@sebastian-roth Thanks, we gave that a go and now there is an error with the chainloading failing. So progress from denied.
Researching the error on ipxe (3e11623b) the error seems to be based on the lack of a DNS server. Currently these custom certs don’t have the IP address of the fog server as part of the certificate SAN, so we’re going to see if a certificate with the SAN containing the IP and hostname resolves this error.