3.0.0 (2026-04-05)

Please see the official ChangeLog for release notes.

2.5.0 (2025-12-31)

Please see the official ChangeLog for release notes.

2.4.0 (2025-09-28)

Please see the official ChangeLog for release notes.

2.3.0 (2025-07-13)

Please see the official ChangeLog for release notes.

2.2.1 (2025-03-02)

• Python API: When signing certificates via a profile, the caller may pass unrecognized
  extensions via the allow_unrecognized_extensions flag.

2.2.0 (2025-02-15)

NOTE: This release is ahead of schedule due to customer requirements in downstream plugins.

• Key backends now support signing arbitrary data. This functionality is not used by django-ca itself, but may be used by plugins.
• Optimize number of database queries in performance-sensitive views (OCSP, CRLs, ACMEv2).
• Fix error for OCSP queries for intermediate CAs.
• Add support for storing/importing Ed25519 and Ed448 keys into HSMs.

Command-line utilities

• Drop support for old OpenSSL-style subject formats in manage.py init_ca, manage.py sign_cert and manage.py resign_cert (default switched in 2.0.0, deprecated since 1.27.0). Use RFC 4514 subjects instead.

Settings

• Dropped support for the old subject format in CA_DEFAULT_SUBJECT and subjects in profiles (deprecated since 1.29.0).
• Project-level configuration now allows you to append to the projects URL configuration via EXTEND_URL_PATTERNS and EXTEND_INSTALLED_APPS. The latter replaces CA_CUSTOM_APPS, which is deprecated and will be removed in django-ca==2.5.0.

Dependencies

• Add support for acme~=3.1.0 and acme~=3.2.0.
• BACKWARDS INCOMPATIBLE: Dropped support for django~=5.0.0, cryptography~=43.0, acme~=2.11.0 and pydantic~=2.9.0.
• BACKWARDS INCOMPATIBLE: Dropped support for Alpine 3.18.

Python API

• django_ca.utils.get_storage() was removed (deprecated since 2.0).
• Key backends now expose sign_data() to sign arbitrary data.

Deprecation notices

• CA_CUSTOM_APPS, a project-level configuration variable, is deprecated and will be removed in django-ca==2.5.0.
• This will be the last release to support Debian 11 (Bullseye) and Alpine 3.19.
• This will be the last release to support josepy~=1.15.0, acme~=3.0.0 and acme~=3.1.0.
• django_ca.extensions.parse_extension() is deprecated and will be removed in django-ca==2.3.0. Use Pydantic models instead.
• Functions related to the old OpenSSL style subject format are deprecated and will be removed in django_ca==2.3.0:
  • django_ca.utils.parse_name_x509()
  • django_ca.utils.parse_serialized_name_attributes()
  • django_ca.utils.serialize_name()
  • django_ca.utils.split_str()
  • django_ca.utils.x509_name()

2.1.1 (2025-01-05)

• Security: No longer allow clients to update other accounts.
• Fix celery startup script so that the directory containing the secret key is created correctly.

2.1.0 (2024-12-26)

Docker image

• The main Docker image is now based off Debian instead of Alpine. The Alpine image is still provided with the -alpine suffix (e.g. mathiasertl/django-ca:2.1.0-alpine).
• Include the hsm and mysql extras in the image.
• The Alpine image is now based on Alpine 3.21.

Certificate Revocation Lists

• Certificate Revocation Lists (CRLs) are now stored in the database via the CertificateRevocationList model. This makes CRLs more robust, as clearing the cache will no longer cause an error.

OCSP responder keys

• Private keys for OCSP responders are now stored using configurable backends, just like private keys for certificate authorities. See OCSP key backends for more information.
• Add a HSM OCSP key backend to allow storing OCSP keys in a HSM (Hardware Security Module).
• Add a Database OCSP key backend to allow storing OCSP keys in the database.

Key backends

• Add a Database backend to allow storing private keys in the database. This backend makes the private key accessible to any frontend-facing web server and is thus less secure then other backends, but is an option if your environment has no file system available.
• Remove the get_ocsp_key_size() and get_ocsp_key_elliptic_curve() from the core key backend interface, as they are now handled by OCSP key backends

Command-line utilities

• Add the -only-some-reasonsparameter to manage.py dump_crl.
• The --scope parameter to manage.py dump_crl is deprecated and will be removed in django-ca 2.3.0. Use --only-contains-ca-certs, --only-contains-user-certs or --only-contains-attribute-certs instead.
• BACKWARDS INCOMPATIBLE: The --algorithm parameter to manage.py dump_crl no longer has any effect and will be removed in django-ca 2.3.0.

REST API

• When requesting a new certificate, validate the submitted CSR before relaying the order to the backend (fixes #15).
• Support for the Admissions extension when cryptography>=44 is used.

Settings

• The encodings parameter to CA_CRL_PROFILES was removed. Both encodings are now always available.
• The scope parameter to CA_CRL_PROFILES is now deprecated in favor of the only_contains_ca_certs, only_contains_user_certs and only_some_reasons parameters. The old parameter currently still takes precedence, but will be removed in django-ca 2.3.0.

Dependencies

• Add support for Python 3.13, cryptography~=44.0, pydantic~=2.10.0 and acme~=3.0.0.
• BACKWARDS INCOMPATIBLE: Dropped support for pydantic~=2.7.0, pydantic~=2.8.0, cryptography~=42.0 and acme~=2.10.0.

Python API

• Functions that create a certificate now take a not_after parameter, replacing expires. The expires parameter is deprecated and will be removed in django-ca 2.3.0. The following functions are affected:

  • django_ca.models.CertificateAuthority.sign()
  • django_ca.models.CertificateAuthority.generate_ocsp_key()
  • django_ca.managers.CertificateAuthorityManager.init()
  • django_ca.managers.CertificateManager.create_cert()
  • django_ca.profiles.Profile.create_cert()

• get_crl_cache_key() added the only_contains_ca_certs, only_contains_user_certs, only_contains_attribute_certs and only_some_reasons arguments.

• BACKWARDS INCOMPATIBLE: The scope argument for get_crl_cache_key() was removed. Use the parameters described above instead.

Database models

• Rename the valid_from to not_before and expires to not_after to align with the terminology used in RFC 5280. The previous read-only property was removed.
• Add the CertificateRevocationList model to store generated CRLs.
• django_ca.models.CertificateAuthority.get_crl_certs() and django_ca.models.CertificateAuthority.get_crl() are deprecated and will be removed in django-ca 2.3.0.
• BACKWARDS INCOMPATIBLE: The algorithm, counter, full_name, relative_name and include_issuing_distribution_point parameters for django_ca.models.CertificateAuthority.get_crl() no longer have any effect.

Views

• The CertificateRevocationListView has numerous updates:

  • BACKWARDS INCOMPATIBLE: The password parameter was removed. Use the CA_PASSWORDS setting instead (deprecated since django-ca 1.29.0).
  • The expires parameter now has a default of 86400 (from 600) to align with defaults elsewhere.
  • The scope parameter is deprecated and will be removed in django-ca 2.3.0. Use only_contains_ca_certs and only_contains_user_certs instead.
  • The include_issuing_distribution_point no longer has any effect and will be removed in django-ca 2.3.0.

Deprecation notices

Please also see the deprecation timeline for previous deprecation notices.

• This will be the last release to support django~=5.0.0, cryptography~=43.0, pydantic~=2.9.0 and acme~=2.9.0.
• This will be the last release to support Ubuntu 20.04 and Alpine 3.18.
• Support for Python 3.9 and django~=4.2.0 will be dropped in django-ca==2.3.0.

2.0.0 (2024-09-29)

General

• Add (preliminary) support for storing private keys in a hardware security module (HSM). See Key backends for more information.

Command-line utilities

• Subjects are now parsed in the RFC 4514 format by default. Subjects in the OpenSSL-style format are still supported via the --subject-format=openssl option, but support for it will be removed in 2.0.0.
• Removed the convert_timestamps command (deprecated since 1.28.0).

Dependencies

• Add support for Django~=5.1.0, cryptography~=43.0 and pydantic~=2.8.0 and pydantic~=2.9.0.
• BACKWARDS INCOMPATIBLE: Dropped support for pydantic<2.7.0, acme~=2.9.0 and Celery~=5.3.0.
• Remove the psycopg3 pip extra, use the postgres extra instead.
• Drop support for Alpine 3.17.

Python API

• django_ca.utils.parse_encoding no longer accepts an already parsed Encoding.

• django_ca.utils.parse_expires() and django_ca.utils.parse_key_curve where removed.

• CertificateAuthorityManager.objects.init() no longer accepts int or timedelta for expires. Pass a timezone-aware object instead.

• django_ca.profiles.Profile no longer accepts unparsed extension values:

  • An int for expires - pass a timedelta instead.
  • A str or iterable of str-tuples for subject - pass a cryptography.x509.Name instead.
  • Deprecated extensions formats in extensions.

  Note that this does not affect configuration in settings, as these values are parsed before passed to this
  class.

• django_ca.profiles.Profile.create_cert no longer accepts int for expires. Pass a timedelta instead.

Docker/Docker Compose

• Update NGINX to 1.26.0.

Deprecation notices

• This will be the last release to support pydantic~=2.7.0, pydantic~=2.8.0, cryptography~=42.0
  and acme~=2.10.0.
• django_ca.utils.get_storage() will be removed in 2.2.0.

1.29.0 (2024-07-01)

See https://django-ca.readthedocs.io/en/latest/changelog/2024-07-01_1.29.0.html for changes.