[ipxe-devel] HTTPS with own CA certificate

Sven Dreyer sven at dreyer-net.de
Fri Mar 8 12:00:45 UTC 2013


Thank you very much for your help, Michael.

> - provide the CA root certificate as part of the certificate chain
> published by the web server.  (Other TLS clients do not require this

This one works like a charm with Apache 2.2.

Hint for others trying this way: you cannot just append the CA 
certificate to your server certificate file (as is possible with a 
lot of other software), because Apache 2.2 only seems to see the 
first certificate in this file.

Instead, you have to set "SSLCertificateChainFile" to your CA 
certificate (chain).

> - use the "crosscert" setting (http://ipxe.org/cfg/crosscert) to
> provide iPXE with a location from which to download your CA root
> certificate.

Thanks for the hint, I also got this working. I have to specify

set crosscert http://myserver.org/ca

and when I type

chain https://myserver.org/ipxe/menu.ipxe

iPXE searches the root CA certificate under this URL:

http://myserver.org/ca/1001f0cc.der

Okay, some kind of hash, I think. So I symlinked my "root.crt" to 
"1001f0cc.der" and it worked.

But where does the hash come from? OpenSSL's hash algorithms produce 
different results:

$ openssl x509 -subject_hash -in root.crt -noout
448d51cf
$ openssl x509 -subject_hash_old -in root.crt -noout
a7d99ed0

As I just said, it works; I'm just curious. :-)

Thanks again and best regards,
Sven
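
Added example, not part of the original message: one way to apply the Apache 2.2 hint above when you start from a single concatenated PEM bundle, by splitting it so the server certificate goes to SSLCertificateFile and the remaining CA certificates go to SSLCertificateChainFile. The function names, file names and the sample bundle are constructed for illustration; the bundle is assumed to list the server certificate first.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed, not from the post.

# make_sample_bundle FILE
# Writes three placeholder PEM blocks (not real certificates) in the order
# server, intermediate CA, root CA.
make_sample_bundle() {
    for body in SERVERCERT INTERMEDIATECA ROOTCA; do
        printf '%s\n%s\n%s\n' \
            '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
    done > "$1"
}

# split_bundle BUNDLE SERVER_OUT CHAIN_OUT
# Copies the first certificate to SERVER_OUT and all later ones to CHAIN_OUT,
# then prints how many certificates the bundle contained.
split_bundle() {
    : > "$2"
    : > "$3"
    awk -v first="$2" -v rest="$3" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (n == 1 ? first : rest) }
        /^-----END CERTIFICATE-----/   { inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# apache_directives SERVER_OUT CHAIN_OUT
# Prints the matching Apache 2.2 directives; the chain line is omitted when
# the bundle held only one certificate.
apache_directives() {
    printf 'SSLCertificateFile %s\n' "$1"
    if [ -s "$2" ]; then
        printf 'SSLCertificateChainFile %s\n' "$2"
    fi
}

# Demo on the constructed bundle.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/bundle.pem"
split_bundle "$demo_dir/bundle.pem" "$demo_dir/server.crt" "$demo_dir/chain.crt"
apache_directives "$demo_dir/server.crt" "$demo_dir/chain.crt"
rm -rf "$demo_dir"
```
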



