[ipxe-devel] Validation of SSL certificates for HTTPS
Michael Brown
mbrown at fensystems.co.uk
Sun Mar 25 00:44:11 UTC 2012
On Thursday 22 Mar 2012 17:24:45 Michael Brown wrote:
> On Thursday 22 Mar 2012 16:44:54 Terry Burton wrote:
> > It's working perfectly well for my purposes using an embedded
> > self-signed certificate but I will report on success with CA-signed
> > (and cross-signed) certificates if we go that way.
>
> Great! Thanks for letting me know. :)
>
> In case you're interested, I'm currently working on code-signing. The code
> PKCS#7 functionality is tested and committed, but I want to rationalise
> some of the image-management commands before adding any more.

Code-signing is now available. For example:

  # Require the use of trusted images
  imgtrust --permanent
  # Download a kernel over an untrusted connection
  kernel http://${next-server}/boot/vmlinuz
  # Verify the digital signature and boot the kernel
  imgverify vmlinuz http://${next-server}/boot/vmlinuz.sig
  boot vmlinuz

Suitable signatures can be created using openssl:

  openssl cms -sign -binary -noattr -in vmlinuz \
      -signer codesign.crt -inkey codesign.key -certfile ca.crt \
      -outform DER -out vmlinuz.sig

I'd appreciate any test reports and general feedback.

Michael
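
A signature can be checked on the build host before it is published for imgverify. The following is an added example, not part of the original message or of the iPXE project: it builds a throwaway CA and signer, signs a stand-in file with the same openssl cms options as above, and uses openssl cms -verify to confirm that the detached signature validates and that an altered copy is rejected. All certificate names, file names and file contents are constructed, and whether a given iPXE build accepts these particular certificates is not tested here.

```shell
#!/bin/sh
# Added example: throwaway test PKI plus the message's "openssl cms -sign" options.
# All file names, CNs and the stand-in "vmlinuz" content are constructed.

make_test_pki() {  # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=Constructed Code Signer" \
        -keyout "$1/codesign.key" -out "$1/codesign.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/codesign.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/codesign.crt" 2>/dev/null
}

sign_image() {  # $1 = working directory, $2 = image file name
    # Same options as the command in the message; output is a detached DER signature.
    openssl cms -sign -binary -noattr -in "$1/$2" \
        -signer "$1/codesign.crt" -inkey "$1/codesign.key" \
        -certfile "$1/ca.crt" -outform DER -out "$1/$2.sig" 2>/dev/null
}

verify_image() {  # $1 = working directory, $2 = image file, $3 = signature file
    # Checks the signature over the file and the signer's chain to ca.crt.
    openssl cms -verify -binary -inform DER -in "$1/$3" -content "$1/$2" \
        -CAfile "$1/ca.crt" -out /dev/null 2>/dev/null
}

selfcheck() {  # returns 0 only if the signed file verifies and the altered copy does not
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for a kernel image\n' > "$d/vmlinuz"
    make_test_pki "$d" && sign_image "$d" vmlinuz || { rm -rf "$d"; return 1; }
    { cat "$d/vmlinuz"; printf 'X'; } > "$d/vmlinuz.tampered"
    rc=1
    if verify_image "$d" vmlinuz vmlinuz.sig &&
       ! verify_image "$d" vmlinuz.tampered vmlinuz.sig; then rc=0; fi
    rm -rf "$d"
    return $rc
}
```

Call selfcheck to run the whole round trip; it exits non-zero if the altered copy is accepted or the genuine file is rejected.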