Differences

crypto [2013/11/12 16:09]
mcb30
crypto [2014/03/28 19:00]
mcb30
Line 36: Line 36:
 {{ :​clipart:​warning.png?​90x75|Warning}} {{ :​clipart:​warning.png?​90x75|Warning}}
  
-The full root certificates are too large to be embedded into the iPXE binaryonly the SHA-256 fingerprints ​of the certificates can be included. ​ If you are using the default {{:​certs:​ca.crt|"​iPXE root CA" certificate}},​ then iPXE will automatically download the full root certificate as needed from [[http://​ca.ipxe.org/​ca.crt]] (or from a mirror specified using the ''​[[:​cfg:​crosscert]]''​ setting). ​ If you are using a private root certificate,​ then you must make this certificate available to iPXE either by setting up your own ''​[[:​cfg:​crosscert]]''​ server, or by including the root certificate within all certificate chains presented to iPXE as documented below.+The full root certificates are generally ​too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints ​will be included ​by default.  If you are using the default {{:​certs:​ca.crt|"​iPXE root CA" certificate}},​ then iPXE will automatically download the full root certificate as needed from [[http://​ca.ipxe.org/​ca.crt]] (or from a mirror specified using the ''​[[:​cfg:​crosscert]]''​ setting). 
 + 
 +If you are using a private root certificate,​ then you must make this certificate available to iPXE either by setting up your own ''​[[:​cfg:​crosscert]]''​ server, or by including the root certificate within all certificate chains presented to iPXE (as documented below), or by explicitly [[#​embedded_certificates|embedding the full root certificate]] within the iPXE binary.
  
 {{ :​clipart:​books.png?​160x160|Some books}} {{ :​clipart:​books.png?​160x160|Some books}}
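Review bot: the new first sentence drops the referent that the old wording had ("the SHA-256 fingerprints of the certificates"), so "only the SHA-256 fingerprints will be included by default" no longer says whose fingerprints are meant; suggest "only the SHA-256 fingerprints of the root certificates will be included by default". Also, the added third option in the new paragraph ("explicitly embedding the full root certificate within the iPXE binary") should say that embedding alone does not make the certificate trusted, since the new "Embedded certificates" section states that an embedded certificate must additionally be listed via TRUST=...; without that hint a reader could embed a private root with CERT= only and be surprised when verification still fails.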
Line 87: Line 89:
     openssl ca -config ca.cnf -in server.req -out server.crt     openssl ca -config ca.cnf -in server.req -out server.crt
  
-This will create a server certificate ''​server.crt''​ which is signed by your private root certificate. ​ You can create a full certificate chain including both ''​server.crt''​ and your private root certificiate ''​ca.crt''​ using:+This will create a server certificate ''​server.crt''​ which is signed by your private root certificate. ​ You can optionally ​create a full certificate chain including both ''​server.crt''​ and your private root certificiate ''​ca.crt''​ using:
  
     cat server.crt ca.crt > server-full.crt     cat server.crt ca.crt > server-full.crt
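Review bot: the typo "certificiate" is carried over unchanged on both sides of this hunk; fix it to "certificate" while this sentence is being edited. The newly inserted "optionally" also reads as stronger than the earlier paragraph supports: including ca.crt in the chain is one of the three listed ways to make a private root available to iPXE, so it is optional only when a crosscert server is configured or the root is embedded at build time. Suggest "You can optionally create a full certificate chain (required if you are not using a crosscert server or an embedded root certificate) including both ..." or similar.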
Line 123: Line 125:
  
 This embedded script would refuse to boot unless the downloaded version of ''​vmlinuz''​ could be successfully verified using the signature file ''​vmlinuz.sig''​. This embedded script would refuse to boot unless the downloaded version of ''​vmlinuz''​ could be successfully verified using the signature file ''​vmlinuz.sig''​.
 +
 +===== Embedded certificates =====
 +
 +You can embed one or more full certificates when you [[:​download|build]] iPXE using the ''​%%CERT=...%%''​ build parameter. ​ For example:
 +
 +  make bin/​ipxe.iso CERT=cert1.crt,​cert2.crt
 +
 +Embedded certificates are not automatically trusted; you will need to specify any [[#​trusted_root_certificates|trusted root certificates]] explicitly using the ''​%%TRUST=...%%''​ build parameter. ​ For example:
 +
 +  make bin/​ipxe.iso CERT=ca.crt TRUST=ca.crt
 +
 +{{ :​clipart:​warning.png?​90x75|Warning}}
 +
 +Note that embedded certificates are generally quite large, and you should embed a certificate only if it is not feasible to obtain the certificate from another source (e.g. by configuring a ''​[[:​cfg:​crosscert]]''​ server).
  
 ===== Client certificates ===== ===== Client certificates =====
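Review bot: the comma-separated form of the CERT=... parameter is only shown in the example ("CERT=cert1.crt,cert2.crt") and never stated in prose; a sentence such as "separate multiple certificate files with commas" before the example would make the syntax explicit rather than inferred. The warning at the end frames binary size as the only consideration; it would help operators weigh the trade-off if it also noted the benefit visible elsewhere on this page, namely that an embedded root certificate removes the need for iPXE to reach the crosscert server (or ca.ipxe.org) at boot time, which matters in isolated networks where that download is not possible.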
crypto.txt · Last modified: 2018/03/23 23:31 by mcb30
All uses of this content must include an attribution to the iPXE project and the URL http://ipxe.org
References to "iPXE" may not be altered or removed.