iPXE bundling certificate chains for chainbooting HTTPS resources

[CMCDragonkai]

FYI: I asked this question on StackOverflow: https://stackoverflow.com/questions/5898...-resources because I didn't get the activation email from this forum for an entire day.

According to https://ipxe.org/crypto, by default iPXE trusts its own root certificate located here https://ipxe.org/_media/certs/ca.crt. I tested it it, and I was able to chain boot `https://boot.netboot.xyz` using `chain --autofree https://boot.netboot.xyz`.

I wanted to see if I could use my own custom certificate chain and embed it into iPXE.

To test this, I tried 2 certificates bundles in PEM format. The first is from https://curl.haxx.se/docs/caextract.html. The second is from my OS (NixOS) `cacert` package here https://github.com/NixOS/nixpkgs/blob/ma...efault.nix

In both cases I had a file that was PEM format.

Then I compiled iPXE with the options `CERT=...,TRUST=...`.

Then I tried chain booting into `https://boot.netboot.xyz`. However in both cases, they did not work. It always resulted in http://ipxe.org/err/0216eb.

If I tried instead downloading iPXE's root certificate and explicitly embedding it with `CERT=...,TRUST=...`, the chaining into HTTPs works.

So my questions are:

1. is there a specific format that iPXE requires for its certificate bundles.
2. why do certificate bundles used by curl and other similar applications not work for iPXE
3. how did iPXE's root certificate get cross signed on all of mozilla's public certs?

> This root certificate is used to cross-sign the standard Mozilla list of public CA certificates.
>
> https://ipxe.org/crypto

How did this happen? I would like to reproduce such an activity with my own private CA certificate using `openssl`.