[ipxe-devel] HTTPS with own CA certificate
Sven Dreyer
sven at dreyer-net.de
Fri Mar 8 12:00:45 UTC 2013
Thank you very much for your help, Michael.
> - provide the CA root certificate as part of the certificate chain
> published by the web server. (Other TLS clients do not require this
This one works like a charm with Apache 2.2.
Hint for others trying this way: you cannot just append the CA
certificate to your server certificate file (like it is possible with a
lot of other software), because Apache 2.2 only seems to see the
first certificate in this file.
Instead, you have to set "SSLCertificateChainFile" to your CA
certificate (chain).
> - use the "crosscert" setting (http://ipxe.org/cfg/crosscert) to
> provide iPXE with a location from which to download your CA root
> certificate.
Thanks for the hint, I also got this working. I have to specify

  set crosscert http://myserver.org/ca

and when I type

  chain https://myserver.org/ipxe/menu.ipxe

iPXE searches the root CA certificate under this URL:

  http://myserver.org/ca/1001f0cc.der

Okay, some kind of hash, I think. So I symlinked my "root.crt" to
"1001f0cc.der" and it worked.
But where does the hash come from? OpenSSL's hash algorithms produce
different results:

  $ openssl x509 -subject_hash -in root.crt -noout
  448d51cf
  $ openssl x509 -subject_hash_old -in root.crt -noout
  a7d99ed0

As I just said, it works; I'm just curious. :-)
Thanks again and best regards,
Sven
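
The Apache 2.2 arrangement described in the message above, written out as an added example that is not part of the original post. The file paths and the virtual host layout are assumptions; only the host name and the directive named in the message come from the thread.

```apache
# Added example: paths below are assumed, adjust to your installation.
<VirtualHost *:443>
    ServerName myserver.org
    SSLEngine on

    # Server certificate and key. As described in the message, appending
    # root.crt to this file does not work on Apache 2.2: only the first
    # certificate in the file appears to be used, so the CA certificate
    # never reaches the client.
    SSLCertificateFile      /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/server.key

    # Separate PEM file holding the CA certificate (chain): any
    # intermediate CA certificates first, then the private root CA.
    # Apache sends these after the server certificate in the handshake,
    # which is what lets iPXE see the root as part of the published chain.
    SSLCertificateChainFile /etc/apache2/ssl/ca-chain.crt
</VirtualHost>
```

Running `openssl s_client -connect myserver.org:443 -showcerts` against the server lists every certificate it actually sends, which confirms whether the CA certificate is included.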