[ipxe-devel] Embedding certificates

Nicolas Sylvain nsylvain at gmail.com
Thu Apr 9 21:41:23 UTC 2015


Hello,

Since my firewall blocks pretty much everything, including ca.ipxe.org, I
got around to making https connections with iPXE by mirroring ca.ipxe.org
and using the crosscert command.  Unfortunately, to make that work, I had
to disable OCSP in the code.

I'd like to unfork my code, and to do that, I believe I need to create my
own CA and cross-signed certificates.

Right now I'm only accessing some resources hosted on Google servers.
(appengine, google cloud storage). It seems like all those servers have
certificates trusted by GeoTrust Global CA.

Here's what I tried to do:

1. Follow the instructions on http://ipxe.org/crypto to create my own CA

2. Download the GeoTrust Global CA certs from http://ca.ipxe.org/raw/

3. Cross-sign those certs using the instructions on the page above.

4. Build iPXE using:


 make bin/ipxe.usb EMBED=startup.ipxe \
   CERT=geotrust-global-ca-2-cross.crt,geotrust-global-ca-cross.crt,ca.crt \
   TRUST=ca.crt

Then during boot, on the first attempt at using https, I get this error:
http://ipxe.org/err/0216eb


I also tried to pass the GeoTrust certs as-is on both CERT and TRUST, but
that did not work either.

Any idea what I'm doing wrong? I assume it's pretty obvious, as I don't
understand much about certificates yet...  but if you need more verbose
logs, let me know and I can provide them.

Thanks

Nicolas
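
A pre-build check for steps 3 and 4 of the message above, as an added example that is not part of the original post or of the iPXE project's tooling: it confirms that a cross-signed certificate keeps the original's subject and public key, is issued by the private root passed as TRUST, and verifies against it. The certificates, the file names (ca.crt, up.crt, up-cross.crt) and the helper functions are constructed for illustration, and the demo re-signs with a plain `openssl x509 -CA` rather than the procedure on ipxe.org/crypto.

```shell
#!/bin/sh
# Added example, not from the original post. All certificates below are
# constructed throwaway test material; file names are assumptions.

# Strip the "subject=" / "issuer=" prefix so the two names can be compared.
name_of() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# check_cross ROOT ORIG CROSS
# CROSS must keep ORIG's subject and public key (so server chains still
# link to it), be issued by ROOT, and verify against ROOT.
check_cross() {
    root=$1; orig=$2; cross=$3
    [ "$(name_of "$orig" subject)" = "$(name_of "$cross" subject)" ] ||
        { echo "subject differs from original" >&2; return 1; }
    [ "$(openssl x509 -in "$orig" -noout -pubkey)" = \
      "$(openssl x509 -in "$cross" -noout -pubkey)" ] ||
        { echo "public key differs from original" >&2; return 1; }
    [ "$(name_of "$root" subject)" = "$(name_of "$cross" issuer)" ] ||
        { echo "not issued by $root" >&2; return 1; }
    openssl verify -CAfile "$root" "$cross" >/dev/null 2>&1 ||
        { echo "does not verify against $root" >&2; return 1; }
}

# make_demo DIR: build a private root, a stand-in "public" CA, and a
# cross-signed copy of the latter, all constructed for this example.
make_demo() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/cross.ext" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Private Root" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Public CA" \
        -keyout "$d/up.key" -out "$d/up.crt" 2>/dev/null &&
    # Re-issue up.crt under the private root. -clrext drops the original's
    # extensions, including any authorityKeyIdentifier naming the old issuer key.
    openssl x509 -in "$d/up.crt" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 2 -days 30 -clrext -extfile "$d/cross.ext" \
        -out "$d/up-cross.crt" 2>/dev/null
}

# Run the constructed demo only when invoked as: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_demo "$d" &&
        check_cross "$d/ca.crt" "$d/up.crt" "$d/up-cross.crt" && echo "cross cert OK"
    rm -rf "$d"
fi
```

With real files, the call would take the private root, the downloaded CA certificate and its cross-signed copy as the three arguments, once per certificate listed in CERT.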