For this to work trusted CAs need to be compiled into the iPXE binary. Since those can change you'll need to update that binary from time to time. Or ignore cert warnings, which reduces the security to plain HTTP.