Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
crypto [2013/11/12 16:09] mcb30 |
crypto [2014/03/28 19:00] mcb30 |
||
|---|---|---|---|
| Line 36: | Line 36: | ||
| {{ :clipart:warning.png?90x75|Warning}} | {{ :clipart:warning.png?90x75|Warning}} | ||
| - | The full root certificates are too large to be embedded into the iPXE binary; only the SHA-256 fingerprints of the certificates can be included. If you are using the default {{:certs:ca.crt|"iPXE root CA" certificate}}, then iPXE will automatically download the full root certificate as needed from [[http://ca.ipxe.org/ca.crt]] (or from a mirror specified using the ''[[:cfg:crosscert]]'' setting). If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own ''[[:cfg:crosscert]]'' server, or by including the root certificate within all certificate chains presented to iPXE as documented below. | + | The full root certificates are generally too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints will be included by default. If you are using the default {{:certs:ca.crt|"iPXE root CA" certificate}}, then iPXE will automatically download the full root certificate as needed from [[http://ca.ipxe.org/ca.crt]] (or from a mirror specified using the ''[[:cfg:crosscert]]'' setting). |
| + | |||
| + | If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own ''[[:cfg:crosscert]]'' server, or by including the root certificate within all certificate chains presented to iPXE (as documented below), or by explicitly [[#embedded_certificates|embedding the full root certificate]] within the iPXE binary. | ||
| {{ :clipart:books.png?160x160|Some books}} | {{ :clipart:books.png?160x160|Some books}} | ||
| Line 87: | Line 89: | ||
| openssl ca -config ca.cnf -in server.req -out server.crt | openssl ca -config ca.cnf -in server.req -out server.crt | ||
| - | This will create a server certificate ''server.crt'' which is signed by your private root certificate. You can create a full certificate chain including both ''server.crt'' and your private root certificiate ''ca.crt'' using: | + | This will create a server certificate ''server.crt'' which is signed by your private root certificate. You can optionally create a full certificate chain including both ''server.crt'' and your private root certificiate ''ca.crt'' using: |
| cat server.crt ca.crt > server-full.crt | cat server.crt ca.crt > server-full.crt | ||
| Line 123: | Line 125: | ||
| This embedded script would refuse to boot unless the downloaded version of ''vmlinuz'' could be successfully verified using the signature file ''vmlinuz.sig''. | This embedded script would refuse to boot unless the downloaded version of ''vmlinuz'' could be successfully verified using the signature file ''vmlinuz.sig''. | ||
| + | |||
| + | ===== Embedded certificates ===== | ||
| + | |||
| + | You can embed one or more full certificates when you [[:download|build]] iPXE using the ''%%CERT=...%%'' build parameter. For example: | ||
| + | |||
| + | make bin/ipxe.iso CERT=cert1.crt,cert2.crt | ||
| + | |||
| + | Embedded certificates are not automatically trusted; you will need to specify any [[#trusted_root_certificates|trusted root certificates]] explicitly using the ''%%TRUST=...%%'' build parameter. For example: | ||
| + | |||
| + | make bin/ipxe.iso CERT=ca.crt TRUST=ca.crt | ||
| + | |||
| + | {{ :clipart:warning.png?90x75|Warning}} | ||
| + | |||
| + | Note that embedded certificates are generally quite large, and you should embed a certificate only if it is not feasible to obtain the certificate from another source (e.g. by configuring a ''[[:cfg:crosscert]]'' server). | ||
| ===== Client certificates ===== | ===== Client certificates ===== | ||
