<div dir="ltr">Here's a slightly simpler question:<div><br></div><div>How are the .der files on <a href="http://ca.ipxe.org/auto">ca.ipxe.org/auto</a> generated?</div><div><br></div><div>I don't seem to be able to look at them :</div><div><br></div><div>$ wget <a href="http://ca.ipxe.org/auto/5df65e6d.der">http://ca.ipxe.org/auto/5df65e6d.der</a><br></div><div><div>$ openssl x509 -inform der -in 5df65e6d.der -text</div><div>unable to load certificate</div><div>140302646982304:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1337:</div><div>140302646982304:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:388:Type=X509</div></div><div><br></div><div><br></div><div>If I create my own cross-signed certificates using the commands in <a href="http://ipxe.org/crypto">ipxe.org/crypto</a> and convert them to .der files using openssl, I get this error :</div><div><br></div><div><br><br></div><div><div><a href="https://SOMETHING.appspot.com/somepath.">https://SOMETHING.appspot.com/somepath.</a>..</div><div>TLS 0xe9fb4 using protocol version 3.3</div><div>TLS 0xe9fb4 selected rsa-aes_cbc-128-sha256</div><div>[...]</div><div>CERTSTORE added certificate *.<a href="http://appspot.com">appspot.com</a><br></div><div>X509 chain 0xe9cd4 added X509 0xed6f4 "*.<a href="http://appspot.com">appspot.com</a>"</div><div>TLS 0xe9fb4 found certificate *.<a href="http://appspot.com">appspot.com</a></div><div>[...]</div><div>CERTSTORE added certificate Google Internet Authority G2<br></div><div>X509 chain 0xe9cd4 added X509 0xedc84 "Google Internet Authority G2"</div><div>TLS 0xe9fb4 found certificate Google Internet Authority G2</div><div>[...]</div><div>CERTSTORE added certificate GeoTrust Global CA<br></div><div>X509 chain 0xe9cd4 added X509 0xee134 "GeoTrust Global CA"</div><div>TLS 0xe9fb4 found certificate GeoTrust Global CA</div><div>.X509 chain 0xe9cd4 found no usable certificates</div><div>VALIDATOR 0xea264 downloading cross-signed certificate from <a href="http://10.0.0.1/5df65e6d.der?subject=ME4xCzAJBgNVBAYTAlVTM">http://10.0.0.1/5df65e6d.der?subject=ME4xCzAJBgNVBAYTAlVTM</a></div><div>RAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHk=</div><div>HTTP 0xea6c4 response "HTTP/1.0 200 OK"</div><div>HTTP 0xea6c4 header "Server: SimpleHTTP/0.6 Python/2.7.6"</div><div>HTTP 0xea6c4 header "Date: Mon, 13 Apr 2015 23:52:37 GMT"</div><div>HTTP 0xea6c4 header "Content-type: application/octet-stream"</div><div>HTTP 0xea6c4 header "Content-Length: 769"</div><div>HTTP 0xea6c4 header "Last-Modified: Mon, 13 Apr 2015 23:51:41 GMT"</div><div>HTTP 0xea6c4 start of data</div><div>ASN1 0x17d560 type mismatch (expected 49, got 48)</div><div>VALIDATOR 0xea264 could not enter certificateSet: Error 0x3e00e03b (<a href="http://ipxe.org/3e00e03b">http://ipxe.org/3e00e03b</a>)</div><div>TLS 0xe9fb4 certificate validation failed: Error 0x3e00e03b (<a href="http://ipxe.org/3e00e03b">http://ipxe.org/3e00e03b</a>)</div><div>Error 0x3e00e03b (<a href="http://ipxe.org/3e00e03b">http://ipxe.org/3e00e03b</a>)</div></div><div><br></div><div>Somehow it wanted a "set" and I sent a "sequence", but I'm afraid I don't understand the difference yet.<br></div><div><br></div><div>Thank you,</div><div><br></div><div>Nicolas</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 9, 2015 at 2:41 PM, Nicolas Sylvain <span dir="ltr"><<a href="mailto:nsylvain@gmail.com" target="_blank">nsylvain@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>Since my firewall blocks pretty much everything, including <a href="http://ca.ipxe.org" target="_blank">ca.ipxe.org</a>. I got around to making https connections with iPXE by mirroring <a href="http://ca.ipxe.org" target="_blank">ca.ipxe.org</a> and using the crosscert command. Unfortunately, to make that work, I had to disable OCSP in the code. <br></div><div><br></div><div>I'd like to unfork my code, and to do that, I believe I need to create my own CA and cross signed certificates.</div><div><br></div><div>Right now I'm only accessing some resources hosted on Google servers. (appengine, google cloud storage). It seems like all those servers have certificates trusted by GeoTrust Global CA.</div><div><br></div><div>Here's what I tried to do:</div><div><br></div><div>1. Follow the instructions on <a href="http://ipxe.org/crypto" target="_blank">http://ipxe.org/crypto</a> to create my own CA</div><div><br></div><div>2. Download the Geotrust Global CA certs from <a href="http://ca.ipxe.org/raw/" target="_blank">http://ca.ipxe.org/raw/</a></div><div><br></div><div>3. Cross sign those certs using the instructions on the page above.</div><div><br></div><div>4. Build iPXE using :</div><div><br></div><div><br></div><div><div> make bin/ipxe.usb EMBED=startup.ipxe CERT=geotrust-global-ca-2-cross.crt,geotrust-global-ca-cross.crt,ca.crt TRUST=ca.crt</div></div><div><br></div><div>Then during boot, on the first attempt at using https, I get this error : <a href="http://ipxe.org/err/0216eb" target="_blank">http://ipxe.org/err/0216eb</a></div><div><br></div><div><br></div><div>I also tried to pass the geotrust certs as-in on both CERT and TRUST, but that did not work either.</div><div><br></div><div>Any idea what I'm doing wrong? I assume it's pretty obvious, as I don't understand much about certificates yet... but if you need more verbose logs, let me know and I can provide them.</div><div><br></div><div>Thanks</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Nicolas</div><div><br></div><div><br></div><div><br></div><div><br></div></font></span></div>
</blockquote></div><br></div>