Manage Chrome-trusted CA certificates in Palo Alto Strata Cloud Manager
scm-chainguard
Manage Trusted CA certificates for Outbound Decryption in Strata Cloud Manager
Beta: This project is under active development. APIs, CLI flags, and behavior may change between releases. Use --dry-run to preview changes before applying them.
Overview
scm-chainguard keeps your Strata Cloud Manager SSL decryption trust store in sync with the Chrome Root Store maintained by CCADB. It downloads the latest Chrome-trusted root (and optionally intermediate) CA certificates, compares them against what is already configured in SCM, imports any missing certificates, and adds them to the trusted root CA list used for SSL decryption.
All managed certificates are prefixed with CG_ so they can be identified and cleaned up independently.
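The pipeline described above (fetch the CCADB export, compare by fingerprint against both SCM certificate stores, import what is missing under a CG_ name, remove only expired CG_ certificates) as an added Python example. This is not scm-chainguard's own code: the CCADB column names, the date format, the shape of the SCM store records and every fingerprint and certificate below are constructed assumptions for the demonstration; a real run would replace the `importer` and `deleter` callbacks with SCM API calls.

```python
# Added example (not scm-chainguard's own code): models the fetch -> compare -> sync
# -> cleanup decisions the README describes. CSV column names, date format and the
# SCM store shapes are assumptions; all sample data below is constructed.
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timezone

MANAGED_PREFIX = "CG_"  # every certificate this tool creates carries this prefix
DEMO_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # fixed "now" for the demo


@dataclass(frozen=True)
class CaRecord:
    name: str          # CA common name as listed by CCADB
    fingerprint: str   # SHA-256 of the DER certificate, upper-case hex, no separators
    not_after: datetime
    kind: str          # "Root" or "Intermediate"


# Constructed fingerprints (real ones are 64 hex chars; repetition is just for brevity)
FP_ROOT_G1 = "AA" * 32
FP_INTERMEDIATE = "BB" * 32
FP_ROOT_G2 = "CC" * 32

# Constructed CSV in the shape of a CCADB export (assumed column names)
SAMPLE_CCADB_CSV = (
    "Certificate Name,SHA-256 Fingerprint,Valid To (GMT),Certificate Type\n"
    f"Example Root CA G1,{':'.join(['aa'] * 32)},2040-12-31,Root\n"
    f"Example Intermediate CA,{FP_INTERMEDIATE},2031-06-30,Intermediate\n"
    f"Example Root CA G2,{FP_ROOT_G2},2035-01-01,Root\n"
)

# Constructed view of what SCM already holds: predefined (vendor-shipped) roots are
# known by fingerprint only; imported certs carry a name, fingerprint and expiry.
SAMPLE_SCM_PREDEFINED = {FP_ROOT_G2}
SAMPLE_SCM_IMPORTED = [
    {"name": "CG_Expired_Root_CA", "fingerprint": "DD" * 32,
     "not_after": datetime(2020, 1, 1, tzinfo=timezone.utc)},
    # Expired too, but not CG_-prefixed: cleanup must leave it alone
    {"name": "Corp_Internal_CA", "fingerprint": "EE" * 32,
     "not_after": datetime(2019, 6, 1, tzinfo=timezone.utc)},
]


def normalize_fp(raw: str) -> str:
    """Canonical fingerprint so 'aa:bb' and 'AABB' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", raw).upper()


def parse_ccadb_csv(text: str, include_intermediates: bool = False) -> list[CaRecord]:
    """fetch: turn the CCADB export into records, dropping intermediates unless asked (-i)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["Certificate Type"].strip()
        if kind == "Intermediate" and not include_intermediates:
            continue
        records.append(CaRecord(
            name=row["Certificate Name"].strip(),
            fingerprint=normalize_fp(row["SHA-256 Fingerprint"]),
            not_after=datetime.strptime(row["Valid To (GMT)"].strip(), "%Y-%m-%d")
            .replace(tzinfo=timezone.utc),
            kind=kind,
        ))
    return records


def managed_name(common_name: str) -> str:
    """Object name for an imported cert: CG_ prefix plus a sanitized common name."""
    return MANAGED_PREFIX + re.sub(r"[^A-Za-z0-9]+", "_", common_name).strip("_")


def plan_sync(records, predefined_fps, imported) -> list[CaRecord]:
    """compare: a cert is present if its fingerprint is in either SCM store.
    Matching on fingerprint rather than name means a re-issued root with a
    different key is still detected as missing, and a renamed copy is not
    imported twice."""
    present = {normalize_fp(fp) for fp in predefined_fps}
    present |= {normalize_fp(c["fingerprint"]) for c in imported}
    return [r for r in records if r.fingerprint not in present]


def plan_cleanup(imported, now: datetime) -> list[str]:
    """cleanup: only expired certs that this tool created (CG_ prefix) are candidates."""
    return [c["name"] for c in imported
            if c["name"].startswith(MANAGED_PREFIX) and c["not_after"] < now]


def run(csv_text, predefined_fps, imported, now, *, include_intermediates=False,
        dry_run=True, importer=None, deleter=None) -> list[str]:
    """Full pipeline. Returns the action list; with dry_run=True nothing is applied,
    mirroring the README's advice to preview before writing to SCM."""
    records = parse_ccadb_csv(csv_text, include_intermediates)
    to_import = plan_sync(records, predefined_fps, imported)
    to_delete = plan_cleanup(imported, now)
    actions = [f"import {managed_name(r.name)} ({r.kind}, {r.fingerprint[:16]}...)"
               for r in to_import]
    actions += [f"delete {name}" for name in to_delete]
    if not dry_run:
        for r in to_import:
            importer(managed_name(r.name), r)  # would be: SCM import + trusted-root add
        for name in to_delete:
            deleter(name)
    return actions


if __name__ == "__main__":
    for line in run(SAMPLE_CCADB_CSV, SAMPLE_SCM_PREDEFINED, SAMPLE_SCM_IMPORTED,
                    DEMO_NOW, include_intermediates=True):
        print("[dry-run]", line)
```

Two decisions in this sketch carry the security weight: presence is decided by certificate fingerprint, never by object name, and cleanup refuses to touch anything without the CG_ prefix, so a customer-imported CA that happens to be expired is never deleted by the tool.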
Features
- Fetch Chrome-trusted root and intermediate CA certificates from CCADB
- Compare local certificates against SCM predefined and imported certificate stores
- Sync missing certificates into SCM and configure them as trusted roots
- Clean up expired CG_-managed certificates from SCM
- Dry-run mode for all write operations
Requirements
- Python >= 3.11
- An SCM service account with client_id, client_secret, and tsg_id
Installation
```shell
pip install scm-chainguard
```
Or install from source:
```shell
git clone https://gitlab.com/dephell/scm-chainguard.git
cd scm-chainguard
pip install -e "."
```
Configuration
Set environment variables:
```shell
export SCM_CLIENT_ID="your-client-id"
export SCM_CLIENT_SECRET="your-client-secret"
export SCM_TSG_ID="your-tsg-id"
```
Or use a YAML config file:
```yaml
scm:
  client_id: "your-client-id"
  client_secret: "your-client-secret"
  tsg_id: "your-tsg-id"
```
Quick Start
```shell
# Download Chrome-trusted root CAs from CCADB
scm-chainguard fetch

# Compare local certs against SCM
scm-chainguard compare

# Import missing certs and add as trusted roots (dry-run first)
scm-chainguard sync --dry-run
scm-chainguard sync

# Full pipeline: fetch -> compare -> sync
scm-chainguard run --dry-run
scm-chainguard run

# Remove expired CG_-managed certificates
scm-chainguard cleanup --dry-run
scm-chainguard cleanup
```
Common Options
| Option | Description |
|---|---|
| --config / -c | Path to YAML config file |
| --debug | Enable debug logging |
| --log-file | Write logs to file |
| --dry-run / -n | Show what would be done without making changes |
| --include-intermediates / -i | Include intermediate certificates |
Disclaimer
scm-chainguard currently imports all certificates into the 'Global' folder because of a limitation in the existing SCM API implementation.
License
Apache 2.0
File details
Details for the file scm_chainguard-0.0.4.tar.gz.
File metadata
- Download URL: scm_chainguard-0.0.4.tar.gz
- Upload date:
- Size: 35.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 31ba5f51e932e5e0095bc298ce4b392ae6e5049629ebd4ac9c7433794dd38007 |
| MD5 | c64eae4a79cb057edb7dd3bc6fc4ce7c |
| BLAKE2b-256 | b1d1fdcbaf8e785e7281abe04e90e7de297eff0cffcfee88bb73864a90b5f9db |
File details
Details for the file scm_chainguard-0.0.4-py3-none-any.whl.
File metadata
- Download URL: scm_chainguard-0.0.4-py3-none-any.whl
- Upload date:
- Size: 31.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 8f640ee0cb32cf72f58e485cdefc192bcfa564aa1b92758db7cbd2f0867e3d04 |
| MD5 | 0bdc5bde759602e8d495293cfa8e652c |
| BLAKE2b-256 | 1f2128c141b8b2e46fdeca8fc418f40821c4509a8cea46de455d66daf6d1bd9e |