Differences

This shows you the differences between two versions of the page.

crypto [2012/05/22 00:29]
mcb30
crypto [2014/03/28 19:00] (current)
mcb30
Line 33: Line 33:
Certificates must be in PEM format. Certificates must be in PEM format.
 +
 +{{ :clipart:warning.png?90x75|Warning}}
 +
 +The full root certificates are generally too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints will be included by default.  If you are using the default {{:certs:ca.crt|"iPXE root CA" certificate}}, then iPXE will automatically download the full root certificate as needed from [[http://ca.ipxe.org/ca.crt]] (or from a mirror specified using the ''[[:cfg:crosscert]]'' setting).
 +
 +If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own ''[[:cfg:crosscert]]'' server, or by including the root certificate within all certificate chains presented to iPXE (as documented below), or by explicitly [[#embedded_certificates|embedding the full root certificate]] within the iPXE binary.
{{ :clipart:books.png?160x160|Some books}} {{ :clipart:books.png?160x160|Some books}}
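Review bot: the new paragraph should say how iPXE validates the full root certificate it fetches from [[http://ca.ipxe.org/ca.crt]] or a ''crosscert'' mirror, because that URL is plain http. Presumably the download is accepted only when it matches one of the SHA-256 fingerprints built into the binary, and stating that explicitly would reassure readers that a mirror cannot substitute its own root; the warning box otherwise reads as if trust came from the download itself. It would also help to spell out that the automatic download applies only to the default "iPXE root CA", so the three options listed for a private root in the next paragraph are clearly the required alternatives.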
Line 59: Line 65:
    preserve               = yes     preserve               = yes
    default_days           = 90     default_days           = 90
 +    unique_subject         = no
         
    [ policy_anything ]     [ policy_anything ]
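Review bot: ''unique_subject = no'' is added alongside ''preserve'' and ''default_days'' without any explanation in the surrounding text; a sentence saying why would help, for example that it lets ''openssl ca'' sign a new request for a subject that already has an entry in its database (such as re-issuing a server certificate after the 90-day ''default_days'' expires) without first revoking the old one. Worth adding the caveat that this also permits several valid certificates for the same subject to coexist, so the old certificate should still be revoked when it is replaced.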
Line 82: Line 89:
    openssl ca -config ca.cnf -in server.req -out server.crt     openssl ca -config ca.cnf -in server.req -out server.crt
-This will create a server certificate ''server.crt'' which is signed by your private root certificate.+This will create a server certificate ''server.crt'' which is signed by your private root certificate. You can optionally create a full certificate chain including both ''server.crt'' and your private root certificiate ''ca.crt'' using: 
 + 
 +    cat server.crt ca.crt > server-full.crt
===== Cross-signing certificates ===== ===== Cross-signing certificates =====
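Review bot: typo in the added sentence: "certificiate" should be "certificate". The ''cat'' command lists ''server.crt'' before ''ca.crt'', which is the correct order (leaf first, issuer after), and the text should say so, since readers who reverse it will produce a chain that does not validate. It should also connect this to the earlier warning: presenting ''server-full.crt'' rather than ''server.crt'' is one of the listed ways for a private root to reach iPXE without a ''crosscert'' server or an embedded root. A short reminder not to concatenate ''ca.key'' or ''server.key'' into this file would not go amiss, as the chain is handed to every client.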
Line 116: Line 125:
This embedded script would refuse to boot unless the downloaded version of ''vmlinuz'' could be successfully verified using the signature file ''vmlinuz.sig''. This embedded script would refuse to boot unless the downloaded version of ''vmlinuz'' could be successfully verified using the signature file ''vmlinuz.sig''.
 +
 +===== Embedded certificates =====
 +
 +You can embed one or more full certificates when you [[:download|build]] iPXE using the ''%%CERT=...%%'' build parameter.  For example:
 +
 +  make bin/ipxe.iso CERT=cert1.crt,cert2.crt
 +
 +Embedded certificates are not automatically trusted; you will need to specify any [[#trusted_root_certificates|trusted root certificates]] explicitly using the ''%%TRUST=...%%'' build parameter.  For example:
 +
 +  make bin/ipxe.iso CERT=ca.crt TRUST=ca.crt
 +
 +{{ :clipart:warning.png?90x75|Warning}}
 +
 +Note that embedded certificates are generally quite large, and you should embed a certificate only if it is not feasible to obtain the certificate from another source (e.g. by configuring a ''[[:cfg:crosscert]]'' server).
===== Client certificates ===== ===== Client certificates =====
-You can embed a client certificate (and the corresponding private) key when you [[:download|build]] iPXE using the ''%%CERT=...%%'' and ''%%PRIVKEY=...%%'' build parameters.  For example, to use the client certificate ''client.crt'' with the corresponding private key in ''client.key'':+You can generate a client certificate ''client.crt'' and the corresponding private key ''client.key'' using: 
 + 
 +    openssl req -newkey rsa -keyout client.key -out client.req 
 +    openssl ca -config ca.cnf -in client.req -out client.crt 
 + 
 +You can embed this client certificate (and the corresponding private key) when you [[:download|build]] iPXE using the ''%%CERT=...%%'' and ''%%PRIVKEY=...%%'' build parameters.  For example:
  make bin/ipxe.iso CERT=client.crt PRIVKEY=client.key   make bin/ipxe.iso CERT=client.crt PRIVKEY=client.key
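Review bot: ''openssl req -newkey rsa'' prompts to protect ''client.key'' with a passphrase and leaves the key size to the OpenSSL default, which differs between versions; the text should state whether ''PRIVKEY=...'' accepts a passphrase-protected key (if it does not, the command needs ''-nodes'') and pin the size explicitly, e.g. ''-newkey rsa:2048''. Because the private key is compiled into ''bin/ipxe.iso'', a warning box like the two added above, noting that anyone who can read the built binary can extract ''client.key'', belongs in this section. In the "Embedded certificates" part of the same hunk, the ''CERT=ca.crt TRUST=ca.crt'' example should say whether ''TRUST=...'' replaces or extends the default iPXE root CA trust, since a private-CA deployment will usually want the public root removed.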
 
crypto.1337646577.txt.gz · Last modified: 2012/05/22 00:29 by mcb30
All uses of this content must include an attribution to the iPXE project and the URL http://ipxe.org
References to "iPXE" may not be altered or removed.