Are old cross-signed certs causing "iPXE cross-signing CA has expired" errors?

[soltesz]

Are any certs still being served from http://ca.ipxe.org/auto signed by the cross-signing cert that expired in Feb 2016?

I see that http://ca.ipxe.org/cross-ca.crt is up to date. However, when running an https download from google cloud storage, ipxe reports that "iPXE cross-signing CA" has expired.

Adding a new debug log line to crypto/x509.c I see that iPXE is using a cross-signing certificate that is valid "not after" 1456479729 (2016-02-26T09:42:09).

See a screen shot here: https://storage.googleapis.com/dash-test...-error.png (I could not upload an attachment for this post)

These are the two HTTP get requests from iPXE for the cross-signed certs (I believe).

Code:

GET /auto/5df65e6d.der?subject=ME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyR​FcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHk= HTTP/1.1

GET /ocsp/root/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBSdIkBuCekXxHtcIxfjfzqJURDvHwQUq0EwXAuzDHEHMTwzdkSY​HFHUKnICASk= HTTP/1.1

And, I see that some *.der files have older timestamps than 31-Aug-2016:
http://ca.ipxe.org/auto/ -- one in particular: 5df65e6d.der has an mtime of 01-Nov-2014.

Unfortunately, I'm not able to inspect these .der files; openssl reports:

Code:

$ openssl x509 -inform der -in ~/Downloads/5df65e6d.der -out certificate.pem
unable to load certificate
140437768582816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1338:
140437768582816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:390:Type=X509

Is this an issue with out-of-date certs? Will it be fixed?

Is there a repository or location for the scripts used to generate the auto/*.der files for self-hosting cross-signed certificate files?

Commands used to build and test.

Code:

$ make EMBED=embed.ipxe bin/ipxe.iso  DEBUG=x509,validator
$ cat embed.ipxe
dhcp
set crosscert http://ca.ipxe.org/auto
kernel https://storage.googleapis.com/dash-test-1/tinycore/vmlinuz