To enable support for the HTTPS protocol, you must enable the DOWNLOAD_PROTO_HTTPS build configuration option. iPXE also supports code signing, which allows you to verify the authenticity and integrity of files downloaded by iPXE. The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA, and RSA_WITH_AES_128_CBC_SHA. If you want more control over the chain of trust, then you can generate your own private root certificate ca.
For example, to trust your private root certificate ca. This will create a custom version of the iPXE binary ipxe. You can specify multiple root certificates to trust. Certificates must be in PEM format. The full root certificates are generally too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints will be included by default. You must also create a minimal CA configuration file ca. This will create a cross-signed certificate startcom-cross.
This allows you to extend the trust from your private root certificate to include certificates signed by startcom. You can generate a new code-signing certificate codesign. You can now use this certificate to sign a binary that will then be trusted by iPXE. This will create the signature file vmlinuz.
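
As an added example (not code from this page or from the iPXE project), the following Python code shows what embedding only SHA-256 fingerprints of PEM root certificates amounts to: it splits a PEM bundle holding several certificates, decodes each to DER, and hashes it, rejecting input that is not PEM. It assumes the fingerprint is the standard SHA-256 digest over the certificate's DER encoding; the function names are hypothetical and the sample bytes are constructed placeholders, not real X.509 certificates.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for two DER certificates
# (illustrative only, not real X.509 data).
SAMPLE_DER = [b"\x30\x82\x01\x0a" + bytes(range(64)),
              b"\x30\x82\x01\x0b" + bytes(range(64, 128))]

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def to_pem(der):
    """PEM-armor DER bytes (helper used only to build the sample bundle)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def root_fingerprints(bundle):
    """Return one SHA-256 hex fingerprint per certificate in a PEM bundle."""
    try:
        text = bundle.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("not PEM: binary input (DER?)") from None
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("not PEM: no BEGIN CERTIFICATE block")
    fingerprints = []
    for body in blocks:
        # The fingerprint covers the decoded DER bytes, not the PEM text.
        der = base64.b64decode("".join(body.split()), validate=True)
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


if __name__ == "__main__":
    bundle = "".join(to_pem(d) for d in SAMPLE_DER).encode("ascii")
    for der, fp in zip(SAMPLE_DER, root_fingerprints(bundle)):
        # 32 bytes are kept per root instead of the whole certificate.
        print(f"{len(der)}-byte cert -> {len(bytes.fromhex(fp))}-byte fp {fp}")
```

Comparing these values against the fingerprints you expect before building gives a quick check that only the intended roots end up trusted.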