Metadata-Version: 2.1
Name: pan-chainguard
Version: 0.2.0
Summary: Preload Trusted CA Intermediate Certificate Chains on PAN-OS
Home-page: https://github.com/PaloAltoNetworks/pan-chainguard
Author: Palo Alto Networks, Inc.
Author-email: devrel@paloaltonetworks.com
License: ISC
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: ISC License (ISCL)
Requires-Python: >=3.9
Description-Content-Type: text/x-rst
License-File: LICENSE.txt
Requires-Dist: aiohttp>=3.9.0
Requires-Dist: pan-python>=0.25.0

pan-chainguard - Preload Trusted CA Intermediate Certificate Chains on PAN-OS
=============================================================================

``pan-chainguard`` is a Python3 application which uses
`CCADB data
<https://www.ccadb.org/resources>`_
to derive intermediate certificate chains for trusted
certificate authorities in PAN-OS so they can be
`preloaded
<https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading>`_
as device certificates.

Problem
-------

Many TLS-enabled origin servers suffer from a misconfiguration in
which they:

#. Do not return intermediate CA certificates.
#. Return certificates out of order.
#. Return intermediate certificates which are not related to the CA
   which signed the server certificate.

The impact for PAN-OS SSL decryption administrators is that end users
will see errors such as *unable to get local issuer certificate* until
the misconfigured sites are
`identified
<https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains>`_,
the required intermediate certificates are obtained, and the
certificates are imported into PAN-OS.

Solution: Intermediate CA Preloading
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

``pan-chainguard`` uses the PAN-OS default trusted CA store and the
*All Certificate Information (root and intermediate) in CCADB (CSV)*
data file as input, and determines the intermediate certificate
chains, if available, for each root CA certificate.  These can then be
added to PAN-OS as trusted CA device certificates.

By preloading known intermediates for the trusted CAs, the number of
TLS connection errors that users encounter for misconfigured servers
can be reduced, without reactive actions by an administrator.
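The chain derivation described above, shown as an added, stand-alone
illustration that is not ``pan-chainguard``'s own code. The CSV columns
are a hypothetical subset modelled on the CCADB *All Certificate
Information* export, the fingerprints and certificate names are
constructed placeholders rather than real SHA-256 values, and the
PAN-OS trusted CA store is stood in for by a set of trusted root
fingerprints. The example walks each intermediate up its parent links
and keeps it only if every ancestor is a non-revoked record that ends
at a trusted root, so a revoked intermediate, its subordinates, an
intermediate under an untrusted root, and one with a missing parent are
all left out.

```python
"""Derive preloadable intermediate CA chains from CCADB-style records.

Added illustration, not pan-chainguard's own code.  Column names are a
hypothetical subset modelled on the CCADB "All Certificate Information
(root and intermediate)" CSV; all values are constructed sample data.
"""
import csv
import io

# Constructed sample records.  Fingerprints are short placeholders,
# not real SHA-256 values.
CCADB_CSV = """\
Certificate Name,Certificate Record Type,Revocation Status,SHA-256 Fingerprint,Parent SHA-256 Fingerprint
Example Root CA,Root Certificate,Not Revoked,ROOT1,
Example Intermediate G1,Intermediate Certificate,Not Revoked,INT1,ROOT1
Example Intermediate G2,Intermediate Certificate,Not Revoked,INT2,INT1
Example Retired Intermediate,Intermediate Certificate,Revoked,INT3,ROOT1
Example Orphan Sub-CA,Intermediate Certificate,Not Revoked,INT4,INT3
Other Root CA,Root Certificate,Not Revoked,ROOT2,
Other Intermediate,Intermediate Certificate,Not Revoked,INT5,ROOT2
Dangling Intermediate,Intermediate Certificate,Not Revoked,INT6,MISSING
"""

# Stand-in for the PAN-OS default trusted CA store: fingerprints of the
# roots the device trusts (constructed; ROOT2 is deliberately untrusted).
TRUSTED_ROOTS = {"ROOT1"}


def load_records(csv_text):
    """Parse the CSV into a dict keyed by certificate fingerprint."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["SHA-256 Fingerprint"]: row for row in reader}


def derive_chains(records, trusted_roots):
    """Return {root_fp: [intermediate_fp, ...]} for each trusted root.

    An intermediate is kept only if every link from it up to the root
    is a non-revoked record present in the data set.  Intermediates are
    ordered by distance from the root so issuers are listed before the
    sub-CAs they signed, which is the order you would import them in.
    """
    found = {root: [] for root in trusted_roots}
    for fp, row in records.items():
        if row["Certificate Record Type"] != "Intermediate Certificate":
            continue
        cur = row
        depth = 1
        seen = {fp}
        root = None
        while True:
            # A revoked certificate anywhere on the path disqualifies it.
            if cur["Revocation Status"] != "Not Revoked":
                break
            parent = cur["Parent SHA-256 Fingerprint"]
            if parent in trusted_roots:
                root = parent
                break
            # Missing parent, untrusted root (empty parent) or a cycle.
            if parent not in records or parent in seen:
                break
            seen.add(parent)
            cur = records[parent]
            depth += 1
        if root is not None:
            found[root].append((depth, fp))
    return {root: [fp for _, fp in sorted(entries)]
            for root, entries in found.items()}


if __name__ == "__main__":
    chains = derive_chains(load_records(CCADB_CSV), TRUSTED_ROOTS)
    for root, intermediates in chains.items():
        print(root, "->", ", ".join(intermediates) or "(none)")
```

Run as a script it lists, per trusted root, the intermediates that
would be candidates for import as trusted CA device certificates; in
practice the fingerprints would be replaced by the real CCADB values
and the certificates themselves fetched and imported.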

Documentation
-------------

- Administrator's Guide:

  https://github.com/PaloAltoNetworks/pan-chainguard/blob/main/doc/admin-guide.rst

Install ``pan-chainguard``
--------------------------

``pan-chainguard`` is available as a
`release
<https://github.com/PaloAltoNetworks/pan-chainguard/releases/>`_
on GitHub and as a
`package
<https://pypi.org/project/pan-chainguard/>`_
on PyPI.
