pki.models.ca

Module that contains the CaModel.

Module Contents

pki.models.ca.MIN_CRL_CYCLE_INTERVAL_HOURS = 0.0833[source]
class pki.models.ca.CaModel(*args, **kwargs)[source]

Bases: trustpoint.logger.LoggerMixin, util.db.CustomDeleteActionModel

Generic CA Model representing any Certificate Authority.

This unified model can represent two types of CAs: 1. Keyless CAs: CAs where we only have the certificate (no private key).

Used for trust anchors, upstream CAs, certificate chain validation.

  1. Issuing CAs: CAs managed by Trustpoint that can issue certificates.

For keyless CAs: Only ‘certificate’ field is set, ‘credential’ is null, ca_type is KEYLESS. For issuing CAs: ‘credential’ and ‘ca_type’ are set, ‘certificate’ is null.

class CaTypeChoice(*args, **kwds)[source]

Bases: django.db.models.IntegerChoices

The CaTypeChoice defines the type of CA.

Depending on the type, different fields are required: - KEYLESS: Only certificate field is set (no private key) - LOCAL issuing types: credential field is set, certificate obtained locally - REMOTE issuing types: credential field is set, certificate requested remotely - REMOTE RA types: no credential/certificate, used for connection to external CAs as Registration Authority

KEYLESS[source]
AUTOGEN_ROOT[source]
AUTOGEN[source]
LOCAL_UNPROTECTED[source]
LOCAL_PKCS11[source]
REMOTE_EST_RA[source]
REMOTE_CMP_RA[source]
REMOTE_ISSUING_EST[source]
REMOTE_ISSUING_CMP[source]
unique_name[source]
parent_ca[source]
is_active[source]
created_at[source]
updated_at[source]
ca_type[source]
certificate[source]
credential: django.db.models.OneToOneField[pki.models.credential.CredentialModel | None][source]
chain_truststore[source]
remote_host[source]
remote_port[source]
remote_path[source]
est_username[source]
onboarding_config[source]
no_onboarding_config[source]
crl_cycle_enabled[source]
crl_cycle_interval_hours[source]
crl_validity_hours[source]
last_crl_generation_started_at[source]
auto_crl_on_revocation_enabled[source]
class Meta[source]

Meta options for CaModel.

verbose_name[source]
verbose_name_plural[source]
db_table = 'pki_genericcamodel'[source]
ordering: ClassVar[list[str]] = ['unique_name'][source]
constraints: ClassVar[list[django.db.models.BaseConstraint]][source]
property is_issuing_ca: bool[source]

Returns True if this is an issuing CA (can issue certificates).

Return type:

bool

property is_keyless_ca: bool[source]

Returns True if this is a keyless CA, or a remote RA with a certificate.

Return type:

bool

property common_name: str[source]

Returns common name, or a placeholder if missing.

Return type:

str

property subject_public_bytes: bytes[source]

Returns the subject public bytes from the CA certificate, or b’’ if missing.

Return type:

bytes

property ca_certificate_model: pki.models.certificate.CertificateModel | None[source]

Returns the CA certificate model for both issuing and keyless CAs, or None if missing.

Return type:

pki.models.certificate.CertificateModel | None

get_certificate()[source]

Returns the CA certificate (crypto object) for both issuing and keyless CAs, or None if missing.

Return type:

cryptography.x509.Certificate | None

get_credential()[source]

Returns the credential for issuing CAs, or None if not present.

Return type:

pki.models.credential.CredentialModel | None

get_ca_chain_from_truststore()[source]

Returns the CA chain from the associated chain_truststore.

This method validates that the chain_truststore contains certificates that correspond to CAs in the hierarchy path, and returns the CA objects in issuing CA to root order.

Returns:

List of CA models from issuing CA to root CA.

Return type:

list[CaModel]

Raises:

ValueError – If the chain_truststore is not properly configured or contains invalid certificates.

property last_crl_issued_at: datetime.datetime | None[source]

Returns when the last CRL was issued (from active CRL).

Returns:

The this_update time of the active CRL, or None if no CRL exists.

Return type:

datetime | None

property crl_number: int[source]

Returns the current CRL number (from active CRL).

Returns:

The CRL number of the active CRL, or 0 if no CRL exists.

Return type:

int

property crl_pem: str[source]

Returns the active CRL in PEM format.

Returns:

The CRL in PEM format, or empty string if no CRL exists.

Return type:

str

property next_crl_generation_scheduled_at: datetime.datetime | None[source]

Returns when the next CRL generation is scheduled.

Returns:

The scheduled time for the next CRL generation, or None if not enabled or not scheduled.

Return type:

datetime | None

clean()[source]

Validates that exactly one of certificate or credential is set.

Return type:

None

save(*args, **kwargs)[source]

Override save to ensure validation.

Parameters:
  • args (Any)

  • kwargs (Any)

Return type:

None

classmethod create_keyless_ca(unique_name, certificate_obj, parent_ca=None)[source]

Creates a new keyless CA from a certificate.

Parameters:
  • unique_name (str) – The unique name that will be used to identify the CA.

  • certificate_obj (cryptography.x509.Certificate) – The CA certificate as cryptography x509.Certificate.

  • parent_ca (CaModel | None) – Optional parent CA in the hierarchy.

Returns:

The newly created keyless CA.

Return type:

CaModel

Raises:

ValidationError – If the certificate is not a valid CA certificate.

classmethod create_new_issuing_ca(credential_serializer, ca_type=None, unique_name=None, parent_ca=None)[source]

Creates a new Issuing CA model.

Parameters:
  • credential_serializer (trustpoint_core.serializer.CredentialSerializer) – The credential as CredentialSerializer instance. It will be normalized and validated, if it is a valid credential to be used as an Issuing CA.

  • ca_type (CaModel | None) – The CA type (must be an issuing type, not KEYLESS).

  • unique_name (str | None) – The unique name for the CA. If not provided, will be auto-generated from certificate common name.

  • parent_ca (CaModel | None) – Optional parent CA in the hierarchy.

Returns:

The newly created Issuing CA model.

Return type:

CaModel

Raises:
  • ValidationError – If the certificate is not a valid CA certificate.

  • ValueError – If the CA type is not supported

issue_crl(crl_validity_hours=24)[source]

Issues a CRL with revoked certificates issued by this CA.

Parameters:

crl_validity_hours (int) – Hours until the next CRL update (nextUpdate field). Defaults to 24.

Returns:

True if the CRL was successfully issued, False otherwise.

Return type:

bool

property signature_suite: trustpoint_core.oid.SignatureSuite | None[source]

The signature suite for the CA public key certificate, or None if missing.

Return type:

trustpoint_core.oid.SignatureSuite | None

property public_key_info: trustpoint_core.oid.PublicKeyInfo | None[source]

The public key info for the CA certificate’s public key.

Returns None if the CA doesn’t have a certificate yet (e.g., remote CA pending).

Return type:

trustpoint_core.oid.PublicKeyInfo | None

get_issued_certificates()[source]

Returns certificates issued by this CA, except its own in case of a self-signed CA.

This goes through all active certificates and checks issuance by this CA based on cert.issuer_public_bytes == ca.subject_public_bytes.

Warning

This means that it may inadvertently return certificates that were issued by a different CA with the same subject name.

Returns:

Certificates issued by this CA, or empty queryset for RAs/keyless CAs.

Return type:

QuerySet

import_crl(crl_pem, *, set_active=True)[source]

Imports a CRL for this CA.

Parameters:
  • crl_pem (str) – The CRL in PEM format.

  • set_active (bool) – If True, this CRL becomes the active one for the CA.

Returns:

The created CRL model.

Return type:

CrlModel

Raises:

ValidationError – If the CRL is invalid or doesn’t match this CA.

get_active_crl()[source]

Returns the currently active CRL for this CA.

Returns:

The active CRL or None if no CRL exists.

Return type:

CrlModel | None

get_latest_crl()[source]

Returns the most recent CRL for this CA (by this_update).

Returns:

The latest CRL or None if no CRL exists.

Return type:

CrlModel | None

get_crl_as_crypto()[source]

Returns the active CRL as a cryptography CertificateRevocationList object.

Returns:

The CRL or None if no active CRL is available.

Return type:

x509.CertificateRevocationList | None

schedule_next_crl_generation(*, post_revocation_crl=False)[source]

Schedule the next CRL generation task for this CA using Django-Q2.

Creates a scheduled task in Django-Q2 that will execute at the calculated time. The task will automatically trigger CRL generation without manual intervention.

Parameters:

post_revocation_crl (bool)

Return type:

None

get_hierarchy_depth()[source]

Returns the depth of this CA in the hierarchy.

Returns:

The depth (0 for root CA, 1 for intermediate, etc.)

Return type:

int

get_root_ca()[source]

Returns the root CA in the hierarchy.

Returns:

The root CA (self if this is already a root CA).

Return type:

CaModel

get_all_child_cas(*, include_self=False)[source]

Returns all descendant CAs (children, grandchildren, etc.).

Parameters:

include_self (bool) – If True, includes this CA in the result.

Returns:

All descendant CAs.

Return type:

QuerySet

get_hierarchy_path()[source]

Returns the path from root CA to this CA.

Returns:

List of CAs from root to this CA (inclusive).

Return type:

list[CaModel]

is_root_ca()[source]

Returns True if this CA has no parent (is a root CA).

Returns:

True if this is a root CA.

Return type:

bool

revoke_all_issued_certificates(reason=RevokedCertificateModel.ReasonCode.UNSPECIFIED)[source]

Revokes all certificates issued by this CA.

Parameters:

reason (str)

Return type:

None

pre_delete()[source]

Checks for unexpired certificates issued by this CA and child CAs before deleting it.

Raises:

ValidationError – If there are unexpired certificates issued by this CA or if this CA has child CAs.

Return type:

None

post_delete()[source]

Deletes the underlying credential or certificate after deleting this CA.

Return type:

None

property display_not_valid_after: datetime.datetime | None[source]

Returns the not valid after date for display purposes.

Return type:

datetime.datetime | None