[ipxe-devel] HTTPS with own CA certificate

Michael Brown mbrown at fensystems.co.uk
Thu Mar 7 17:04:28 UTC 2013

On Thursday 07 Mar 2013 15:38:19 Sven Dreyer wrote:
> Wireshark reveals that the TLS connection is established, but after
> "SSL Client Hello" and "TLSv1 Server Hello, Certificate, Server Hello
> Done", iPXE seems to send an HTTP GET to
> http://ca.ipxe.org/auto/<hex>.der/<ServerCertIssuerAsBase64>
> which produces a 404 error. So this might be the reason for "no such
> file or directory".

This is what happens when the certificate chain as provided by the server is 
incomplete (i.e. the chain does not contain all certificates up to _and 
including_ the CA root certificate).  iPXE attempts to complete the chain by 
downloading the remainder from http://ca.ipxe.org/.

Since you are using a private root CA, this obviously won't work.  You have 
two options:

- provide the CA root certificate as part of the certificate chain published by 
the web server.  (Other TLS clients do not require this since they store the 
CA root certificate locally; iPXE stores only the CA root certificate fingerprint 
since the certificate itself is generally too large.)

- use the "crosscert" setting (http://ipxe.org/cfg/crosscert) to provide iPXE 
with a location from which to download your CA root certificate.
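
The completeness condition described in the reply above (every certificate up to and including a self-signed root), as an added example that is not part of the original post and is not iPXE code. It compares issuer and subject names only and verifies no signatures; `fake_cert`, `name`, `tlv` and the sample names are constructed for illustration.

```python
# Added example: name chaining only, no signature or validity checks.
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_subject(cert_der):
    """Return the raw DER encodings of a certificate's issuer and subject."""
    _, tbs_pos, _ = read_tlv(cert_der, 0)      # outer Certificate SEQUENCE
    _, pos, end = read_tlv(cert_der, tbs_pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert_der, pos)
        if tag != 0xA0:                        # skip optional [0] version
            fields.append(cert_der[pos:nxt])
        pos = nxt
    # Remaining order: serialNumber, signature, issuer, validity, subject
    return fields[2], fields[4]

def chain_status(chain):
    """chain: DER certificates in the order the server sends them, leaf first."""
    names = [issuer_and_subject(c) for c in chain]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            return f"broken: certificate {i} was not issued by certificate {i + 1}"
    issuer, subject = names[-1]
    if issuer != subject:
        return "incomplete: chain stops before a self-signed root"
    return "complete"

# Constructed test data: skeletal DER, not real certificates (all lengths < 128).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body

def name(cn):  # Name holding a single commonName (OID 2.5.4.3) attribute
    atv = tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def fake_cert(subject, issuer):
    tbs = (tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject))
    return tlv(0x30, tlv(0x30, tbs))

ROOT = fake_cert("Constructed Private Root CA", "Constructed Private Root CA")
LEAF = fake_cert("boot.example.test", "Constructed Private Root CA")
print(chain_status([LEAF]), "|", chain_status([LEAF, ROOT]))
```

For a real server, pass the DER certificates in the order the server presents them; `ssl.PEM_cert_to_DER_cert` converts each PEM block.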

