports directly passing the public key as bytes. As a consequence, a bad
  certificate is now only detected at runtime.

1.4.0 not secure

- Make sure that Child CAs never expire after their parents. If the user specifies an expiry after that of the parent, it is silently changed to the parents expiry.
  - Make sure that certificates never expire after their CAs. If the user specifies an expiry after that of the parent, throw an error.
  - Rename the `--days` parameter of the `sign_cert` command to `--expires` to match what we use for `init_ca`.
  - Improve help-output of `--init-ca` and `--sign-cert` by further grouping arguments into argument groups.
  - Add ability to add CRL-, OCSP- and Issuer-URLs when creating CAs using the `--ca-*` options.
  - Add support for the `nameConstraints` X509 extension when creating CAs. The option to the `init_ca` command is `--name-constraint` and can be given multiple times to indicate multiple constraints.
  - Add support for the `tlsfeature` extension, a.k.a. "TLS Must Staple". Since OpenSSL 1.1 is required for this extension, support is currently totally untested.

1.3.0 not secure

- Add links for downloading the certificate in PEM/ASN format in the admin interface.
  - Add an extra chapter in documentation on how to create intermediate CAs.
  - Correctly set the issuer field when generating intermediate CAs.
  - `fab init_demo` now actually creates an intermediate CA.
  - Fix help text for the `--parent` parameter for`` init_ca`

1.2.0 not secure

- django-ca now provides a complete OCSP responder.
  - Various tests are now run with a pre-computed CA, making tests much faster and output more predictable.
  - Update lots of documentation.

1.1.0 not secure

- The subject given in the ` init_ca` and ` sign_cert` is now given in the
  same form that is frequently used by OpenSSL, "/C=AT/L=...".
  - On the command line, both CAs and certificates can now be named either by their CommonName or
  with their serial. The serial can be given with only the first few letters as long as it's
  unique, as it is matched as long as the serial starts with the given serial.
  - Expiry time of CRLs can now be specified in seconds. ` dump_crl` now uses the
  `--expires` instead of the old `--days` parameter.
  - The admin interface now accounts for cases where some or all CAs are not useable because the
  private key is not accessable. Such a scenario might occur if the private keys are hosted on a
  different machine.
  - The app now provides a generic view to generate CRLs. See [Use generic view to host a CRL]( for more information.
  - Fix the display of the default value of the --ca args.
  - Move this ChangeLog from a top-level .md file [here](
  - Fix shell example when issueing certificates.