Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
crypto [2013/11/12 16:09]
mcb30
crypto [2015/09/10 15:21]
mcb30
Line 10: Line 10:
 ^ Public-key algorithms ​   | RSA                        | ^ Public-key algorithms ​   | RSA                        |
 ^ Block cipher algorithms ​ | AES-128-CBC AES-256-CBC ​   | ^ Block cipher algorithms ​ | AES-128-CBC AES-256-CBC ​   |
-^ Hash algorithms ​         | MD5 SHA-1 SHA-256 ​         |+^ Hash algorithms ​         | MD5 SHA-1 SHA-224 ​SHA-256 ​SHA-384 SHA-512 SHA-512/224 SHA-512/​256  ​|
  
 The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256,​ RSA_WITH_AES_128_CBC_SHA256,​ RSA_WITH_AES_256_CBC_SHA,​ and RSA_WITH_AES_128_CBC_SHA. The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256,​ RSA_WITH_AES_128_CBC_SHA256,​ RSA_WITH_AES_256_CBC_SHA,​ and RSA_WITH_AES_128_CBC_SHA.
Line 36: Line 36:
 {{ :​clipart:​warning.png?​90x75|Warning}} {{ :​clipart:​warning.png?​90x75|Warning}}
  
-The full root certificates are too large to be embedded into the iPXE binaryonly the SHA-256 fingerprints ​of the certificates can be included. ​ If you are using the default {{:​certs:​ca.crt|"​iPXE root CA" certificate}},​ then iPXE will automatically download the full root certificate as needed from [[http://​ca.ipxe.org/​ca.crt]] (or from a mirror specified using the ''​[[:​cfg:​crosscert]]''​ setting). ​ If you are using a private root certificate,​ then you must make this certificate available to iPXE either by setting up your own ''​[[:​cfg:​crosscert]]''​ server, or by including the root certificate within all certificate chains presented to iPXE as documented below.+The full root certificates are generally ​too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints ​will be included ​by default.  If you are using the default {{:​certs:​ca.crt|"​iPXE root CA" certificate}},​ then iPXE will automatically download the full root certificate as needed from [[http://​ca.ipxe.org/​ca.crt]] (or from a mirror specified using the ''​[[:​cfg:​crosscert]]''​ setting). 
 + 
 +If you are using a private root certificate,​ then you must make this certificate available to iPXE either by setting up your own ''​[[:​cfg:​crosscert]]''​ server, or by including the root certificate within all certificate chains presented to iPXE (as documented below), or by explicitly [[#​embedded_certificates|embedding the full root certificate]] within the iPXE binary.
  
 {{ :​clipart:​books.png?​160x160|Some books}} {{ :​clipart:​books.png?​160x160|Some books}}
Line 87: Line 89:
     openssl ca -config ca.cnf -in server.req -out server.crt     openssl ca -config ca.cnf -in server.req -out server.crt
  
-This will create a server certificate ''​server.crt''​ which is signed by your private root certificate. ​ You can create a full certificate chain including both ''​server.crt''​ and your private root certificiate ''​ca.crt''​ using:+This will create a server certificate ''​server.crt''​ which is signed by your private root certificate. ​ You can optionally ​create a full certificate chain including both ''​server.crt''​ and your private root certificiate ''​ca.crt''​ using:
  
     cat server.crt ca.crt > server-full.crt     cat server.crt ca.crt > server-full.crt
Line 123: Line 125:
  
 This embedded script would refuse to boot unless the downloaded version of ''​vmlinuz''​ could be successfully verified using the signature file ''​vmlinuz.sig''​. This embedded script would refuse to boot unless the downloaded version of ''​vmlinuz''​ could be successfully verified using the signature file ''​vmlinuz.sig''​.
 +
 +===== Embedded certificates =====
 +
 +You can embed one or more full certificates when you [[:​download|build]] iPXE using the ''​%%CERT=...%%''​ build parameter. ​ For example:
 +
 +  make bin/​ipxe.iso CERT=cert1.crt,​cert2.crt
 +
 +Embedded certificates are not automatically trusted; you will need to specify any [[#​trusted_root_certificates|trusted root certificates]] explicitly using the ''​%%TRUST=...%%''​ build parameter. ​ For example:
 +
 +  make bin/​ipxe.iso CERT=ca.crt TRUST=ca.crt
 +
 +{{ :​clipart:​warning.png?​90x75|Warning}}
 +
 +Note that embedded certificates are generally quite large, and you should embed a certificate only if it is not feasible to obtain the certificate from another source (e.g. by configuring a ''​[[:​cfg:​crosscert]]''​ server).
  
 ===== Client certificates ===== ===== Client certificates =====
crypto.txt · Last modified: 2018/03/23 23:31 by mcb30
Recent changes RSS feed CC Attribution-Share Alike 4.0 International Driven by DokuWiki
All uses of this content must include an attribution to the iPXE project and the URL http://ipxe.org
References to "iPXE" may not be altered or removed.