Cross-signed certificate source

Name

  crosscert

Details

Type String
DHCP option number 175.93
ISC dhcpd syntax option ipxe.crosscert

Examples

Set the cross-signed certificate source manually

  iPXE> set crosscert http://ca.ipxe.org/auto

Configure the cross-signed certificate source in ISC dhcpd

  # in /etc/dhcpd.conf
  option space ipxe;
  option ipxe-encap-opts code 175 = encapsulate ipxe;
  option ipxe.crosscert code 93 = string;
  
  option ipxe.crosscert "http://ca.ipxe.org/auto";

Description

Specifies the source URI for cross-signed CA certificates.

If no URI is explicitly specified, then the default URI http://ca.ipxe.org/auto will be used.

See also

Notes

By default, iPXE contains only a single trusted root certificate (the “iPXE root CA” certificate). In order to use a standard SSL certificate issued by a public CA (such as Verisign), iPXE must be able to download a cross-signed certificate to complete the chain of trust up to the “iPXE root CA” certificate. These cross-signed certificates are downloaded automatically when needed.

The current policy of ca.ipxe.org is to provide cross-signed certificates for almost all CAs that are trusted by the Firefox web browser. Certificates remain valid for 90 days. Cross-signed certificates are not provided for the following CAs:

  • China Internet Network Information Centre (CNNIC)1)

If you are booting using HTTPS on a private network with no access to http://ca.ipxe.org/auto then you may wish to create a local mirror, and use the crosscert setting to direct your clients to download the cross-signed certificates from your local mirror. For example:

  option ipxe.crosscert "http://192.168.0.10/pub/mirror/ca.ipxe.org/auto";

If you are using a local mirror, then you will also need to provide an OCSP proxy service.

There is no need to use HTTPS to download the cross-signed certificates. The cross-signed certificates are not automatically trusted simply because they have been downloaded from the server specified by the crosscert setting; they are trusted only because they have been signed by the “iPXE root CA” certificate.

cfg/crosscert.txt · Last modified: 2015/03/24 19:11 by mcb30
Recent changes RSS feed CC Attribution-Share Alike 4.0 International Driven by DokuWiki
All uses of this content must include an attribution to the iPXE project and the URL http://ipxe.org
References to "iPXE" may not be altered or removed.