pan-chainguard - Manage Root Store and Intermediate Certificate Chains on PAN-OS
================================================================================
``pan-chainguard`` is a Python3 application which uses
`CCADB data
<https://www.ccadb.org/resources>`_
and allows PAN-OS SSL decryption administrators to:
#. Create a custom, up-to-date trusted root store for PAN-OS.
#. Determine intermediate certificate chains for trusted Certificate
Authorities in PAN-OS so they can be `preloaded
<https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading>`_
as device certificates.
Issue 1
-------
The PAN-OS root store (*Default Trusted Certificate Authorities*) is
updated only in PAN-OS major software releases; it is not currently
managed by content updates. The root store for PAN-OS 10.x.x releases
is now over 4 years old.
The impact for PAN-OS SSL decryption administrators is when the root
CA for the server certificate is not trusted, the firewall will
provide the forward untrust certificate to the client. End users will
then see errors such as *NET::ERR_CERT_AUTHORITY_INVALID* (Chrome) or
*SEC_ERROR_UNKNOWN_ISSUER* (Firefox) until the missing trusted CAs are
identified, the certificates are obtained, and the certificates are
imported into PAN-OS.
Issue 2
-------
Many TLS enabled origin servers suffer from a misconfiguration in
which they:
#. Do not return intermediate CA certificates.
#. Return certificates out of order.
#. Return intermediate certificates which are not related to the root
CA for the server certificate.
The impact for PAN-OS SSL decryption administrators is end users will
see errors such as *unable to get local issuer certificate* until the
sites that are misconfigured are
`identified
<https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains>`_,
the required intermediate certificates are obtained, and the
certificates are imported into PAN-OS.
Solution 1: Create Custom Root Store
------------------------------------
``pan-chainguard`` can create a custom root store, using one or more
of the major vendor root stores, which are managed by their CA
certificate program:
+ `Mozilla <https://wiki.mozilla.org/CA>`_
+ `Apple <https://www.apple.com/certificateauthority/ca_program.html>`_
+ `Microsoft <https://aka.ms/RootCert>`_
+ `Google Chrome <https://g.co/chrome/root-policy>`_
The custom root store can then be added to PAN-OS as trusted CA device
certificates.
Solution 2: Intermediate CA Preloading
--------------------------------------
``pan-chainguard`` uses a root store and the
*All Certificate Information (root and intermediate) in CCADB (CSV)*
data file as input, and determines the intermediate certificate
chains, if available, for each root CA certificate. These can then be
added to PAN-OS as trusted CA device certificates.
By preloading known intermediates for the trusted CAs, the number of
TLS connection errors that users encounter for misconfigured servers
can be reduced, without reactive actions by an administrator.
Documentation
-------------
- Administrator's Guide:
https://github.com/PaloAltoNetworks/pan-chainguard/blob/main/doc/admin-guide.rst
Install ``pan-chainguard``
--------------------------
``pan-chainguard`` is available as a
`release
<https://github.com/PaloAltoNetworks/pan-chainguard/releases/>`_
on GitHub and as a
`package
<https://pypi.org/project/pan-chainguard/>`_
on PyPi.
Raw data
{
"_id": null,
"home_page": "https://github.com/PaloAltoNetworks/pan-chainguard",
"name": "pan-chainguard",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": null,
"keywords": null,
"author": "Palo Alto Networks, Inc.",
"author_email": "devrel@paloaltonetworks.com",
"download_url": "https://files.pythonhosted.org/packages/f5/17/943f9ac080d1953d751684e0ab634b8bac832410d9a15b7f6d9f555578f5/pan_chainguard-0.7.0.tar.gz",
"platform": null,
"description": "pan-chainguard - Manage Root Store and Intermediate Certificate Chains on PAN-OS\n================================================================================\n\n``pan-chainguard`` is a Python3 application which uses\n`CCADB data\n<https://www.ccadb.org/resources>`_\nand allows PAN-OS SSL decryption administrators to:\n\n#. Create a custom, up-to-date trusted root store for PAN-OS.\n#. Determine intermediate certificate chains for trusted Certificate\n Authorities in PAN-OS so they can be `preloaded\n <https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading>`_\n as device certificates.\n\nIssue 1\n-------\n\nThe PAN-OS root store (*Default Trusted Certificate Authorities*) is\nupdated only in PAN-OS major software releases; it is not currently\nmanaged by content updates. The root store for PAN-OS 10.x.x releases\nis now over 4 years old.\n\nThe impact for PAN-OS SSL decryption administrators is when the root\nCA for the server certificate is not trusted, the firewall will\nprovide the forward untrust certificate to the client. End users will\nthen see errors such as *NET::ERR_CERT_AUTHORITY_INVALID* (Chrome) or\n*SEC_ERROR_UNKNOWN_ISSUER* (Firefox) until the missing trusted CAs are\nidentified, the certificates are obtained, and the certificates are\nimported into PAN-OS.\n\nIssue 2\n-------\n\nMany TLS enabled origin servers suffer from a misconfiguration in\nwhich they:\n\n#. Do not return intermediate CA certificates.\n#. Return certificates out of order.\n#. Return intermediate certificates which are not related to the root\n CA for the server certificate.\n\nThe impact for PAN-OS SSL decryption administrators is end users will\nsee errors such as *unable to get local issuer certificate* until the\nsites that are misconfigured are\n`identified\n<https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains>`_,\nthe required intermediate certificates are obtained, and the\ncertificates are imported into PAN-OS.\n\nSolution 1: Create Custom Root Store\n------------------------------------\n\n``pan-chainguard`` can create a custom root store, using one or more\nof the major vendor root stores, which are managed by their CA\ncertificate program:\n\n+ `Mozilla <https://wiki.mozilla.org/CA>`_\n+ `Apple <https://www.apple.com/certificateauthority/ca_program.html>`_\n+ `Microsoft <https://aka.ms/RootCert>`_\n+ `Google Chrome <https://g.co/chrome/root-policy>`_\n\nThe custom root store can then be added to PAN-OS as trusted CA device\ncertificates.\n\nSolution 2: Intermediate CA Preloading\n--------------------------------------\n\n``pan-chainguard`` uses a root store and the\n*All Certificate Information (root and intermediate) in CCADB (CSV)*\ndata file as input, and determines the intermediate certificate\nchains, if available, for each root CA certificate. These can then be\nadded to PAN-OS as trusted CA device certificates.\n\nBy preloading known intermediates for the trusted CAs, the number of\nTLS connection errors that users encounter for misconfigured servers\ncan be reduced, without reactive actions by an administrator.\n\nDocumentation\n-------------\n\n- Administrator's Guide:\n\n https://github.com/PaloAltoNetworks/pan-chainguard/blob/main/doc/admin-guide.rst\n\nInstall ``pan-chainguard``\n--------------------------\n\n``pan-chainguard`` is available as a\n`release\n<https://github.com/PaloAltoNetworks/pan-chainguard/releases/>`_\non GitHub and as a\n`package\n<https://pypi.org/project/pan-chainguard/>`_\non PyPi.\n",
"bugtrack_url": null,
"license": "ISC",
"summary": "Manage Root Store and Intermediate Certificate Chains on PAN-OS",
"version": "0.7.0",
"project_urls": {
"Homepage": "https://github.com/PaloAltoNetworks/pan-chainguard"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "2c39d01716289c13e4cde8d34b3c8d08855659e0ea34103d823a1d527db09700",
"md5": "52a916d46f9f3f3f937c7cd5e4132920",
"sha256": "3c877fb46f55abd7fbf2327335f371181c1ab763c4559fd24596f7898e5929f9"
},
"downloads": -1,
"filename": "pan_chainguard-0.7.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "52a916d46f9f3f3f937c7cd5e4132920",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 31246,
"upload_time": "2025-01-03T01:18:54",
"upload_time_iso_8601": "2025-01-03T01:18:54.488784Z",
"url": "https://files.pythonhosted.org/packages/2c/39/d01716289c13e4cde8d34b3c8d08855659e0ea34103d823a1d527db09700/pan_chainguard-0.7.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "f517943f9ac080d1953d751684e0ab634b8bac832410d9a15b7f6d9f555578f5",
"md5": "b156fa578ac143a0746a932402cd7529",
"sha256": "1ba51809141e47543200156f908b7c70d87141ccf9d41769d5517a40cb1631ef"
},
"downloads": -1,
"filename": "pan_chainguard-0.7.0.tar.gz",
"has_sig": false,
"md5_digest": "b156fa578ac143a0746a932402cd7529",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 21999,
"upload_time": "2025-01-03T01:18:56",
"upload_time_iso_8601": "2025-01-03T01:18:56.619930Z",
"url": "https://files.pythonhosted.org/packages/f5/17/943f9ac080d1953d751684e0ab634b8bac832410d9a15b7f6d9f555578f5/pan_chainguard-0.7.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-01-03 01:18:56",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "PaloAltoNetworks",
"github_project": "pan-chainguard",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "pan-chainguard"
}
JSON
