Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
crypto [2013/11/12 16:09]
mcb30
crypto [2018/03/23 23:31]
mcb30
Line 10: Line 10:
 ^ Public-key algorithms ​   | RSA                        | ^ Public-key algorithms ​   | RSA                        |
 ^ Block cipher algorithms ​ | AES-128-CBC AES-256-CBC ​   | ^ Block cipher algorithms ​ | AES-128-CBC AES-256-CBC ​   |
-^ Hash algorithms ​         | MD5 SHA-1 SHA-256 ​         |+^ Hash algorithms ​         | MD5 SHA-1 SHA-224 ​SHA-256 ​SHA-384 SHA-512 SHA-512/224 SHA-512/​256  ​|
  
 The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256,​ RSA_WITH_AES_128_CBC_SHA256,​ RSA_WITH_AES_256_CBC_SHA,​ and RSA_WITH_AES_128_CBC_SHA. The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256,​ RSA_WITH_AES_128_CBC_SHA256,​ RSA_WITH_AES_256_CBC_SHA,​ and RSA_WITH_AES_128_CBC_SHA.
Line 16: Line 16:
 ===== Trusted root certificates ===== ===== Trusted root certificates =====
  
-In the default configuration,​ iPXE trusts only a single root certificate:​ the {{:​certs:​ca.crt|"​iPXE root CA" certificate}}.+In the default configuration,​ iPXE trusts only a single root certificate:​ the {{:​certs:​ca.crt|"​iPXE root CA" certificate}}.  This root certificate is used to cross-sign the standard [[http://​mxr.mozilla.org/​comm-central/​source/​mozilla/​security/​nss/​lib/​ckfw/​builtins/​certdata.txt|Mozilla list of public CA certificates]]. 
 + 
 +In the default configuration,​ iPXE will therefore automatically trust the same set of certificates as the [[https://​www.mozilla.org/​firefox/​|Firefox]] web browser.
  
 If you want more control over the chain of trust, then you can generate your own private root certificate ''​ca.crt''​ using: If you want more control over the chain of trust, then you can generate your own private root certificate ''​ca.crt''​ using:
Line 36: Line 38:
 {{ :​clipart:​warning.png?​90x75|Warning}} {{ :​clipart:​warning.png?​90x75|Warning}}
  
-The full root certificates are too large to be embedded into the iPXE binaryonly the SHA-256 fingerprints ​of the certificates can be included. ​ If you are using the default {{:​certs:​ca.crt|"​iPXE root CA" certificate}},​ then iPXE will automatically download the full root certificate as needed from [[http://​ca.ipxe.org/​ca.crt]] (or from a mirror specified using the ''​[[:​cfg:​crosscert]]''​ setting). ​ If you are using a private root certificate,​ then you must make this certificate available to iPXE either by setting up your own ''​[[:​cfg:​crosscert]]''​ server, or by including the root certificate within all certificate chains presented to iPXE as documented below.+The full root certificates are generally ​too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints ​will be included ​by default.  If you are using the default {{:​certs:​ca.crt|"​iPXE root CA" certificate}},​ then iPXE will automatically download the full root certificate as needed from [[http://​ca.ipxe.org/​ca.crt]] (or from a mirror specified using the ''​[[:​cfg:​crosscert]]''​ setting). 
 + 
 +If you are using a private root certificate,​ then you must make this certificate available to iPXE either by setting up your own ''​[[:​cfg:​crosscert]]''​ server, or by including the root certificate within all certificate chains presented to iPXE (as documented below), or by explicitly [[#​embedded_certificates|embedding the full root certificate]] within the iPXE binary.
  
 {{ :​clipart:​books.png?​160x160|Some books}} {{ :​clipart:​books.png?​160x160|Some books}}
Line 87: Line 91:
     openssl ca -config ca.cnf -in server.req -out server.crt     openssl ca -config ca.cnf -in server.req -out server.crt
  
-This will create a server certificate ''​server.crt''​ which is signed by your private root certificate. ​ You can create a full certificate chain including both ''​server.crt''​ and your private root certificiate ''​ca.crt''​ using:+This will create a server certificate ''​server.crt''​ which is signed by your private root certificate. ​ You can optionally ​create a full certificate chain including both ''​server.crt''​ and your private root certificiate ''​ca.crt''​ using:
  
     cat server.crt ca.crt > server-full.crt     cat server.crt ca.crt > server-full.crt
Line 123: Line 127:
  
 This embedded script would refuse to boot unless the downloaded version of ''​vmlinuz''​ could be successfully verified using the signature file ''​vmlinuz.sig''​. This embedded script would refuse to boot unless the downloaded version of ''​vmlinuz''​ could be successfully verified using the signature file ''​vmlinuz.sig''​.
 +
 +===== Embedded certificates =====
 +
 +You can embed one or more full certificates when you [[:​download|build]] iPXE using the ''​%%CERT=...%%''​ build parameter. ​ For example:
 +
 +  make bin/​ipxe.iso CERT=cert1.crt,​cert2.crt
 +
 +Embedded certificates are not automatically trusted; you will need to specify any [[#​trusted_root_certificates|trusted root certificates]] explicitly using the ''​%%TRUST=...%%''​ build parameter. ​ For example:
 +
 +  make bin/​ipxe.iso CERT=ca.crt TRUST=ca.crt
 +
 +{{ :​clipart:​warning.png?​90x75|Warning}}
 +
 +Note that embedded certificates are generally quite large, and you should embed a certificate only if it is not feasible to obtain the certificate from another source (e.g. by configuring a ''​[[:​cfg:​crosscert]]''​ server).
  
 ===== Client certificates ===== ===== Client certificates =====
crypto.txt · Last modified: 2018/03/23 23:31 by mcb30
Recent changes RSS feed CC Attribution-Share Alike 4.0 International Driven by DokuWiki
All uses of this content must include an attribution to the iPXE project and the URL http://ipxe.org
References to "iPXE" may not be altered or removed.