iPXE discussion forum

Full Version: iPXE bundling certificate chains for chainbooting HTTPS resources
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
FYI: I asked this question on StackOverflow: https://stackoverflow.com/questions/5898...-resources because I didn't get the activation email from this forum for an entire day.

According to https://ipxe.org/crypto, by default iPXE trusts its own root certificate located here https://ipxe.org/_media/certs/ca.crt. I tested it it, and I was able to chain boot `https://boot.netboot.xyz` using `chain --autofree https://boot.netboot.xyz`.

I wanted to see if I could use my own custom certificate chain and embed it into iPXE.

To test this, I tried 2 certificates bundles in PEM format. The first is from https://curl.haxx.se/docs/caextract.html. The second is from my OS (NixOS) `cacert` package here https://github.com/NixOS/nixpkgs/blob/ma...efault.nix

In both cases I had a file that was PEM format.

Then I compiled iPXE with the options `CERT=...,TRUST=...`.

Then I tried chain booting into `https://boot.netboot.xyz`. However in both cases, they did not work. It always resulted in http://ipxe.org/err/0216eb.

If I tried instead downloading iPXE's root certificate and explicitly embedding it with `CERT=...,TRUST=...`, the chaining into HTTPs works.

So my questions are:

1. is there a specific format that iPXE requires for its certificate bundles.
2. why do certificate bundles used by curl and other similar applications not work for iPXE
3. how did iPXE's root certificate get cross signed on all of mozilla's public certs?

> This root certificate is used to cross-sign the standard Mozilla list of public CA certificates.
>
> https://ipxe.org/crypto

How did this happen? I would like to reproduce such an activity with my own private CA certificate using `openssl`.
I think there should be a similar question and answer on the mailinglist

mozillas certificates are downloaded, bundled, and signed on ipxe once a month as i remember it.
So disabling OCSP is the solution?

But I'm not actually using my own custom certificate. I'm using the cacert provided to Linux distros, or even curls' certificate distribution. My question, is why these don't work automatically for HTTPs connections.

Do you have a link to the mailing list answer somewhere? I'd like to see how they do that step by step, and compare it to the curl certificate generation process.
(2019-11-23 15:26)NiKiZe Wrote: [ -> ]I think there should be a similar question and answer on the mailinglist

mozillas certificates are downloaded, bundled, and signed on ipxe once a month as i remember it.

Ping, do you have a link to where the certs are generated?
Reference URL's