Django-ca

NOTE: This version was actually released on 2018-07-08, but the GitHub release was omitted.

* Add [Django signals](https://django-ca.readthedocs.io/en/latest/signals.html) to important events to let users add custom actions (such as email notifications etc.) to those events (fixes #39).
* Provide a Docker container for fast deployment of django-ca.
* Add the `CA_CUSTOM_APPS` setting to let users that use django-ca as a standalone project add custom apps, e.g. to register signals.
* Make the otherName extension actually usable and tested (see 47)
* Add the `smartcardLogon` and `msKDC` extended key usage types. They are needed for some AD and OpenLDAP improvements (see 46)
* Improve compatibility with newer `idna` versions (".com" now also throws an error).
* Drop support for Django 1.8 and Django 1.10.
* Improve support for yet-to-be-released Django 2.1.
* Fix admin view of certificates with no subjectAltName.

* Django 2.0 is now fully supported. This release still supports Django 1.8, 1.10 and 1.11.
* Add support for the [tlsFeature extension](http://django-ca.readthedocs.io/en/latest/extensions.html#tlsfeature).
* Do sanity checks on the "pathlen" attribute when creating Certificate Authorities.
* Add sanity checks when creating CAs:
* When creating an intermediate CA, check the `pathlen` attribute of the parent CA to make sure that the resulting CA is not invalid.
* Refuse to add a CRL or OCSP service to root CAs. These attributes are not meaningful there.
* Massively update [documentation for the command-line interface](http://django-ca.readthedocs.io/en/latest/cli/intro.html).
* CAs can now be identified using name or serial (previously: only by serial) in `CA_OCSP_URL`.
* Make `fab init_demo` a lot more useful by signing certificates with the client CA and include CRL
and OCSP links.
* Run `fab init_demo` and documentation generation through Travis-CI.
* Always display all extensions in the django admin interface.
* NameConstraints are now delimited using a `,` instead of a `;`, for consistency with other
parameters and so no bash special character is used.

Bugfixes

* Check for permissions when downloading certificates from the admin interface. Previously, users without admin interface access but without permissions to access certificates, where able to guess the URL and download public keys.
* Add a missing migration.
* Fix the value of the crlDistributionPoints x509 extension when signing certificates with Python2.
* The `Content-Type` header of CRL responses now defaults to the correct value regardless of type (DER or PEM) used.
* If a wrong CA is specified in `CA_OCSP_URLS`, an OCSP internal error is returned instead of an uncought exception.
* Fix some edge cases for serial conversion in Python2. Some serials where converted with an "L" prefix in Python 2, because `hex(0L)` returns `"0x0L"`.

* Fix various operations when `USE_TZ` is `True`.
* CA keys are no longer stored with colons in their filename, fixing `init_ca` under Windows.
* Email addresses are now independently validated by `validate_email`. cryptography 2.1 no longer
validates email addresses itself.
* Require `cryptography>=2.1`. Older versions should not be broken, but the output changes
breaking doctests, meaning they're no longer tested either.

* No longer require a strict cryptography version but only `>=1.8`. The previously pinned version is incompatible with Python 3.5.
* Update requirements files to newest versions.
* Update imports to `django.urls.reverse` so they are compatible with Django 2.0 and 1.8.
* Make sure that `manage.py check` exit status is not ignored for `setup.py code_quality`.
* Conform to new sorting restrictions for `isort`.

* Fix signing of wildcard certificates (thanks [RedNixon](https://github.com/mathiasertl/django-ca/pull/25)).
* Add new management commands `import_ca` and `import_cert` so users can import existing CAs and certificates (23).

New features and improvements


* Support CSRs in DER format when signing a certificate via `manage.py sign_cert`.
* Support encrypting private keys of CAs with a password.
* Support Django 1.11.
* Allow creating CRLs of disabled CAs via `manage.py dump_crl`.
* Validate DNSNames when parsing general names. This means that signing a certificate with CommonName that is not a valid domain name fails if it should also be added as subjectAltName (see `--cn-in-san` option).
* When configuring `django_ca.views.OCSPView`, the responder key and certificate are verified during configuration. An erroneous configuration thus throws an error on startup, not during runtime.
* The testsuite now tests certificate signatures itself via `pyOpenSSL`, so an independent library is used for verification.

Bugfixes

* Fix the `authorityKeyIdentifier` extension when signing certificates with an intermediate CA.
* Fix creation of intermediate CAs.