pki.models.ca¶

Module that contains the CaModel.

Attributes¶

IssuingCaModel

Classes¶

CaModel

Generic CA Model representing any Certificate Authority.

Module Contents¶

class pki.models.ca.CaModel(*args, **kwargs)[source]¶

Bases: trustpoint.logger.LoggerMixin, util.db.CustomDeleteActionModel

Generic CA Model representing any Certificate Authority.

This unified model can represent two types of CAs: 1. Keyless CAs: CAs where we only have the certificate (no private key).

Used for trust anchors, upstream CAs, certificate chain validation.

Issuing CAs: CAs managed by Trustpoint that can issue certificates.

For keyless CAs: Only ‘certificate’ field is set, ‘credential’ is null, ca_type is KEYLESS. For issuing CAs: ‘credential’ and ‘ca_type’ are set, ‘certificate’ is null.

class CaTypeChoice(*args, **kwds)[source]¶

Bases: django.db.models.IntegerChoices

The CaTypeChoice defines the type of CA.

Depending on the type, different fields are required: - KEYLESS: Only certificate field is set (no private key) - LOCAL issuing types: credential field is set, certificate obtained locally - REMOTE issuing types: credential field is set, certificate requested remotely - REMOTE RA types: no credential/certificate, used for connection to external CAs as Registration Authority

KEYLESS[source]¶

AUTOGEN_ROOT[source]¶

AUTOGEN[source]¶

LOCAL_UNPROTECTED[source]¶

LOCAL_PKCS11[source]¶

REMOTE_EST_RA[source]¶

REMOTE_CMP_RA[source]¶

REMOTE_ISSUING_EST[source]¶

REMOTE_ISSUING_CMP[source]¶

unique_name[source]¶

parent_ca[source]¶

is_active[source]¶

created_at[source]¶

updated_at[source]¶

ca_type[source]¶

certificate[source]¶

credential: django.db.models.OneToOneField[pki.models.credential.CredentialModel | None][source]¶

chain_truststore[source]¶

remote_host[source]¶

remote_port[source]¶

remote_path[source]¶

onboarding_config[source]¶

no_onboarding_config[source]¶

class Meta[source]¶

Meta options for CaModel.

verbose_name[source]¶

verbose_name_plural[source]¶

db_table = 'pki_genericcamodel'[source]¶

ordering: ClassVar[list[str]] = ['unique_name'][source]¶

constraints: ClassVar[list[django.db.models.BaseConstraint]][source]¶

__str__()[source]¶

Returns a human-readable string that represents this CaModel entry.

Returns:: Human-readable string that represents this CaModel entry.
Return type:: str

__repr__()[source]¶

Returns a string representation of the CaModel instance.

Return type:: str

property is_issuing_ca: bool[source]¶

Returns True if this is an issuing CA (can issue certificates).

Return type:: bool

property is_keyless_ca: bool[source]¶

Returns True if this is a keyless CA (certificate only, no private key).

Return type:: bool

property common_name: str[source]¶

Returns common name.

Return type:: str

property subject_public_bytes: bytes[source]¶

Returns the subject public bytes from the CA certificate.

Return type:: bytes

property ca_certificate_model: pki.models.certificate.CertificateModel[source]¶

Returns the CA certificate model for both issuing and keyless CAs.

Return type:: pki.models.certificate.CertificateModel

get_certificate()[source]¶

Returns the CA certificate (crypto object) for both issuing and keyless CAs.

Return type:: cryptography.x509.Certificate

get_credential()[source]¶

Returns the credential for issuing CAs. Raises ValueError for keyless CAs.

Return type:: pki.models.credential.CredentialModel

get_ca_chain_from_truststore()[source]¶

Returns the CA chain from the associated chain_truststore.

This method validates that the chain_truststore contains certificates that correspond to CAs in the hierarchy path, and returns the CA objects in issuing CA to root order.

Returns:: List of CA models from issuing CA to root CA.
Return type:: list[CaModel]
Raises:: ValueError – If the chain_truststore is not properly configured or contains invalid certificates.

property last_crl_issued_at: datetime.datetime | None[source]¶

Returns when the last CRL was issued (from active CRL).

Returns:: The this_update time of the active CRL, or None if no CRL exists.
Return type:: datetime | None

property crl_number: int[source]¶

Returns the current CRL number (from active CRL).

Returns:: The CRL number of the active CRL, or 0 if no CRL exists.
Return type:: int

property crl_pem: str[source]¶

Returns the active CRL in PEM format.

Returns:: The CRL in PEM format, or empty string if no CRL exists.
Return type:: str

clean()[source]¶

Validates that exactly one of certificate or credential is set.

Return type:: None

_clean_remote_non_issuing_ca()[source]¶

Validates remote non-issuing CA fields.

Return type:: None

_clean_remote_issuing_ca()[source]¶

Validates remote issuing CA fields.

Return type:: None

_clean_local_or_keyless_ca()[source]¶

Validates local or keyless CA fields.

Return type:: None

save(*args, **kwargs)[source]¶

Override save to ensure validation.

Parameters:

args (Any)
kwargs (Any)

Return type:

None

classmethod create_keyless_ca(unique_name, certificate_obj, parent_ca=None)[source]¶

Creates a new keyless CA from a certificate.

Parameters:

unique_name (str) – The unique name that will be used to identify the CA.
certificate_obj (cryptography.x509.Certificate) – The CA certificate as cryptography x509.Certificate.
parent_ca (CaModel | None) – Optional parent CA in the hierarchy.

Returns:

The newly created keyless CA.

Return type:

CaModel

Raises:

ValidationError – If the certificate is not a valid CA certificate.

classmethod create_new_issuing_ca(credential_serializer, ca_type=None, unique_name=None, parent_ca=None)[source]¶

Creates a new Issuing CA model.

Parameters:

credential_serializer (trustpoint_core.serializer.CredentialSerializer) – The credential as CredentialSerializer instance. It will be normalized and validated, if it is a valid credential to be used as an Issuing CA.
ca_type (CaModel | None) – The CA type (must be an issuing type, not KEYLESS).
unique_name (str | None) – The unique name for the CA. If not provided, will be auto-generated from certificate common name.
parent_ca (CaModel | None) – Optional parent CA in the hierarchy.

Returns:

The newly created Issuing CA model.

Return type:

CaModel

Raises:

ValidationError – If the certificate is not a valid CA certificate.
ValueError – If the CA type is not supported

_issue_crl(crl_validity_hours=24)[source]¶

Issues a CRL with revoked certificates issued by this CA.

Only issuing CAs can issue CRLs (keyless CAs don’t have private keys).

Parameters:: crl_validity_hours (int) – Hours until the next CRL update (nextUpdate field). Defaults to 24.
Raises:: AttributeError – If called on a keyless CA.
Return type:: None

issue_crl(crl_validity_hours=24)[source]¶

Issues a CRL with revoked certificates issued by this CA.

Parameters:: crl_validity_hours (int) – Hours until the next CRL update (nextUpdate field). Defaults to 24.
Returns:: True if the CRL was successfully issued, False otherwise.
Return type:: bool

property signature_suite: trustpoint_core.oid.SignatureSuite[source]¶

The signature suite for the CA public key certificate.

Return type:: trustpoint_core.oid.SignatureSuite

property public_key_info: trustpoint_core.oid.PublicKeyInfo[source]¶

The public key info for the CA certificate’s public key.

Return type:: trustpoint_core.oid.PublicKeyInfo

get_issued_certificates()[source]¶

Returns certificates issued by this CA, except its own in case of a self-signed CA.

This goes through all active certificates and checks issuance by this CA based on cert.issuer_public_bytes == ca.subject_public_bytes.

Warning

This means that it may inadvertently return certificates that were issued by a different CA with the same subject name.

Returns:: Certificates issued by this CA.
Return type:: QuerySet

import_crl(crl_pem, *, set_active=True)[source]¶

Imports a CRL for this CA.

Parameters:

crl_pem (str) – The CRL in PEM format.
set_active (bool) – If True, this CRL becomes the active one for the CA.

Returns:

The created CRL model.

Return type:

CrlModel

Raises:

ValidationError – If the CRL is invalid or doesn’t match this CA.

get_active_crl()[source]¶

Returns the currently active CRL for this CA.

Returns:: The active CRL or None if no CRL exists.
Return type:: CrlModel | None

get_latest_crl()[source]¶

Returns the most recent CRL for this CA (by this_update).

Returns:: The latest CRL or None if no CRL exists.
Return type:: CrlModel | None

get_crl_as_crypto()[source]¶

Returns the active CRL as a cryptography CertificateRevocationList object.

Returns:: The CRL or None if no active CRL is available.
Return type:: x509.CertificateRevocationList | None

get_hierarchy_depth()[source]¶

Returns the depth of this CA in the hierarchy.

Returns:: The depth (0 for root CA, 1 for intermediate, etc.)
Return type:: int

get_root_ca()[source]¶

Returns the root CA in the hierarchy.

Returns:: The root CA (self if this is already a root CA).
Return type:: CaModel

get_all_child_cas(*, include_self=False)[source]¶

Returns all descendant CAs (children, grandchildren, etc.).

Parameters:: include_self (bool) – If True, includes this CA in the result.
Returns:: All descendant CAs.
Return type:: QuerySet

get_hierarchy_path()[source]¶

Returns the path from root CA to this CA.

Returns:: List of CAs from root to this CA (inclusive).
Return type:: list[CaModel]

is_root_ca()[source]¶

Returns True if this CA has no parent (is a root CA).

Returns:: True if this is a root CA.
Return type:: bool

revoke_all_issued_certificates(reason=RevokedCertificateModel.ReasonCode.UNSPECIFIED)[source]¶

Revokes all certificates issued by this CA.

Parameters:: reason (str)
Return type:: None

pre_delete()[source]¶

Checks for unexpired certificates issued by this CA and child CAs before deleting it.

Raises:: ValidationError – If there are unexpired certificates issued by this CA or if this CA has child CAs.
Return type:: None

post_delete()[source]¶

Deletes the underlying credential or certificate after deleting this CA.

Return type:: None

pki.models.ca.IssuingCaModel[source]¶