[ipxe-devel] HTTPS with own CA certificate

Michael Brown mbrown at fensystems.co.uk
Fri Mar 8 12:20:41 UTC 2013

On 08/03/13 12:00, Sven Dreyer wrote:
> Thanks for the hint, I also got this working. I have to specify
> set crosscert http://myserver.org/ca
> and when I type
> chain https://myserver.org/ipxe/menu.ipxe
> iPXE searches the root CA certificate under this URL:
> http://myserver.org/ca/1001f0cc.der
> Okay, some kind of hash, I think. So I symlinked my "root.crt" to
> "1001f0cc.der" and it worked.
> But where comes the hash from?

It's actually the CRC32 of the raw bytes comprising the X.509 subject 
(extracted from the issuer of the last certificate in the chain).  We do 
this because it's easy to calculate within iPXE without adding extra code.

The "?subject=..." parameter is added for server-side debugging; if you 
see requests for an unknown CRC32, then the extra parameter gives you 
some way to find out what the client was looking for.

You can calculate the CRC32 in Perl using Digest::CRC::crc32(), though 
extracting the subject raw bytes is non-trivial since there is no CPAN 
module which does it neatly.


More information about the ipxe-devel mailing list