On 08/03/13 12:00, Sven Dreyer wrote:
> Thanks for the hint, I also got this working. I have to specify
>   set crosscert http://myserver.org/ca
> and when I type
>   chain https://myserver.org/ipxe/menu.ipxe
> iPXE searches for the root CA certificate under this URL:
>   http://myserver.org/ca/1001f0cc.der
> Okay, some kind of hash, I think. So I symlinked my "root.crt" to
> "1001f0cc.der" and it worked.
> But where does the hash come from?

It's actually the CRC32 of the raw bytes comprising the X.509 subject
(extracted from the issuer of the last certificate in the chain). We do
this because it's easy to calculate within iPXE without adding extra code.

The "?subject=..." parameter is added for server-side debugging; if you
see requests for an unknown CRC32, then the extra parameter gives you
some way to find out what the client was looking for.

You can calculate the CRC32 in Perl using Digest::CRC::crc32(), though
extracting the subject raw bytes is non-trivial since there is no CPAN
module which does it neatly.

Michael
_______________________________________________
ipxe-devel mailing list
[email protected]
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
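
The file-name lookup described in the reply above, as an added example that is not part of the original thread and is not iPXE's own code: it pulls the raw issuer Name out of a DER certificate (the last one in the chain) and formats its CRC32 as the file name requested under the crosscert URL. It assumes the standard CRC-32 (what Digest::CRC::crc32() computes) and that the raw bytes include the Name's tag and length octets; `tlv`, `read_tlv`, `issuer_raw`, `crosscert_name` and the sample certificate skeleton are constructed for illustration.

```python
import zlib

def tlv(tag, body):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def read_tlv(buf, off):
    """Return (tag, value_start, end) of the DER TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits = length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_raw(cert_der):
    """Raw issuer Name from a DER certificate, tag and length octets included."""
    tag, pos, _ = read_tlv(cert_der, 0)     # Certificate SEQUENCE
    tag2, pos, _ = read_tlv(cert_der, pos)  # tbsCertificate SEQUENCE
    if (tag, tag2) != (0x30, 0x30):
        raise ValueError("not a certificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] version
        pos = end
    for want in (0x02, 0x30, 0x30):         # serialNumber, signature, issuer
        start = pos
        tag, _, pos = read_tlv(cert_der, pos)
        if tag != want:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return cert_der[start:pos]

def crosscert_name(raw_name):
    """Assumed naming per the message: standard CRC32 as 8 hex digits + .der."""
    return "%08x.der" % (zlib.crc32(raw_name) & 0xFFFFFFFF)

# Constructed sample: certificate skeleton whose issuer is CN=Example Root CA.
SAMPLE_NAME = tlv(0x30, tlv(0x31, tlv(0x30,
    tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Example Root CA"))))
SAMPLE_CERT = tlv(0x30, tlv(0x30,
    tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
    + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    + SAMPLE_NAME))
```

Compare the computed name with the one that appears in the web server's request log for a real chain before symlinking certificates to it.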