Flexboot now will contain only a single trusted root certificate (the “iPXE root CA” certificate). To use a standard SSL certificate issued by a public CA (such as Verisign), iPXE must be able to download a cross-signed certificate to complete the chain of trust up to the “iPXE root CA” certificate. These cross-signed certificates are downloaded automatically when needed from http://ca.ipxe.org/auto.
For more information, see full description on https://ipxe.org/crypto and https://ipxe.org/cfg/crosscert.
To use a private CA trust, Flexboot must get the Trust CA fingerprint as a configuration from the FlexBoot menu, must download the root certificate to complete the chain of trust. Flexboot can download the root CA from the Http URI that was configured in the FlexBoot Menu "Cross-Signed CA URI".