pan-chainguard is a Python3 application which uses
CCADB data
to derive intermediate certificate chains for trusted
certificate authorities in PAN-OS so they can be
preloaded
as device certificates.
Many TLS enabled origin servers suffer from a misconfiguration in which they:
- Do not return intermediate CA certificates.
- Return certificates out of order.
- Return intermediate certificates which are not related to the CA which signed the server certificate.
The impact for PAN-OS SSL decryption administrators is end users will see errors such as unable to get local issuer certificate until the sites that are misconfigured are identified, the required intermediate certificates are obtained, and the certificates are imported into PAN-OS.
pan-chainguard uses the PAN-OS default trusted CA store and the
All Certificate Information (root and intermediate) in CCADB (CSV)
data file as input, and determines the intermediate certificate
chains, if available, for each root CA certificate. These can then be
added to PAN-OS as trusted CA device certificates.
By preloading known intermediates for the trusted CAs, the number of TLS connection errors that users encounter for misconfigured servers can be reduced, without reactive actions by an administrator.
Administrator's Guide:
https://github.com/PaloAltoNetworks/pan-chainguard/blob/main/doc/admin-guide.rst
pan-chainguard is available as a
release
on GitHub and as a
package
on PyPi.