[ipxe-devel] Validation of SSL certificates for HTTPS

Michael Brown mbrown at fensystems.co.uk
Thu Mar 22 17:24:45 UTC 2012


On Thursday 22 Mar 2012 16:44:54 Terry Burton wrote:
> > iPXE embeds only the SHA-256 fingerprints of the trusted root
> > certificates, not the whole certificate.  A consequence of this is that
> > the server must currently provide the full certificate chain, including
> > the root certificate and any cross-signing certificates.  This
> > limitation will eventually be lifted, by enabling iPXE to automatically
> > download the relevant cross-signing certificates when needed.
> 
> Thanks for this!
> 
> It's working perfectly well for my purposes using an embedded
> self-signed certificate but I will report on success with CA-signed
> (and cross-signed) certificates if we go that way.

Great!  Thanks for letting me know.  :)

In case you're interested, I'm currently working on code-signing.  The code 
PKCS#7 functionality is tested and committed, but I want to rationalise some 
of the image-management commands before adding any more.

Michael
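
Added example, not part of the original message and not iPXE's own code: a simplified model of the fingerprint-only trust store described in the quoted text, showing why a chain that omits the root cannot be anchored. The function names and the byte strings standing in for DER certificates are constructed for illustration, and signature checks between chain links are left out.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(bundle):
    """Split a PEM bundle into DER blobs, in the order the server presents them."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(bundle)]

def find_anchor(bundle, trusted_fingerprints):
    """Return (index, sha256_hex) of the first presented certificate whose
    SHA-256 fingerprint over the DER encoding is in the trusted set, or None
    if the chain contains nothing the fingerprint list can anchor."""
    # Accept both plain hex and the colon-separated form printed by
    # `openssl x509 -fingerprint -sha256`.
    trusted = {f.replace(":", "").lower() for f in trusted_fingerprints}
    for index, der in enumerate(pem_to_der_list(bundle)):
        fp = hashlib.sha256(der).hexdigest()
        if fp in trusted:
            return index, fp
    return None

def to_pem(der):
    """Helper for the constructed samples below."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-ins for DER certificates (not real X.509 data).
LEAF = b"constructed-leaf-certificate-der"
INTERMEDIATE = b"constructed-cross-signing-certificate-der"
ROOT = b"constructed-root-certificate-der"

# The client holds only this fingerprint, not the root certificate itself.
ROOT_FP = hashlib.sha256(ROOT).hexdigest()

FULL_CHAIN = to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT)
CHAIN_WITHOUT_ROOT = to_pem(LEAF) + to_pem(INTERMEDIATE)

if __name__ == "__main__":
    print("full chain:   ", find_anchor(FULL_CHAIN, {ROOT_FP}))
    print("root omitted: ", find_anchor(CHAIN_WITHOUT_ROOT, {ROOT_FP}))
    print("self-signed:  ", find_anchor(to_pem(ROOT), {ROOT_FP}))
```

Running the same check over a server's real chain file shows whether it includes a certificate matching a fingerprint the client trusts.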


