This shows you the differences between two versions of the page.
crypto [2012/08/01 11:35] mcb30 |
crypto [2013/11/12 16:09] mcb30 |
||
---|---|---|---|
Line 33: | Line 33: | ||
Certificates must be in PEM format. | Certificates must be in PEM format. | ||
+ | |||
+ | {{ :clipart:warning.png?90x75|Warning}} | ||
+ | |||
+ | The full root certificates are too large to be embedded into the iPXE binary; only the SHA-256 fingerprints of the certificates can be included. If you are using the default {{:certs:ca.crt|"iPXE root CA" certificate}}, then iPXE will automatically download the full root certificate as needed from [[http://ca.ipxe.org/ca.crt]] (or from a mirror specified using the ''[[:cfg:crosscert]]'' setting). If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own ''[[:cfg:crosscert]]'' server, or by including the root certificate within all certificate chains presented to iPXE as documented below. | ||
{{ :clipart:books.png?160x160|Some books}} | {{ :clipart:books.png?160x160|Some books}} | ||
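Review bot: The added warning paragraph points at a plain http:// URL (http://ca.ipxe.org/ca.crt) for the full root certificate but does not say how the downloaded certificate is tied back to the embedded SHA-256 fingerprint. One sentence stating that relationship would keep the HTTP fetch from reading as a trust gap. "As documented below" would also be easier to follow as a link to the section that shows how to build the full chain.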
Line 83: | Line 87: | ||
openssl ca -config ca.cnf -in server.req -out server.crt | openssl ca -config ca.cnf -in server.req -out server.crt | ||
- | This will create a server certificate ''server.crt'' which is signed by your private root certificate. | + | This will create a server certificate ''server.crt'' which is signed by your private root certificate. You can create a full certificate chain including both ''server.crt'' and your private root certificiate ''ca.crt'' using: |
+ | |||
+ | cat server.crt ca.crt > server-full.crt | ||
===== Cross-signing certificates ===== | ===== Cross-signing certificates ===== |
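Review bot: "certificiate" in the added sentence should be "certificate". The sentence could also say what server-full.crt is for, namely the chain the server presents to iPXE when a private root certificate is used, as the warning added near line 33 describes, and that the server certificate comes first in the file, which is the order the cat command already produces.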