Cross-signed certificate source

Name

  crosscert

Details

Type String
DHCP option number 175.93
ISC dhcpd syntax option ipxe.crosscert

Examples

Set the cross-signed certificate source manually

  iPXE> set crosscert http://ca.ipxe.org/auto

Configure the cross-signed certificate source in ISC dhcpd

  # in /etc/dhcpd.conf
  option space ipxe;
  option ipxe-encap-opts code 175 = encapsulate ipxe;
  option ipxe.crosscert code 93 = string;
  
  option ipxe.crosscert "http://ca.ipxe.org/auto";

Description

Specifies the source URI for cross-signed CA certificates.

If no URI is explicitly specified, then the default URI http://ca.ipxe.org/auto will be used.

See also

Notes

By default, iPXE contains only a single trusted root certificate (the “iPXE root CA” certificate). In order to use a standard SSL certificate issued by a public CA (such as Verisign), iPXE must be able to download a cross-signed certificate to complete the chain of trust up to the “iPXE root CA” certificate. These cross-signed certificates are downloaded automatically when needed.

The current policy of ca.ipxe.org is to provide cross-signed certificates for almost all CAs that are trusted by the Firefox web browser. Certificates remain valid for 90 days. Cross-signed certificates are not provided for the following CAs:

  • China Internet Network Information Centre (CNNIC)

If you are booting using HTTPS on a private network with no access to http://ca.ipxe.org/auto then you may wish to create a local mirror, and use the crosscert setting to direct your clients to download the cross-signed certificates from your local mirror. For example:

  option ipxe.crosscert "http://192.168.0.10/pub/mirror/ca.ipxe.org/auto";

If you are using a local mirror, then you will also need to provide an OCSP proxy service.

There is no need to use HTTPS to download the cross-signed certificates. The cross-signed certificates are not automatically trusted simply because they have been downloaded from the server specified by the crosscert setting; they are trusted only because they have been signed by the “iPXE root CA” certificate.
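The trust rule stated above (the client trusts one built-in root, and a downloaded cross-signed certificate counts only because the built-in root signed it, never because of where it came from) can be exercised with a small Go program. This is an added example, not iPXE's own code: it models the rule with Go's standard-library x509 verifier rather than iPXE's TLS stack, and every key, certificate name and the hostname boot.example.internal are constructed in memory for the demonstration. It builds a stand-in "iPXE root CA", a public CA with its own self-signed root, a cross-signed copy of that public CA under the iPXE root, a bogus copy signed by an unrelated CA (a tampered mirror), and a server certificate issued by the public CA, then verifies the server certificate four times with different downloaded certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a throwaway P-256 key (constructed for this demo).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate returns a CA template. SubjectKeyId is fixed per subject name so
// that a self-signed root and its cross-signed copy carry the same identifier.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour), // 90-day lifetime, as on ca.ipxe.org
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SubjectKeyId:          []byte(name),
	}
}

// sign issues tmpl for public key pub under parent, signed with parentKey.
func sign(tmpl, parent *x509.Certificate, pub interface{}, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Scenario is the set of certificates a booting client might encounter.
type Scenario struct {
	IPXERoot  *x509.Certificate // the one root compiled into the client
	PublicCA  *x509.Certificate // the public CA's own self-signed root (unknown to the client)
	CrossCert *x509.Certificate // PublicCA's name and key, signed by IPXERoot: what crosscert serves
	BogusCert *x509.Certificate // PublicCA's name and key, signed by an unrelated CA: a tampered mirror
	Leaf      *x509.Certificate // the boot server's certificate, issued by PublicCA
}

// BuildScenario constructs every certificate in memory; nothing is fetched.
func BuildScenario(host string) *Scenario {
	ipxeKey, pubKey, leafKey, rogueKey := newKey(), newKey(), newKey(), newKey()
	ipxeTmpl := caTemplate("iPXE root CA (demo)", 1)
	ipxeRoot := sign(ipxeTmpl, ipxeTmpl, &ipxeKey.PublicKey, ipxeKey)
	pubTmpl := caTemplate("Public CA (demo)", 2)
	publicCA := sign(pubTmpl, pubTmpl, &pubKey.PublicKey, pubKey)
	// Cross-signing: same subject and public key as publicCA, signature from ipxeRoot.
	crossCert := sign(caTemplate("Public CA (demo)", 3), ipxeRoot, &pubKey.PublicKey, ipxeKey)
	rogueTmpl := caTemplate("Rogue CA (demo)", 4)
	rogueRoot := sign(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	bogusCert := sign(caTemplate("Public CA (demo)", 5), rogueRoot, &pubKey.PublicKey, rogueKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(6),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, publicCA, &leafKey.PublicKey, pubKey)
	return &Scenario{IPXERoot: ipxeRoot, PublicCA: publicCA, CrossCert: crossCert, BogusCert: bogusCert, Leaf: leaf}
}

// ClientVerify validates the leaf the way the client does: only IPXERoot is
// trusted, and downloaded is whatever came back from the crosscert URI (or nil).
func ClientVerify(s *Scenario, host string, downloaded *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(s.IPXERoot)
	inter := x509.NewCertPool()
	if downloaded != nil {
		inter.AddCert(downloaded)
	}
	_, err := s.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

func main() {
	host := "boot.example.internal" // constructed hostname
	s := BuildScenario(host)
	fmt.Println("with cross-signed cert:  ", ClientVerify(s, host, s.CrossCert))
	fmt.Println("with nothing downloaded: ", ClientVerify(s, host, nil))
	fmt.Println("with public CA's own root:", ClientVerify(s, host, s.PublicCA))
	fmt.Println("with tampered cross cert:", ClientVerify(s, host, s.BogusCert))
}
```

Only the first verification succeeds. The second and third fail because the chain never reaches the built-in root, and the fourth fails even though the tampered certificate carries the right name and key, because its signature is not the iPXE root's. That is why the download transport does not matter and a plain-HTTP mirror is acceptable.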

cfg/crosscert.txt · Last modified: 2015/03/24 19:11 by mcb30
All uses of this content must include an attribution to the iPXE project and the URL http://ipxe.org
References to "iPXE" may not be altered or removed.