WARNING
1. **docker compose users:** Update from 1.20 or earlier? See [the update notes](https://django-ca.readthedocs.io/en/1.22.0/update.html#update-121-docker-compose) to switch to named volumes.
2. **Django app or source users:** Changes in cryptography 38 make it incompatible with common versions of certbot. See [Warning: cryptography 38](https://django-ca.readthedocs.io/en/1.22.0/quickstart_as_app.html#cryptography-38-warning).
Changes
* Add support for Python 3.11, Alpine 3.17, Django 4.1, cryptography 38.0 and acme 2.0.
* Support for MD5 and SHA1 hashes is removed, as they are no longer supported in upcoming releases of cryptography.
* New signals [pre_sign_cert](https://django-ca.readthedocs.io/en/1.22.0/signals.html#django_ca.signals.pre_sign_cert) and [post_sign_cert](https://django-ca.readthedocs.io/en/1.22.0/signals.html#django_ca.signals.post_sign_cert) that receive the values as passed to the cryptography library.
* Add the ability to force inclusion/exclusion of the IssuingDistributionPoint extension in CRLs.
* Ensure that CRLs are regenerated periodically before the cache expires.
* Switch to the Djangos `built in Redis cache <https://docs.djangoproject.com/en/4.1/topics/cache/#redis>`_ in the docker compose setup.
Admin interface
* Almost all extensions used in end entity certificates can now be modified when creating new certificates. The following additional extensions are now modifiable: Authority Information Access, CRL Distribution Points, Freshest CRL, Issuer Alternative Name, OCSP No Check and TLS Feature.
**Limitations:**
* The CRL Distribution Points and Freshest CRL extensions can only modify the first distribution point. If the selected profile defines more then one distribution point, they are added after the one from the admin interface.
* The Certificate Policies extension cannot yet be modified. If the selected profile defines this extension, it is still added to the certificate.
* Initial values for the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions are set based on information from the default certificate authority. Values may be masked by the default profile.
* Selecting a certificate authority will automatically update the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions based on the configuration.
* Because the the user can now modify the extensions directly, the `add_*` directives for a profile now have no effect when issuing a certificate through the admin interface.
ACMEv2 support
* Handle clients that do not send the `termsOfService` field during registration.
* Improve error handling when the CSR cannot be parsed.
* An ACME account is now considered usable if it never agreed to the terms of service *and* the certificate authority does not define any terms of service. Certain versions of certbot (at least version 1.31.0) never ask the user to agree to the terms of service if there are none to agree to.
* Allow clients to agree to the terms of service when updating the account.
Minor changes
* The Docker image is now based on `python:3.11-alpine3.17`.
* Access Descriptions in the Authority Information Access extension will now always order OCSP URLs before CA Issuers, inverting the previous behavior. The order of values does not matter in practice.
Backwards incompatible changes
* The docker-compose setup requires at least docker-compose 1.27.0.
* The docker-compose setup now uses Redis 7.
* Drop support for cryptography 35.0.
* Drop support for acme 1.23, 1.24, 1.25 and 1.26.
* Drop support for Celery 5.0.
* Require django-object-actions 4.0 or higher.
* Remove the `--ca-crl` parameter in `manage.py dump_crl` (this was a left over and has been marked as deprecated since 1.12.0).
* Drop `django-redis-cache` from the `redis` extra, as the project is abandoned. Please switch to the [built in redis cache]( https://docs.djangoproject.com/en/4.1/topics/cache/#redis) instead. If you still use Django 3.2, please manually install the backend.
* `ExtendedKeyUsageOID.KERBEROS_CONSTRAINED_DELEGATION` was removed, use the identical `ExtendedKeyUsageOID.KERBEROS_PKINIT_KDC` instead.
Deprecation notices
* This is the last release to support for Python 3.7.
* This is the last release to support Django 4.0.
* This is the last release to support cryptography 36.0.
* This is the last release to support acme 1.27.0, 1.28.0 and 1.29.0, 1.30.0, 1.31.0 and 2.0.0.
* This is the last release to support Alpine 3.14 and 3.15.
* The `acme` extra will be removed in in the next release.
* The `pre_issue_cert` is deprecated and will be removed in `django_ca==1.24.0`. Use the new [pre_sign_cert](https://django-ca.readthedocs.io/en/1.22.0/signals.html#django_ca.signals.pre_sign_cert) signal instead.
* The subject wrapper class `django_ca.subject.Subject` is deprecated and will be removed in `django-ca==1.24.0`.
* Extension wrapper classes in `django_ca.extensions` are deprecated and will be removed in `django_ca==1.24.0`.