Django-ca

Latest version: v1.28.0


Page 2 of 7

1.21.0

WARNING docker-compose users

* Update from 1.18 or earlier? See [the update notes](https://django-ca.readthedocs.io/en/1.21.0/update.html#update-119) or you might lose private keys!
* Update from 1.20 or earlier? See [the update notes](https://django-ca.readthedocs.io/en/1.21.0/update.html#update-121-docker-compose) to switch to named volumes.

Updates

* Add support for cryptography 37.0 and Alpine Linux 3.16.
* Fix issuing certificates with multiple SubjectAlternativeNames (fixes 86).
* Fix overriding the default certificate expiry in profiles (fixes 87).
* Dependencies for ACMEv2 are now non-optional and the `acme` extra is now empty (and will be removed in `django-ca==1.23.0`).
* Implement certificate revocation via ACMEv2.
* The [CA_DEFAULT_SUBJECT](https://django-ca.readthedocs.io/en/1.21.0/settings.html#settings-ca-default-subject) setting should now be a tuple, not a dict. Support for using a `dict` will be removed in `django-ca==1.23.0`.
* Add deployment checks (and document them in the quickstart guides) for configurations that don't use a shared cache subsystem (see also: 85).
* Fix generation of the `SECRET_KEY` setting when using docker and docker-compose.
* Document supported environment variables and improve general settings configuration in [Settings](https://django-ca.readthedocs.io/en/1.21.0/settings.html).
* Switch to named volumes in the docker-compose setup. Please see [Update from 1.20.0 or earlier](https://django-ca.readthedocs.io/en/1.21.0/update.html#update-121) for update instructions.
* Stop testing individual versions of [idna](https://pypi.org/project/idna/). django-ca uses a minimal subset of basic functions that are unlikely to break.

Backwards incompatible changes

* Drop support for Django 2.2.
* Drop support for cryptography 3.3 and 3.4.
* Drop support for Alpine 3.12 and 3.13.

Deprecation notices

* The `acme` extra will be removed in `django-ca==1.23.0`.
* Support for using a dict for the `CA_DEFAULT_SUBJECT` setting will be removed in `django-ca==1.23.0`.
* This is the last release to support cryptography 35.0.
* This is the last release to support Celery 5.0 (5.1+ is of course still supported).
* This is the last release to support acme 1.23, 1.24, 1.25 and 1.26.

1.20.0

**WARNING docker-compose users:** Update from 1.18 or earlier? See [the update notes](https://django-ca.readthedocs.io/en/stable/update.html#update-119) or you might lose private keys!

* Parsing and formatting of names now correctly escapes or quotes special characters.
* `django_ca.utils.shlex_split()` was renamed to `django_ca.utils.split_str`. The old name will be removed in `django_ca==1.22`.
* Require a CommonName when generating a CA instead of implicitly setting the human-readable name if no CommonName was given.
* Add support for cryptography 36.0.0.
* Add support for Alpine 3.15.
* Make log level and message format more easily configurable with [LOG_LEVEL](https://django-ca.readthedocs.io/en/stable/settings.html#settings-log-level), [LIBRARY_LOG_LEVEL](https://django-ca.readthedocs.io/en/stable/settings.html#settings-library-log-level) and [LOG_FORMAT](https://django-ca.readthedocs.io/en/stable/settings.html#settings-log-format).
* Drop `pytz` as dependency (and use `datetime.timezone` directly).
* Add mdlDS and mdlJWS X509 extensions to support [mobile Driver Licence](https://en.wikipedia.org/wiki/Mobile_driver%27s_license).
* Reworked [installation instructions](https://django-ca.readthedocs.io/en/stable/install.html) to link to a set of quickstart guides dedicated to each installation option.
* Add `--bundle` option to `manage.py sign_cert` to allow writing the whole certificate bundle.

ACMEv2 support
==============

ACMEv2 support will be included and enabled by default starting with ``django-ca==1.22``. You will still have
to enable the ACMEv2 interface for each CA that should provide one. The documentation has been updated to
assume that you want to enable ACMEv2 support.

* Add support for updating an account's email address.
* Add support for deactivating ACME accounts.
* Fix issuing certificates if `settings.USE_TZ=True` (fixes 82).
* Fix issuing certificates for root CAs (fixes 83).

Docker and docker-compose
=========================

* Update Docker image to be based on Alpine 3.15.
* Do not expose ports of internal daemons when using docker-compose.

Backwards incompatible changes
==============================

* Drop support for Python 3.6.
* Drop support for Django 3.1.
* Drop support for idna 2.8, 3.0 and 3.1.
* Removed the `manage.py dump_ocsp_index` command.
* Remove the `--csr-format` parameter to `manage.py sign_cert` (deprecated since 1.18.0).
* `django_ca.utils.parse_csr()` has been removed (deprecated since 1.18.0).


Deprecation notices
===================

* This is the last release to support Django 2.2.
* This is the last release to support cryptography 3.3 and 3.4.
* This is the last release to support Alpine 3.12 and 3.13.

1.19.1

* Fix "missing" migration when using django-ca as a standalone app (fixes 79).
* Add support for cryptography 36.0 and Django 4.0.

1.19.0

**WARNING:** docker-compose users: See [the update notes](https://django-ca.readthedocs.io/en/stable/update.html#update-119) or you might lose private keys!

* Implement DNS-01 validation for ACMEv2. Note that ACMEv2 support is still experimental and disabled by default.
* Support rendering distinguished names with any NameOID known to cryptography.
* Support creating certificates with a subject containing a `dnQualifier`, `PC`, `DC`, `title`, `uid` and `serialNumber`.
* Only fetch expected number of bytes when validating ACME challenges via HTTP to prevent DOS attacks.
* Ensure that a certificate's `issuer` always matches the `subject` from the CA that signed it.
* Fix `manage.py regenerate_ocsp_key` with celery enabled.
* Fix parsing of ASN.1 OtherNames from the command line. Previously, `UTF8` strings were not DER encoded.
* Fix ACMEv2 paths in NGINX configuration included in Docker images.
* Include a healthcheck script for uWSGI in the Docker image. Because the image is also shared for the Celery worker, it is not enabled by default, but the docker-compose configuration enables it.
* Add support for creating certificates with Boolean, Null, Integer, UniversalString, IA5String, GeneralizedTime and UTCTime values in the format described in [ASN1_GENERATE_NCONF(3SSL)](https://manpages.debian.org/ASN1_GENERATE_NCONF.3SSL).
* Preliminary support for OpenSSH CAs via `EdDSA` keys.
* The Docker image is now based on `python:3.10-alpine3.14`.
* Add support for Python 3.10.
* Add support for cryptography 35.0.0.
* Add support for idna 3.0, 3.1 and 3.2.

Backwards incompatible changes

* Drop support for cryptography 3.0, 3.1 and 3.2.
* Remove support for configuring absolute paths for manually configured [django_ca.views.OCSPView](https://django-ca.readthedocs.io/en/stable/python/views.html#django_ca.views.OCSPView). This functionality was officially supposed to be removed in django-ca 1.14.0.

Minor non-functional changes

* The whole source code is now type hinted.
* Consistently use f-strings for faster string formatting.
* Documentation is now always generated in nitpicky mode and with warnings turned into errors.
* Remove the now redundant `html-check` target for documentation generation.

Deprecation notices

* This is the last release to support Python 3.6.
* This is the last release to support Django 3.1.
* This is the last release to support `idna<=3.1`.
* The `issuer_name` field in a profile is deprecated and no longer has any effect. The parameter will be removed in django-ca 1.22.

1.18.0

Not secure

* Add support for Django 3.2.
* Prevent auto-completion of the CA password field in the admin interface.
* Improve CSR validation when using the admin interface.
* Check permissions when resigning certificates.
* Require the ``change certificate`` permission when revoking certificates.
* Preselect profile of original certificate when resigning certificates.
* Make sure that operators for OrderedSetExtension always return an instance of the implementing class, not of the base class.
* Certificate bundles now always end with a newline, as normal bundles do.
* Add setuptools extras for ``mysql`` and ``postgres``.
* Add MySQL support for the Docker image.

Backwards incompatible changes
==============================

* Don't load configuration from ``localsettings.py`` (deprecated since ``1.15.0``).
* The ``x509`` property and ``dump_certificate()`` were removed from [CertificateAuthority](https://django-ca.readthedocs.io/en/1.18.0/python/models.html#certificateauthority) and [Certificate](https://django-ca.readthedocs.io/en/1.18.0/python/models.html#certificate):
  * To access a string-encoded PEM use ``obj.pub.pem`` (was: ``obj.x509``).
  * To update an instance with a certificate use [update_certificate](https://django-ca.readthedocs.io/en/1.18.0/python/models.html#django_ca.models.X509CertMixin.update_certificate) (was: ``obj.x509 = ...``).
  * Use ``obj.pub.pem`` or ``obj.pub.der`` to get an encoded certificate (was: ``obj.dump_certificate()``).
* Drop support for Django 3.0.
* Drop support for cryptography 2.8 and 2.9.
* Drop support for Celery 4.3 and 4.4.
* Drop support for idna 2.9.

Python API
==========

* Store certificates and CSRs as bytes to improve access speed.

Linting and continuous integration
==================================

* Use [GitHub Actions](https://github.com/features/actions) instead of Travis.
* Use `pyproject.toml` for all tools that support it.
* Code is now formatted with [black](https://github.com/psf/black).
* Code is now linted using [pylint](https://www.pylint.org/).
* Code is now fully type-hinted and type safe according to [mypy](https://mypy.readthedocs.io/). This requires the upcoming release of cryptography (current: 3.4).
* Documentation is now cleaned with [doc8](https://github.com/PyCQA/doc8).
* Documentation is now spell-checked using [sphinxcontrib.spelling](https://sphinxcontrib-spelling.readthedocs.io/en/latest/index.html).

Deprecation notices
===================

* This is the last release to support cryptography 3.0, 3.1 and 3.2.
* Passing a ``str`` or ``bytes`` to [CertificateManager.objects.create_cert()](https://django-ca.readthedocs.io/en/1.18.0/python/models.html#django_ca.managers.CertificateManager.create_cert) will be removed in django-ca 1.20.0.
* Passing a ``str`` as an algorithm in [CertificateAuthority.get_crl()](https://django-ca.readthedocs.io/en/1.18.0/python/models.html#django_ca.models.CertificateAuthority.get_crl), [django_ca.profiles.Profile.create_cert()](https://django-ca.readthedocs.io/en/1.18.0/python/profiles.html#django_ca.profiles.Profile.create_cert) is deprecated and will no longer work in django-ca 1.20.0. Pass a [HashAlgorithm](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#cryptography.hazmat.primitives.hashes.HashAlgorithm) instance instead.
* [django_ca.utils.parse_csr()](https://django-ca.readthedocs.io/en/1.18.0/python/utils.html#django_ca.utils.parse_csr) is no longer useful and will be removed in django-ca 1.20.0.
* Creating an index for running an OCSP responder with [openssl-ocsp(1SSL)](https://manpages.debian.org/openssl-ocsp(1SSL)) is deprecated and will be removed in django-ca 1.20.0. The man page explicitly states it "is only useful for test and demonstration purposes", and we can solidly run our own responders by now.

1.17.3

Not secure

* Use Alpine 3.13 and Python 3.9 in the Docker image.
* Include templates in installations via pip (fixes 72).


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.