openwisp · nemesifier · Jan 30, 2026 · Jan 11, 2026 · Jan 11, 2026 · Jan 11, 2026
diff --git a/django_x509/base/models.py b/django_x509/base/models.py
@@ -19,12 +19,23 @@
 from .. import settings as app_settings
 
 KEY_LENGTH_CHOICES = (
+    ("256", "256"),
+    ("384", "384"),
+    ("521", "521"),
     ("512", "512"),
     ("1024", "1024"),
     ("2048", "2048"),
     ("4096", "4096"),
 )
 
+KEY_TYPE_CHOICES = (
+    ("rsa", "RSA"),
+    ("ec", "Elliptic Curve"),
+)
+
+RSA_KEY_LENGTHS = ("512", "1024", "2048", "4096")
+EC_KEY_LENGTHS = ("256", "384", "521")
+
 DIGEST_CHOICES = (
     ("sha1", "SHA1"),
     ("sha224", "SHA224"),
@@ -148,6 +159,9 @@ class BaseX509(models.Model):
         blank=True,
         help_text=_("Passphrase for the private key, if present"),
     )
+    key_type = models.CharField(
+        _("key type"), max_length=3, choices=KEY_TYPE_CHOICES, default="rsa"
+    )
 
     class Meta:
         abstract = True
@@ -178,6 +192,20 @@ def clean(self):
         if self.serial_number:
             self._validate_serial_number()
         self._verify_extension_format()
+        if self.key_type == "rsa" and self.key_length in EC_KEY_LENGTHS:
+            raise ValidationError(
+                {
+                    "key_length": _(
+                        "Selected length is only valid for Elliptic Curve keys. "
+                        "RSA keys must use 512, 1024, 2048, or 4096 bits."
+                    )
+                }
+            )
+
+        if self.key_type == "ec" and self.key_length in RSA_KEY_LENGTHS:
+            raise ValidationError(
+                {"key_length": _("Selected length is not valid for Elliptic Curve.")}
+            )
 
     def save(self, *args, **kwargs):
         if self._state.adding and not self.certificate and not self.private_key:
@@ -280,10 +308,25 @@ def _generate(self):
         for attr in ["x509", "pkey"]:
             if attr in self.__dict__:
                 del self.__dict__[attr]
-        key = rsa.generate_private_key(
-            public_exponent=65537,
-            key_size=int(self.key_length),
-        )
+        if self.key_type == "rsa":
+            key = rsa.generate_private_key(
+                public_exponent=65537,
+                key_size=int(self.key_length),
+            )
+        elif self.key_type == "ec":
+            curves = {
+                "256": ec.SECP256R1(),
+                "384": ec.SECP384R1(),
+                "521": ec.SECP521R1(),
+            }
+            curve = curves.get(self.key_length)
+            if not curve:
+                raise ValidationError(
+                    _("Unsupported EC key length: %s") % self.key_length
+                )
+            key = ec.generate_private_key(curve)
+        else:
+            raise ValidationError(_("Unsupported key type: %s") % self.key_type)
         if hasattr(self, "ca"):
             signing_key = self.ca.pkey
             issuer_name = self.ca.x509.subject
@@ -307,7 +350,11 @@ def _generate(self):
             "sha384": hashes.SHA384,
             "sha512": hashes.SHA512,
         }
-        digest_name = self.digest.lower().replace("withrsaencryption", "")
+        digest_name = (
+            self.digest.lower()
+            .replace("withrsaencryption", "")
+            .replace("ecdsa-with-", "")
+        )
         digest_alg = HASH_MAP.get(digest_name, hashes.SHA256)()
         cert = builder.sign(signing_key, digest_alg)
         self.certificate = cert.public_bytes(serialization.Encoding.PEM).decode("utf-8")
@@ -318,7 +365,11 @@ def _generate(self):
         )
         self.private_key = key.private_bytes(
             encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            format=(
+                serialization.PrivateFormat.PKCS8
+                if self.key_type == "ec"
+                else serialization.PrivateFormat.TraditionalOpenSSL
+            ),
             encryption_algorithm=encryption,
         ).decode("utf-8")
 
@@ -352,6 +403,20 @@ def _import(self):
         imports existing x509 certificates
         """
         cert = self.x509
+        public_key = cert.public_key()
+        if isinstance(public_key, rsa.RSAPublicKey):
+            self.key_type = "rsa"
+            self.key_length = str(public_key.key_size)
+        elif isinstance(public_key, ec.EllipticCurvePublicKey):
+            self.key_type = "ec"
+            self.key_length = str(public_key.curve.key_size)
+        else:
+            raise ValidationError(
+                _(
+                    "Unsupported key type in certificate. "
+                    "Only RSA and EC keys are supported."
+                )
+            )
         # when importing an end entity certificate
         if hasattr(self, "ca"):
             self._verify_ca()
@@ -366,7 +431,6 @@ def _import(self):
             email = str(attrs[0].value) if attrs else ""
 
         self.email = email
-        self.key_length = str(cert.public_key().key_size)
         self.digest = cert.signature_hash_algorithm.name.lower()
         self.validity_start = cert.not_valid_before_utc
         self.validity_end = cert.not_valid_after_utc

diff --git a/django_x509/migrations/0010_ca_key_type_cert_key_type_alter_ca_key_length_and_more.py b/django_x509/migrations/0010_ca_key_type_cert_key_type_alter_ca_key_length_and_more.py
@@ -0,0 +1,72 @@
+# Generated by Django 5.2.9 on 2026-01-11 10:50
+
+import django_x509.base.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("django_x509", "0009_alter_ca_digest_alter_ca_key_length_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ca",
+            name="key_type",
+            field=models.CharField(
+                choices=[("rsa", "RSA"), ("ec", "Elliptic Curve")],
+                default="rsa",
+                max_length=3,
+                verbose_name="key type",
+            ),
+        ),
+        migrations.AddField(
+            model_name="cert",
+            name="key_type",
+            field=models.CharField(
+                choices=[("rsa", "RSA"), ("ec", "Elliptic Curve")],
+                default="rsa",
+                max_length=3,
+                verbose_name="key type",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="ca",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("224", "224"),
+                    ("256", "256"),
+                    ("384", "384"),
+                    ("512", "512"),
+                    ("1024", "1024"),
+                    ("2048", "2048"),
+                    ("4096", "4096"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="cert",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("224", "224"),
+                    ("256", "256"),
+                    ("384", "384"),
+                    ("512", "512"),
+                    ("1024", "1024"),
+                    ("2048", "2048"),
+                    ("4096", "4096"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+    ]
diff --git a/django_x509/migrations/0011_alter_ca_key_length_alter_cert_key_length.py b/django_x509/migrations/0011_alter_ca_key_length_alter_cert_key_length.py
@@ -0,0 +1,54 @@
+# Generated by Django 5.2.9 on 2026-01-11 11:10
+
+import django_x509.base.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("django_x509", "0010_ca_key_type_cert_key_type_alter_ca_key_length_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="ca",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("224", "224"),
+                    ("256", "256"),
+                    ("384", "384"),
+                    ("521", "521"),
+                    ("512", "512"),
+                    ("1024", "1024"),
+                    ("2048", "2048"),
+                    ("4096", "4096"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="cert",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("224", "224"),
+                    ("256", "256"),
+                    ("384", "384"),
+                    ("521", "521"),
+                    ("512", "512"),
+                    ("1024", "1024"),
+                    ("2048", "2048"),
+                    ("4096", "4096"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+    ]
diff --git a/django_x509/migrations/0012_alter_ca_key_length_alter_cert_key_length.py b/django_x509/migrations/0012_alter_ca_key_length_alter_cert_key_length.py
@@ -0,0 +1,52 @@
+# Generated by Django 5.2.9 on 2026-01-11 11:47
+
+import django_x509.base.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("django_x509", "0011_alter_ca_key_length_alter_cert_key_length"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="ca",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("256", "256"),
+                    ("384", "384"),
+                    ("521", "521"),
+                    ("512", "512"),
+                    ("1024", "1024"),
+                    ("2048", "2048"),
+                    ("4096", "4096"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="cert",
+            name="key_length",
+            field=models.CharField(
+                choices=[
+                    ("256", "256"),
+                    ("384", "384"),
+                    ("521", "521"),
+                    ("512", "512"),
+                    ("1024", "1024"),
+                    ("2048", "2048"),
+                    ("4096", "4096"),
+                ],
+                default=django_x509.base.models.default_key_length,
+                help_text="bits",
+                max_length=6,
+                verbose_name="key length",
+            ),
+        ),
+    ]