Manage Root Store and Intermediate Certificate Chains on PAN-OS
Project description
Overview
pan-chainguard is a Python application which uses CCADB data and allows PAN-OS SSL decryption administrators to:
Create a custom, up-to-date trusted root store for PAN-OS.
Determine intermediate certificate chains for trusted Certificate Authorities in PAN-OS so they can be preloaded as device certificates.
Issue 1: Out-of-date Root Store
The PAN-OS root store (Default Trusted Certificate Authorities) is updated only in PAN-OS major software releases; it is not currently managed by content updates. The root store for PAN-OS 10.x.x releases is now over 4 years old.
The impact for PAN-OS SSL decryption administrators is when the root CA for the server certificate is not trusted, the firewall will provide the forward untrust certificate to the client. End users will then see errors such as NET::ERR_CERT_AUTHORITY_INVALID (Chrome) or SEC_ERROR_UNKNOWN_ISSUER (Firefox) until the missing trusted CAs are identified, the certificates are obtained, and the certificates are imported into PAN-OS.
Issue 2: Misconfigured Servers
Many TLS enabled origin servers suffer from a misconfiguration in which they:
Do not return intermediate CA certificates.
Return certificates out of order.
Return intermediate certificates which are not related to the root CA for the server certificate.
The impact for PAN-OS SSL decryption administrators is end users will see errors such as unable to get local issuer certificate until the sites that are misconfigured are identified, the required intermediate certificates are obtained, and the certificates are imported into PAN-OS.
Solution 1: Create Custom Root Store
pan-chainguard can create a custom root store, using one or more of the major vendor root stores, which are managed by their CA certificate program:
The custom root store can then be added to PAN-OS as trusted CA device certificates.
Solution 2: Intermediate CA Preloading
pan-chainguard uses a root store and the All Certificate Information (root and intermediate) in CCADB (CSV) data file as input, and determines the intermediate certificate chains, if available, for each root CA certificate. These can then be added to PAN-OS as trusted CA device certificates.
By preloading known intermediates for the trusted CAs, the number of TLS connection errors that users encounter for misconfigured servers can be reduced, without reactive actions by an administrator.
Documentation
Administrator’s Guide:
https://github.com/PaloAltoNetworks/pan-chainguard/blob/main/doc/admin-guide.rst
Install pan-chainguard
pan-chainguard is available as a release on GitHub and as a package on PyPi.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file pan_chainguard-0.8.0.tar.gz.
File metadata
- Download URL: pan_chainguard-0.8.0.tar.gz
- Upload date:
- Size: 23.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | d789bb18e242cd726d696eb59b72ef03e50d21f78101fa1f6cc56bef4b4e2535 |
|
| MD5 | 319d97560aea522396e2594c9749ffbd |
|
| BLAKE2b-256 | a5c1096212d8965bd53a0a35ef5500c4dc8e5d30e78082ad6dca8b1e69a3bc5b |
File details
Details for the file pan_chainguard-0.8.0-py3-none-any.whl.
File metadata
- Download URL: pan_chainguard-0.8.0-py3-none-any.whl
- Upload date:
- Size: 32.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 11a69c35fd30c0c08bc1ccad9acc8e1153a50f416f946b684a52827c515c13f3 |
|
| MD5 | 3a5dc425b56aa5c07760cf809fa169f0 |
|
| BLAKE2b-256 | 968ed00703f8cfe2e013167d400e8f49806ee4fadff8cde40a77fe20e6f0c310 |
