[ipxe-devel] Embedding certificates
Nicolas Sylvain
nsylvain at gmail.com
Mon Apr 13 23:59:08 UTC 2015
Here's a slightly simpler question:
How are the .der files on ca.ipxe.org/auto generated?
I don't seem to be able to look at them:
$ wget http://ca.ipxe.org/auto/5df65e6d.der
$ openssl x509 -inform der -in 5df65e6d.der -text
unable to load certificate
140302646982304:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1337:
140302646982304:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:388:Type=X509
If I create my own cross-signed certificates using the commands in
ipxe.org/crypto and convert them to .der files using openssl, I get this
error:
https://SOMETHING.appspot.com/somepath...
TLS 0xe9fb4 using protocol version 3.3
TLS 0xe9fb4 selected rsa-aes_cbc-128-sha256
[...]
CERTSTORE added certificate *.appspot.com
X509 chain 0xe9cd4 added X509 0xed6f4 "*.appspot.com"
TLS 0xe9fb4 found certificate *.appspot.com
[...]
CERTSTORE added certificate Google Internet Authority G2
X509 chain 0xe9cd4 added X509 0xedc84 "Google Internet Authority G2"
TLS 0xe9fb4 found certificate Google Internet Authority G2
[...]
CERTSTORE added certificate GeoTrust Global CA
X509 chain 0xe9cd4 added X509 0xee134 "GeoTrust Global CA"
TLS 0xe9fb4 found certificate GeoTrust Global CA
.X509 chain 0xe9cd4 found no usable certificates
VALIDATOR 0xea264 downloading cross-signed certificate from http://10.0.0.1/5df65e6d.der?subject=ME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHk=
HTTP 0xea6c4 response "HTTP/1.0 200 OK"
HTTP 0xea6c4 header "Server: SimpleHTTP/0.6 Python/2.7.6"
HTTP 0xea6c4 header "Date: Mon, 13 Apr 2015 23:52:37 GMT"
HTTP 0xea6c4 header "Content-type: application/octet-stream"
HTTP 0xea6c4 header "Content-Length: 769"
HTTP 0xea6c4 header "Last-Modified: Mon, 13 Apr 2015 23:51:41 GMT"
HTTP 0xea6c4 start of data
ASN1 0x17d560 type mismatch (expected 49, got 48)
VALIDATOR 0xea264 could not enter certificateSet: Error 0x3e00e03b (http://ipxe.org/3e00e03b)
TLS 0xe9fb4 certificate validation failed: Error 0x3e00e03b (http://ipxe.org/3e00e03b)
Error 0x3e00e03b (http://ipxe.org/3e00e03b)
Somehow it wanted a "set" and I sent a "sequence", but I'm afraid I don't
understand the difference yet.
Thank you,
Nicolas
On Thu, Apr 9, 2015 at 2:41 PM, Nicolas Sylvain <nsylvain at gmail.com> wrote:
> Hello,
>
> Since my firewall blocks pretty much everything, including ca.ipxe.org, I
> got around to making https connections with iPXE by mirroring ca.ipxe.org
> and using the crosscert command. Unfortunately, to make that work, I had
> to disable OCSP in the code.
>
> I'd like to unfork my code, and to do that, I believe I need to create my
> own CA and cross signed certificates.
>
> Right now I'm only accessing some resources hosted on Google servers.
> (appengine, google cloud storage). It seems like all those servers have
> certificates trusted by GeoTrust Global CA.
>
> Here's what I tried to do:
>
> 1. Follow the instructions on http://ipxe.org/crypto to create my own CA
>
> 2. Download the Geotrust Global CA certs from http://ca.ipxe.org/raw/
>
> 3. Cross sign those certs using the instructions on the page above.
>
> 4. Build iPXE using :
>
>
> make bin/ipxe.usb EMBED=startup.ipxe CERT=geotrust-global-ca-2-cross.crt,geotrust-global-ca-cross.crt,ca.crt TRUST=ca.crt
>
> Then during boot, on the first attempt at using https, I get this error:
> http://ipxe.org/err/0216eb
>
>
> I also tried to pass the geotrust certs as-is on both CERT and TRUST, but
> that did not work either.
>
> Any idea what I'm doing wrong? I assume it's pretty obvious, as I don't
> understand much about certificates yet... but if you need more verbose
> logs, let me know and I can provide them.
>
> Thanks
>
> Nicolas
>
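To make the "expected 49, got 48" line in the log above concrete, here is an added diagnostic that is not iPXE's or OpenSSL's code and not part of the original thread: it reads the outer DER tag of a file and reports whether it is a bare X.509 certificate (SEQUENCE, tag 0x30 = 48) or a SET OF certificates (tag 0x31 = 49, which the validator calls certificateSet), and shows how certificates are wrapped into that SET. The stand-in certificate bytes are constructed, and whether a bare SET OF certificates is exactly the encoding the crosscert server must serve is an assumption to check against ipxe.org/crypto.

```python
SEQUENCE = 0x30   # ASN.1 universal SEQUENCE (decimal 48): a bare X.509 certificate
SET = 0x31        # ASN.1 universal SET (decimal 49): what "certificateSet" opens with


def der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_tlv(data, offset=0):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[offset], data[offset + 1]
    pos = offset + 2
    if first & 0x80:                      # long-form length: 0x8N then N length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:end], end


def classify(data):
    """Describe the outer structure the way the validator sees it."""
    tag, body, _ = read_tlv(data)
    if tag == SEQUENCE:
        return "bare certificate (SEQUENCE, tag 48): validator expects tag 49"
    if tag == SET:
        count, pos = 0, 0
        while pos < len(body):            # every SET member must itself be a SEQUENCE
            inner, _, pos = read_tlv(body, pos)
            if inner != SEQUENCE:
                return "SET containing a non-certificate element"
            count += 1
        return f"certificate set (SET, tag 49) with {count} certificate(s)"
    return f"unexpected outer tag {tag}"


def wrap_in_set(*certs):
    """Wrap DER certificates in a SET OF, the shape the error message names (assumption)."""
    body = b"".join(certs)
    return bytes([SET]) + der_length(len(body)) + body


# Constructed stand-in for a DER certificate: a SEQUENCE holding one INTEGER.
FAKE_CERT = bytes([SEQUENCE, 0x03, 0x02, 0x01, 0x05])

if __name__ == "__main__":
    import sys
    print(classify(open(sys.argv[1], "rb").read()))
```

Run it against the .der file that the validator rejected to see which outer tag it actually carries.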