This shows you the differences between two versions of the page.
crypto [2013/11/12 16:06] mcb30
crypto [2018/03/23 23:31] mcb30
Line 10: | Line 10: | ||
^ Public-key algorithms | RSA | | ^ Public-key algorithms | RSA | | ||
^ Block cipher algorithms | AES-128-CBC AES-256-CBC | | ^ Block cipher algorithms | AES-128-CBC AES-256-CBC | | ||
- | ^ Hash algorithms | MD5 SHA-1 SHA-256 | | + | ^ Hash algorithms | MD5 SHA-1 SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256 | |
The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA, and RSA_WITH_AES_128_CBC_SHA. | The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA, and RSA_WITH_AES_128_CBC_SHA. | ||
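Review bot: the new hash row adds SHA-224, SHA-384, SHA-512, SHA-512/224 and SHA-512/256, but the cipher-suite sentence below it is unchanged and still lists only the _SHA and _SHA256 suites, so a reader is left wondering where the extra digests are used; state explicitly what they apply to (certificate signature verification, if that is the case) rather than implying new TLS cipher suites. The row also keeps MD5 alongside the SHA-2 family; it would help to say whether MD5 is still accepted for certificate signatures, since accepting it weakens the chain-of-trust checks the rest of this page describes.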
Line 16: | Line 16: | ||
===== Trusted root certificates ===== | ===== Trusted root certificates ===== | ||
- | In the default configuration, iPXE trusts only a single root certificate: the {{:certs:ca.crt|"iPXE root CA" certificate}}. | + | In the default configuration, iPXE trusts only a single root certificate: the {{:certs:ca.crt|"iPXE root CA" certificate}}. This root certificate is used to cross-sign the standard [[http://mxr.mozilla.org/comm-central/source/mozilla/security/nss/lib/ckfw/builtins/certdata.txt|Mozilla list of public CA certificates]]. |
+ | |||
+ | In the default configuration, iPXE will therefore automatically trust the same set of certificates as the [[https://www.mozilla.org/firefox/|Firefox]] web browser. | ||
If you want more control over the chain of trust, then you can generate your own private root certificate ''ca.crt'' using: | If you want more control over the chain of trust, then you can generate your own private root certificate ''ca.crt'' using: | ||
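Review bot: the added sentence means the default build accepts a certificate from any CA on the Mozilla list, so the page should say when the cross-signed set is regenerated; the Mozilla list changes over time, and a CA removed from it would otherwise remain trusted by iPXE until the next refresh. The certdata.txt link is also plain http; prefer an https link in a document that is itself about establishing trust.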
Line 36: | Line 38: | ||
{{ :clipart:warning.png?90x75|Warning}} | {{ :clipart:warning.png?90x75|Warning}} | ||
- | The full root certificates are too large to be embedded into the iPXE binary; only the SHA-256 fingerprints of the certificates can be included. If you are using the default {{:certs:ca.crt|"iPXE root CA" certificate}}, then iPXE will automatically download the full root certificate as needed from [[http://ca.ipxe.org/ca.crt]] (or from a mirror specified using the ''[[:cfg:crosscert]]'' setting). If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own ''[[:cfg:crosscert]]'' server, or by including the root certificate within all certificate chains presented to iPXE as documented below. | + | The full root certificates are generally too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints will be included by default. If you are using the default {{:certs:ca.crt|"iPXE root CA" certificate}}, then iPXE will automatically download the full root certificate as needed from [[http://ca.ipxe.org/ca.crt]] (or from a mirror specified using the ''[[:cfg:crosscert]]'' setting). |
+ | |||
+ | If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own ''[[:cfg:crosscert]]'' server, or by including the root certificate within all certificate chains presented to iPXE (as documented below), or by explicitly [[#embedded_certificates|embedding the full root certificate]] within the iPXE binary. | ||
{{ :clipart:books.png?160x160|Some books}} | {{ :clipart:books.png?160x160|Some books}} | ||
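Review bot: the rewritten first sentence drops the object of "fingerprints": the old text read "SHA-256 fingerprints of the certificates", the new one only "the SHA-256 fingerprints will be included by default"; suggest "only the SHA-256 fingerprints of the trusted root certificates will be included by default". The second paragraph's third option (embedding the full root certificate) is a good addition, but it should mention that the embedded-certificates section carries its own size warning, so readers weighing the three options are not surprised later.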
Line 87: | Line 91: | ||
openssl ca -config ca.cnf -in server.req -out server.crt | openssl ca -config ca.cnf -in server.req -out server.crt | ||
- | This will create a server certificate ''server.crt'' which is signed by your private root certificate. | + | This will create a server certificate ''server.crt'' which is signed by your private root certificate. You can optionally create a full certificate chain including both ''server.crt'' and your private root certificiate ''ca.crt'' using: |
+ | |||
+ | cat server.crt ca.crt > server-full.crt | ||
===== Cross-signing certificates ===== | ===== Cross-signing certificates ===== | ||
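Review bot: "certificiate" in the added sentence is a typo for "certificate". The cat command builds the chain in the expected order (server certificate first, root last), and this is exactly the "including the root certificate within all certificate chains" option referred to in the warning earlier on the page, so link the two; it is also worth a word that only public certificates go into server-full.crt and never the CA private key, since this file is served to clients.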
Line 121: | Line 127: | ||
This embedded script would refuse to boot unless the downloaded version of ''vmlinuz'' could be successfully verified using the signature file ''vmlinuz.sig''. | This embedded script would refuse to boot unless the downloaded version of ''vmlinuz'' could be successfully verified using the signature file ''vmlinuz.sig''. | ||
+ | |||
+ | ===== Embedded certificates ===== | ||
+ | |||
+ | You can embed one or more full certificates when you [[:download|build]] iPXE using the ''%%CERT=...%%'' build parameter. For example: | ||
+ | |||
+ | make bin/ipxe.iso CERT=cert1.crt,cert2.crt | ||
+ | |||
+ | Embedded certificates are not automatically trusted; you will need to specify any [[#trusted_root_certificates|trusted root certificates]] explicitly using the ''%%TRUST=...%%'' build parameter. For example: | ||
+ | |||
+ | make bin/ipxe.iso CERT=ca.crt TRUST=ca.crt | ||
+ | |||
+ | {{ :clipart:warning.png?90x75|Warning}} | ||
+ | |||
+ | Note that embedded certificates are generally quite large, and you should embed a certificate only if it is not feasible to obtain the certificate from another source (e.g. by configuring a ''[[:cfg:crosscert]]'' server). | ||
===== Client certificates ===== | ===== Client certificates ===== |
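Review bot: the section should state whether a certificate named in TRUST= must also be named in CERT= (the example uses ca.crt for both), and which file format the build parameters accept, because the two examples leave a reader unsure whether TRUST=ca.crt on its own embeds only the fingerprint. The closing warning says to prefer obtaining the certificate from a crosscert server, but the earlier warning on this page says a private root is only available from your own crosscert server, so say here that a private root needs either a private crosscert server or embedding, and that the size concern applies to the full certificate, not the fingerprint.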