pan-chainguard is a Python3 application which uses CCADB data to derive intermediate certificate chains for trusted certificate authorities in PAN-OS so they can be preloaded as device certificates.
Many TLS enabled origin servers suffer from a misconfiguration in which they:
- Do not return intermediate CA certificates.
- Return certificates out of order.
- Return intermediate certificates which are not related to the CA which signed the server certificate.
The impact for PAN-OS SSL decryption administrators is end users will see errors such as unable to get local issuer certificate until the sites that are misconfigured are identified, the required intermediate certificates are obtained, and the certificates are imported into PAN-OS.
pan-chainguard uses the PAN-OS default trusted CA store and the All Certificate Information (root and intermediate) in CCADB (CSV) data file as input, and determines the intermediate certificate chains, if available, for each root CA certificate. These can then be added to PAN-OS as trusted CA device certificates.
By preloading known intermediates for the trusted CAs, the number of TLS connection errors that users encounter for misconfigured servers can be reduced, without reactive actions by an administrator.
Administrator's Guide:
https://github.com/PaloAltoNetworks/pan-chainguard/blob/main/doc/admin-guide.rst
pan-chainguard is available as a release on GitHub and as a package on PyPi.