Differences

This shows you the differences between two versions of the page.

cfg:crosscert [2012/05/15 12:29]
mcb30
cfg:crosscert [2015/03/24 19:11] (current)
mcb30
Line 42: Line 42:
By default, iPXE contains only a single trusted root certificate (the "iPXE root CA" certificate).  In order to use a standard SSL certificate issued by a public CA (such as Verisign), iPXE must be able to download a cross-signed certificate to complete the chain of trust up to the "iPXE root CA" certificate.  These cross-signed certificates are downloaded automatically when needed. By default, iPXE contains only a single trusted root certificate (the "iPXE root CA" certificate).  In order to use a standard SSL certificate issued by a public CA (such as Verisign), iPXE must be able to download a cross-signed certificate to complete the chain of trust up to the "iPXE root CA" certificate.  These cross-signed certificates are downloaded automatically when needed.
-The current policy of ''ca.ipxe.org'' is to provide cross-signed certificates for all CAs that are trusted by the [[http://www.mozilla.org/firefox/|Firefox]] web browser.  Certificates remain valid for 90 days.+The current policy of ''ca.ipxe.org'' is to provide cross-signed certificates for almost all CAs that are trusted by the [[http://www.mozilla.org/firefox/|Firefox]] web browser.  Certificates remain valid for 90 days. Cross-signed certificates are not provided for the following CAs: 
 + 
 +  * China Internet Network Information Centre (CNNIC)((Following the issuance of an [[http://googleonlinesecurity.blogspot.co.uk/2015/03/maintaining-digital-certificate-security.html|unrestricted intermediate CA certificate used in an eavesdropping proxy server]]))
If you are booting using HTTPS on a private network with no access to [[http://ca.ipxe.org/auto]] then you may wish to create a local mirror, and use the ''crosscert'' setting to direct your clients to download the cross-signed certificates from your local mirror.  For example: If you are booting using HTTPS on a private network with no access to [[http://ca.ipxe.org/auto]] then you may wish to create a local mirror, and use the ''crosscert'' setting to direct your clients to download the cross-signed certificates from your local mirror.  For example:
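Review bot: In the rewritten policy paragraph, the sentence "Certificates remain valid for 90 days." now sits between "almost all CAs" and the sentence that introduces the exclusion list, so it interrupts the policy statement it belongs to; move it after the CNNIC bullet. The added text also does not say what happens to cross-signed certificates issued before the exclusion. Given the 90-day validity and the local-mirror paragraph that follows, a mirror populated before this change could still hold a cross-signed certificate for the excluded CA, so a sentence telling mirror operators to remove it would close that gap. The footnote is a sentence fragment ("Following the issuance of ..."); a full sentence stating that this is the reason for the exclusion would read more clearly, and the reference it cites is linked over plain http.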
 
cfg/crosscert.1337081360.txt.gz · Last modified: 2012/05/15 12:29 by mcb30
All uses of this content must include an attribution to the iPXE project and the URL http://ipxe.org
References to "iPXE" may not be altered or removed.