====== Cross-signed certificate source ======

===== Name =====

crosscert

===== Details =====

^ Type | [[:cfgtype:string|String]] |
^ DHCP option number | 175.93 |
^ ISC dhcpd syntax | ''option ipxe.crosscert'' |

===== Examples =====

=== Set the cross-signed certificate source manually ===

  iPXE> set crosscert http://ca.ipxe.org/auto

=== Configure the cross-signed certificate source in ISC dhcpd ===

  # in /etc/dhcpd.conf
  option space ipxe;
  option ipxe-encap-opts code 175 = encapsulate ipxe;
  option ipxe.crosscert code 93 = string;
  option ipxe.crosscert "http://ca.ipxe.org/auto";

===== Description =====

Specifies the source URI for cross-signed CA certificates. If no URI is explicitly specified, then the default URI [[http://ca.ipxe.org/auto]] will be used.

===== See also =====

  * ''[[:cfg:trust]]''
  * iPXE [[:crypto|cryptography]] guide
  * [[:cfg|List of all iPXE settings]]

===== Notes =====

By default, iPXE contains only a single trusted root certificate: the "iPXE root CA" certificate. In order to use a standard SSL certificate issued by a public CA (such as Verisign), iPXE must be able to download a cross-signed certificate that completes the chain of trust from the public CA up to the "iPXE root CA" certificate. These cross-signed certificates are downloaded automatically when needed.

The current policy of ''ca.ipxe.org'' is to provide cross-signed certificates for almost all CAs that are trusted by the [[http://www.mozilla.org/firefox/|Firefox]] web browser. Each cross-signed certificate remains valid for 90 days.

Cross-signed certificates are not provided for the following CAs:

  * China Internet Network Information Centre (CNNIC)((Following the issuance of an [[http://googleonlinesecurity.blogspot.co.uk/2015/03/maintaining-digital-certificate-security.html|unrestricted intermediate CA certificate used in an eavesdropping proxy server]]))

If you are booting using HTTPS on a private network with no access to [[http://ca.ipxe.org/auto]], then you may wish to create a local mirror and use the ''crosscert'' setting to direct your clients to download the cross-signed certificates from that mirror. For example:

  option ipxe.crosscert "http://192.168.0.10/pub/mirror/ca.ipxe.org/auto";

If you are using a local mirror, then you will also need to provide an OCSP proxy service.

There is no need to use HTTPS to download the cross-signed certificates. The cross-signed certificates are **not** automatically trusted simply because they have been downloaded from the server specified by the ''crosscert'' setting; they are trusted only because they have been signed by the "iPXE root CA" certificate. A hostile mirror (or an attacker on the path to it) can therefore withhold or corrupt a cross-signed certificate and so make the boot fail, but cannot substitute a certificate that iPXE will accept.
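To make that last point concrete, the following is an added example written for this page in Go; it is not iPXE's own code and does not use iPXE's real keys. It models the trust decision with Go's ''crypto/x509'' chain builder standing in for iPXE's validator: a client that pins a single root, a public CA that issued an HTTPS server certificate, a genuine cross-signed certificate for that public CA issued by the pinned root, and a substitute that a hostile mirror might serve instead. Every CA name, key and the hostname ''boot.example.test'' is a constructed stand-in. The example shows that the server certificate chains to the pinned root only when the cross-signed certificate is present, and that a substitute signed by any other key is rejected regardless of which server it was downloaded from.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result records the outcome of the four verification checks run by Demo.
type Result struct {
	GenuineCrossCertAccepted    bool // cross-signed cert actually signed by the pinned root
	RogueCrossCertAccepted      bool // substitute from a hostile mirror, signed by another key
	ServerChainWithCrossCert    bool // public-CA server cert + cross-signed cert -> pinned root
	ServerChainWithoutCrossCert bool // the same server cert with no cross-signed cert available
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey generates a fresh P-256 key: constructed test data, not a real iPXE or CA key.
func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// caTemplate returns a 90-day CA certificate template for the given subject name.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// issue signs tmpl for public key pub with parentKey (parent == tmpl self-signs).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// verifies reports whether cert chains to the single pinned root, optionally through the
// supplied intermediates. Where the certificates were downloaded from plays no part.
func verifies(cert, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// Demo models the page's scenario: a client trusting only the "iPXE root CA", a public CA
// that issued an HTTPS server certificate, and two cross-signed certificates for that
// public CA obtained from a mirror, one genuine and one forged.
func Demo() Result {
	ipxeKey, publicKey, attackerKey, serverKey := newKey(), newKey(), newKey(), newKey()
	ipxeTmpl := caTemplate("iPXE root CA (constructed stand-in)", 1)
	ipxeRoot := issue(ipxeTmpl, ipxeTmpl, &ipxeKey.PublicKey, ipxeKey)
	publicTmpl := caTemplate("Example Public CA", 2)
	publicCA := issue(publicTmpl, publicTmpl, &publicKey.PublicKey, publicKey)
	// Genuine cross-signed certificate: the public CA's name and key, signed by the iPXE root.
	genuine := issue(caTemplate("Example Public CA", 3), ipxeRoot, &publicKey.PublicKey, ipxeKey)
	// Substitute a hostile mirror might serve: same name and key, signed by the attacker's CA.
	rogue := issue(caTemplate("Example Public CA", 4), caTemplate("Hostile mirror CA", 5), &publicKey.PublicKey, attackerKey)
	// Ordinary HTTPS server certificate issued by the public CA (the hostname is made up).
	server := issue(&x509.Certificate{
		SerialNumber: big.NewInt(6),
		DNSNames:     []string{"boot.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, publicCA, &serverKey.PublicKey, publicKey)
	return Result{
		GenuineCrossCertAccepted:    verifies(genuine, ipxeRoot),
		RogueCrossCertAccepted:      verifies(rogue, ipxeRoot),
		ServerChainWithCrossCert:    verifies(server, ipxeRoot, genuine),
		ServerChainWithoutCrossCert: verifies(server, ipxeRoot),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it prints the four results; only the first and third are true. The rogue certificate carries exactly the same subject name and public key as the genuine one, so nothing about its contents or its origin distinguishes it: it fails solely because its signature does not verify under the pinned root, which is the same reason iPXE can safely fetch cross-signed certificates over plain HTTP from any mirror.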