Security: iPXE Anywhere HTTPS and Security Certificates | 2pint Knowledge Base

Applies to

iPXE Anywhere

Intro

2Pint iPXE Anywhere can be configured to communicate over HTTPS for customers who have highly secure environments that require such channels.

There are a number of different Certification Authorities on each part of the chain which need to trust each other in order for communication to happen between the various components that make up the iPXE Anywhere infrastructure.

Info

The iPXE Anywhere component has a 2PintSoftware.crt embedded into the software which is issued by the 2PintSoftware Root CA.

Also embedded in the iPXE Anywhere software is an iPXE.org.crt CA certificate issued from their Root CA (CA.iPXE.com), which in turn trusts the public root CAs such as Verisign, etc.

The iPXE Anywhere service on a client needs to establish a connection with the 2PXE server. This first request is hardcoded to HTTP, as the service is not aware whether the server endpoint is configured to accept HTTPS traffic, so this first exchange is not protected by TLS. In future versions there will be some configuration available around security options for this initial request; if this is important for your enterprise, please contact us for an update.

The initial response tells the client whether it should use a secured channel. If so, the service establishes an HTTPS connection with the 2PXE server over the default port of 8050 (a different port may be configured through DHCP option #252). Assuming that all is well and the server has been properly configured to use HTTPS, the 2PXE server then returns the .ipxe script file over the SSL tunnel, and the iPXE Anywhere client can get on with connecting to the configured resources as directed in the .ipxe script and perform some of that ol’ iPXE Anywhere magic.

Next the client needs to connect to the DP.

Using the embedded 2PintSoftware.crt, the 2Pint 2PXE server cross-signs with the client's/customer's CA.crt (their public certificate). This cross-signed certificate is then returned to the client over the secure channel. The iPXE client can now contact the DP to request an SSL-secured connection. The DP replies, requiring that the iPXE client use the customer's certificate to secure communication. The client can do this because it holds a cross-signed certificate that allows it to trust the customer CA.
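The trust relationship described above can be reproduced with the openssl command-line tool. This is an added example, not 2Pint's code or tooling: a constructed "embedded" root stands in for the root compiled into the client, a constructed customer CA is cross-signed by it, and a DP certificate issued by the customer CA verifies only when the cross-signed certificate is supplied. All names, keys and file names are assumptions made for the demo, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example: every key, name and file here is constructed locally as a
# stand-in; nothing is 2Pint's, iPXE's or a customer's real material.
set -eu

build_demo_pki() (   # $1 = working directory
    cd "$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        '[leaf]' 'basicConstraints = CA:FALSE' > pki.cnf
    # Stand-in for the root certificate embedded in the boot client.
    openssl req -config pki.cnf -x509 -extensions ca -newkey rsa:2048 -nodes \
        -days 30 -subj '/CN=Constructed Embedded Root' \
        -keyout embedded.key -out embedded.crt 2>/dev/null
    # Stand-in for the customer's private CA (self-signed, unknown to the client).
    openssl req -config pki.cnf -x509 -extensions ca -newkey rsa:2048 -nodes \
        -days 30 -subj '/CN=Constructed Customer CA' \
        -keyout customer.key -out customer.crt 2>/dev/null
    # Cross-sign: same subject and public key as customer.crt, but issued by
    # the embedded root. The CSR only carries that subject and key.
    openssl req -config pki.cnf -new -key customer.key \
        -subj '/CN=Constructed Customer CA' -out customer.csr
    openssl x509 -req -in customer.csr -CA embedded.crt -CAkey embedded.key \
        -set_serial 2 -days 30 -extfile pki.cnf -extensions ca \
        -out cross.crt 2>/dev/null
    # DP server certificate issued by the customer CA.
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -subj '/CN=dp.example.test' -keyout dp.key -out dp.csr 2>/dev/null
    openssl x509 -req -in dp.csr -CA customer.crt -CAkey customer.key \
        -set_serial 3 -days 30 -extfile pki.cnf -extensions leaf \
        -out dp.crt 2>/dev/null
)

# Succeeds if a client that trusts only embedded.crt accepts dp.crt.
# $1 = directory, $2 = "with-cross" to supply cross.crt as an intermediate.
client_trusts_dp() (
    cd "$1"
    if [ "${2:-}" = with-cross ]; then
        openssl verify -CAfile embedded.crt -untrusted cross.crt dp.crt
    else
        openssl verify -CAfile embedded.crt dp.crt
    fi >/dev/null 2>&1
)

demo=$(mktemp -d)
build_demo_pki "$demo"
client_trusts_dp "$demo" || echo "without cross.crt: DP certificate rejected"
client_trusts_dp "$demo" with-cross && echo "with cross.crt: DP certificate accepted"
```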

The next step in this security trust matrix is the client authentication.

The DP now requests authentication from the client. The client forwards a list of certificates for which it holds private keys. One of these must be the private key held by the DP. This is extracted from the Configuration Manager server registry and is used to create .key and .crt files, which in turn are forwarded to the client. Once the DP has checked that the client does indeed hold the required private keys, full communication and file sharing can commence over the secured channel.

The above is a Configuration Manager based scenario, where the certificate and private key can be passed to the client by the DP when requested. In a non-CM environment some further configuration is required, as the customer must create and distribute the cross-signed certificate manually. If you require assistance with this, please feel free to contact the 2Pint Support team or search the Knowledge Base as hopefully, by the time you are reading this, a document on this