[ipxe-devel] SSL/TLS support in iPXE

Michael Brown mbrown at fensystems.co.uk
Wed May 9 14:23:11 UTC 2012

On Wednesday 09 May 2012 15:08:46 Mark Gollahon wrote:
> > As of a few minutes ago, SSL/TLS support in iPXE should be working for
> > all valid HTTPS addresses.  You can now use an unmodified web server
> > with a certificate issued by any public CA (Verisign, Equifax, etc.).
> >  Any certificate trusted by Firefox should now be trusted by iPXE.
> I admit that I am a noob on this, but how will iPXE handle another
> DigiNotar?  Will fresh iPXE source have to be compiled and
> re-deployed?

No; a compromised CA such as DigiNotar would not require a new iPXE binary.

Only one certificate is compiled in to iPXE, which is the "iPXE root CA" 
certificate.  Only a compromise of _this_ certificate (or whichever alternative 
root certificate you build in using TRUST=...) would require a rebuild and 

If a public CA certificate is compromised (as with DigiNotar), then this CA 
certificate will be removed from the set of cross-signed certificates hosted on 
http://ca.ipxe.org/.  Existing iPXE builds would no longer be able to obtain a 
valid cross-signing certificate, and so would no longer trust the compromised 

(At present, there is a 90-day window during which an attacker could use a 
previously-issued cross-signing certificate to cause iPXE to trust the 
compromised CA.  This window will be reduced to a few hours once OCSP has been 


More information about the ipxe-devel mailing list