Are old cross-signed certs causing "iPXE cross-signing CA has expired" errors?
2016-09-07, 20:30
Post: #1
Are any certs still being served from signed by the cross-signing cert that expired in Feb 2016?

I see that is up to date. However, when running an HTTPS download from Google Cloud Storage, iPXE reports that "iPXE cross-signing CA" has expired.

Adding a new debug log line to crypto/x509.c I see that iPXE is using a cross-signing certificate that is valid "not after" 1456479729 (2016-02-26T09:42:09).

See a screenshot here: (I could not upload an attachment for this post)

These are the two HTTP GET requests from iPXE for the cross-signed certs (I believe).


And, I see that some *.der files have older timestamps than 31-Aug-2016: -- one in particular: 5df65e6d.der has an mtime of 01-Nov-2014.

Unfortunately, I'm not able to inspect these .der files; openssl reports:

$ openssl x509 -inform der -in ~/Downloads/5df65e6d.der -out certificate.pem
unable to load certificate
140437768582816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1338:
140437768582816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:390:Type=X509

Is this an issue with out-of-date certs? Will it be fixed?

Is there a repository or location for the scripts used to generate the auto/*.der files for self-hosting cross-signed certificate files?

Commands used to build and test.
$ make EMBED=embed.ipxe bin/ipxe.iso  DEBUG=x509,validator
$ cat embed.ipxe
set crosscert
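The "wrong tag" failure quoted in the post is what `openssl x509` reports when the input's ASN.1 structure does not match a single X.509 certificate. As an added example (not part of the original post and not iPXE project code), the following reads the DER headers of a blob and reports its outer tag and direct children, so a file like the one above can be classified before it is handed to a certificate parser. The helper names are hypothetical and the sample bytes are constructed for illustration; they are not the contents of any file served by the project.

```python
# Added example; helper names are hypothetical, sample bytes are constructed.
TAG_NAMES = {0x30: "SEQUENCE", 0x31: "SET", 0x03: "BIT STRING", 0x02: "INTEGER"}

def read_tlv(buf, off, limit):
    """Parse one DER header at buf[off]; return (tag, value_start, value_end)."""
    if off + 2 > limit:
        raise ValueError("truncated header")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not handled here")
    if first < 0x80:                      # short form: length fits in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > limit:
            raise ValueError("indefinite or truncated length (not valid DER)")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("value runs past the enclosing element")
    return tag, pos, pos + length

def describe_der(buf):
    """Report the outer tag, the tags of its direct children, and a cert-shape check."""
    tag, start, end = read_tlv(buf, 0, len(buf))
    children, pos = [], start
    if tag & 0x20:                        # constructed type: walk direct children
        while pos < end:
            ctag, _, cend = read_tlv(buf, pos, end)
            children.append(ctag)
            pos = cend
    name = lambda t: TAG_NAMES.get(t, "0x%02x" % t)
    return {
        "outer": name(tag),
        "children": [name(c) for c in children],
        # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
        "single_x509_shape": tag == 0x30 and children == [0x30, 0x30, 0x03],
        "trailing_bytes": len(buf) - end,
    }

# Constructed samples: an empty certificate-shaped SEQUENCE, and the same bytes
# wrapped in an outer SET (a container that a single-certificate parser rejects).
CERT_SHAPED = bytes.fromhex("300730003000030100")
WRAPPED = bytes.fromhex("3109") + CERT_SHAPED

if __name__ == "__main__":
    for label, blob in (("cert-shaped", CERT_SHAPED), ("wrapped", WRAPPED)):
        print(label, describe_der(blob))
```

To inspect a downloaded file, pass `open(path, "rb").read()` to `describe_der`; a result whose `single_x509_shape` is false tells you the file needs unwrapping or a different parser rather than `openssl x509`.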