Cross-signed certificate source




Type: String
DHCP option number: 175.93
ISC dhcpd syntax: option ipxe.crosscert


Set the cross-signed certificate source manually

  iPXE> set crosscert

Configure the cross-signed certificate source in ISC dhcpd

  # in /etc/dhcpd.conf
  option space ipxe;
  option ipxe-encap-opts code 175 = encapsulate ipxe;
  option ipxe.crosscert code 93 = string;
  option ipxe.crosscert "";


Specifies the source URI for cross-signed CA certificates.

If no URI is explicitly specified, then the default URI will be used.

By default, iPXE contains only a single trusted root certificate (the “iPXE root CA” certificate). In order to use a standard SSL certificate issued by a public CA (such as Verisign), iPXE must be able to download a cross-signed certificate to complete the chain of trust up to the “iPXE root CA” certificate. These cross-signed certificates are downloaded automatically when needed.

The current policy of is to provide cross-signed certificates for almost all CAs that are trusted by the Firefox web browser. Certificates remain valid for 90 days. Cross-signed certificates are not provided for the following CAs:

  • China Internet Network Information Centre (CNNIC)

If you are booting using HTTPS on a private network with no access to then you may wish to create a local mirror, and use the crosscert setting to direct your clients to download the cross-signed certificates from your local mirror. For example:

  option ipxe.crosscert "";

If you are using a local mirror, then you will also need to provide an OCSP proxy service.

There is no need to use HTTPS to download the cross-signed certificates. The cross-signed certificates are not automatically trusted simply because they have been downloaded from the server specified by the crosscert setting; they are trusted only because they have been signed by the “iPXE root CA” certificate.
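The trust rule above can be reproduced with the `openssl` command-line tool. This is an added example, not code from the iPXE project: every key, name and file in it is constructed locally, and `openssl verify` stands in for iPXE's own chain validation.

```shell
#!/bin/sh
# Constructed demo PKI: every key and name here is generated locally and only
# stands in for the iPXE root CA, a public CA and an HTTPS boot server.
DEMO=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

build_demo_pki() (
    cd "$DEMO" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    # The single trust anchor built into the client (stand-in for the iPXE root CA).
    q openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo boot root CA" -keyout root.key -out root.crt || exit 1
    # A public CA's key; the root cross-signs it, producing cross.crt.
    q openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo public CA" \
        -keyout pubca.key -out pubca.csr || exit 1
    q openssl x509 -req -in pubca.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 30 -out cross.crt || exit 1
    # Server certificate issued by the public CA.
    q openssl req -newkey rsa:2048 -nodes -subj "/CN=boot.example.test" \
        -keyout srv.key -out srv.csr || exit 1
    q openssl x509 -req -in srv.csr -CA cross.crt -CAkey pubca.key \
        -CAcreateserial -days 30 -out srv.crt || exit 1
    # Same public CA key, but signed by an unrelated key that only reuses the
    # root's name: what a download source could serve without the root's key.
    q openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo boot root CA" -keyout other.key -out other.crt || exit 1
    q openssl x509 -req -in pubca.csr -CA other.crt -CAkey other.key \
        -CAcreateserial -extfile ca.ext -days 30 -out foreign.crt || exit 1
)

# Succeeds only if srv.crt chains to root.crt through the downloaded file $1.
# The downloaded file is passed as -untrusted: it is never a trust anchor.
chain_ok() {
    q openssl verify -CAfile "$DEMO/root.crt" -untrusted "$DEMO/$1" "$DEMO/srv.crt"
}

build_demo_pki || { echo "openssl setup failed" >&2; exit 1; }
for f in cross.crt foreign.crt; do
    if chain_ok "$f"; then echo "$f: chain accepted"; else echo "$f: chain rejected"; fi
done
```

Both candidate files arrive over the same untrusted path; only the one signed by the root's private key lets the server certificate validate.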

cfg/crosscert.txt · Last modified: 2015/03/24 19:11 by mcb30
All uses of this content must include an attribution to the iPXE project and the URL
References to "iPXE" may not be altered or removed.