Skip to main content

Django app implementing TLS Authentication - simple client certificate CA inclusive

Project description

* Django-TLSAuth

Django-TLSAuth integrates a minimal certificate authority (CA) and
implements TLS client certificate authentication. It depends on nginx
for handling the TLS authentication part.

** Installation
pip install django_tlsauth
Django-TLSAuth depends on tlsauth which provides minimal tools to
act as a CA. Please follow the "CA and https service install" steps
from to set up your webserver and CA.

After setting up the CA, you should also configure it in django,
put something like this with adjusted paths into your
#+BEGIN_SRC python
from tlsauth import CertAuthority

TLS_SCRUTINIZER=None # supply your own function authorizing automatic signatures
TLS_BLINDSIGN=False # blindly sign incoming CSRs

If you want to enable the admin to the mini-CA add to your
#+BEGIN_SRC python
url(r'^tlsauth/', include('django_tlsauth.urls')),

** tlsauth decorator
Django-TLSAuth provides a simple decorator to guard your entry points:
#+BEGIN_SRC python
from django.http import HttpResponse, HttpResponseRedirect
from django_tlsauth.views import tlsauth

def unauth(request):
return HttpResponseRedirect('/')

@tlsauth(unauth=unauth, groups=['helloworldophobians'])
def hello(request):
return HttpResponse("hello world")

** Managing certs
Django-TLSAuth provides a few default routes to manage the certs and
the CA.

*** /tlsauth/register/
Visitors can register like on a normal site, but when done, they get a
PKCS12 certificate ready to be saved and imported in all
browsers. This is totally automatic and there's no check if the
specified organization is not a privileged one (like "CA admins" in
the above example). This really provides no security, for bots and
scripts it's even easier to use these certs than for normal humans.
Other mechanisms must be deployed to provide meaningful authentication.

*** /tlsauth/certify/
Visitors can submit their Certificate Signing Request (can be easily
generated using from tlsauth), which depending on
configuration either returns automatically a signed certificate (no
meaningful authentication this way, avoid this!), or it gets stored
for later approval by the "CA admins".

*** /tlsauth/cert/
Returns the CA root certificate in PEM format, for import into your browser.

*** /tlsauth/csrs/
Displays a list of incoming CSRs to any certified member of the "CA
admin" group. The certs can be either rejected or signed, in the later
case the resulting certificate is sent to the email address of the

*** /tlsauth/test/
Displays whether you are TLS authenticated and what your distinguished name is.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for django_tlsauth, version 0.1.2
Filename, size File type Python version Upload date Hashes
Filename, size django_tlsauth-0.1.2-py2.7.egg (17.7 kB) File type Egg Python version 2.7 Upload date Hashes View
Filename, size django_tlsauth-0.1.2.tar.gz (7.5 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page