Skip to content
/ pan-chainguard Public

Manage Root Store and Intermediate Certificate Chains on PAN-OS

License

View license
8 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

PaloAltoNetworks/pan-chainguard

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

75 Commits
bin
bin
 
 
doc
doc
 
 
pan_chainguard
pan_chainguard
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
HISTORY.rst
HISTORY.rst
 
 
LICENSE.txt
LICENSE.txt
 
 
README.rst
README.rst
 
 
TODO.rst
TODO.rst
 
 
pyproject.toml
pyproject.toml
 
 
setup.cfg
setup.cfg
 
 

Repository files navigation

pan-chainguard - Manage Root Store and Intermediate Certificate Chains on PAN-OS

pan-chainguard is a Python3 application which uses CCADB data and allows PAN-OS SSL decryption administrators to:

  1. Create a custom, up-to-date trusted root store for PAN-OS.
  2. Determine intermediate certificate chains for trusted Certificate Authorities in PAN-OS so they can be preloaded as device certificates.

Issue 1

The PAN-OS root store (Default Trusted Certificate Authorities) is updated only in PAN-OS major software releases; it is not currently managed by content updates. The root store for PAN-OS 10.x.x releases is now over 4 years old.

The impact for PAN-OS SSL decryption administrators is when the root CA for the server certificate is not trusted, the firewall will provide the forward untrust certificate to the client. End users will then see errors such as NET::ERR_CERT_AUTHORITY_INVALID (Chrome) or SEC_ERROR_UNKNOWN_ISSUER (Firefox) until the missing trusted CAs are identified, the certificates are obtained, and the certificates are imported into PAN-OS.

Issue 2

Many TLS enabled origin servers suffer from a misconfiguration in which they:

  1. Do not return intermediate CA certificates.
  2. Return certificates out of order.
  3. Return intermediate certificates which are not related to the root CA for the server certificate.

The impact for PAN-OS SSL decryption administrators is end users will see errors such as unable to get local issuer certificate until the sites that are misconfigured are identified, the required intermediate certificates are obtained, and the certificates are imported into PAN-OS.

Solution 1: Create Custom Root Store

pan-chainguard can create a custom root store, using one or more of the major vendor root stores, which are managed by their CA certificate program:

The custom root store can then be added to PAN-OS as trusted CA device certificates.

Solution 2: Intermediate CA Preloading

pan-chainguard uses a root store and the All Certificate Information (root and intermediate) in CCADB (CSV) data file as input, and determines the intermediate certificate chains, if available, for each root CA certificate. These can then be added to PAN-OS as trusted CA device certificates.

By preloading known intermediates for the trusted CAs, the number of TLS connection errors that users encounter for misconfigured servers can be reduced, without reactive actions by an administrator.

Documentation

Install pan-chainguard

pan-chainguard is available as a release on GitHub and as a package on PyPi.

About

Manage Root Store and Intermediate Certificate Chains on PAN-OS

Resources

Readme

License

View license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

8 stars

Watchers

8 watching

Forks

4 forks
Report repository

Releases 8

0.7.0 Latest
Jan 3, 2025
+ 7 releases

Languages