[ipxe-devel] HTTPS with own CA certificate
Michael Brown
mbrown at fensystems.co.uk
Fri Mar 8 12:20:41 UTC 2013
On 08/03/13 12:00, Sven Dreyer wrote:
> Thanks for the hint, I also got this working. I have to specify
>
> set crosscert http://myserver.org/ca
>
> and when I type
>
> chain https://myserver.org/ipxe/menu.ipxe
>
> iPXE searches the root CA certificate under this URL:
>
> http://myserver.org/ca/1001f0cc.der
>
> Okay, some kind of hash, I think. So I symlinked my "root.crt" to
> "1001f0cc.der" and it worked.
>
> But where does the hash come from?

It's actually the CRC32 of the raw bytes comprising the X.509 subject
(extracted from the issuer of the last certificate in the chain). We do
this because it's easy to calculate within iPXE without adding extra code.

The "?subject=..." parameter is added for server-side debugging; if you
see requests for an unknown CRC32, then the extra parameter gives you
some way to find out what the client was looking for.

You can calculate the CRC32 in Perl using Digest::CRC::crc32(), though
extracting the subject raw bytes is non-trivial since there is no CPAN
module which does it neatly.

Michael
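
The lookup described in the reply above, as an added example that is not part of the original message or of iPXE's code: it pulls the raw issuer and subject Name bytes out of a DER certificate with a small TLV reader and derives the `<crc32>.der` filename. Assumptions: the CRC is the standard CRC-32 that Digest::CRC::crc32() computes, the "raw bytes" are the full DER encoding of the Name including its tag and length, and the function names and the sample certificate skeleton are constructed for illustration.

```python
import zlib

def read_tlv(buf, pos):
    """Return (tag, content_start, end) of the DER element starting at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def name_fields(cert_der):
    """Return (issuer, subject) as raw DER Name bytes, tag and length included."""
    _, pos, _ = read_tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, pos)     # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:end]))
        pos = end
    if fields and fields[0][0] == 0xA0:           # optional [0] version
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("not an X.509 tbsCertificate")
    # remaining order: serialNumber, signature, issuer, validity, subject
    return fields[2][1], fields[4][1]

def crosscert_filename(name_der):
    """Assumption: standard CRC-32 (as Digest::CRC::crc32), printed as 8 hex digits."""
    return "%08x.der" % zlib.crc32(name_der)

# --- constructed sample: a certificate-shaped DER skeleton, not a real signed cert ---
def tlv(tag, content):
    n = len(content)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + content

def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
ISSUER, SUBJECT = name(b"Example Root CA"), name(b"myserver.org")
VALIDITY = tlv(0x30, tlv(0x17, b"130101000000Z") * 2)
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG
          + ISSUER + VALIDITY + SUBJECT + tlv(0x30, b""))
SAMPLE_CERT = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    issuer, _ = name_fields(SAMPLE_CERT)
    print(crosscert_filename(issuer))   # name to publish the issuing CA under
```

Before relying on the result, compare it with the filename the client actually requests in the web server's access log, since that request is the authoritative value.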