changeset 649:22e3868d2eb1

Securing Orthanc with a client certificate and access it using a Web browser
author Sebastien Jodogne <s.jodogne@gmail.com>
date Mon, 26 Apr 2021 18:41:12 +0200
parents fcd2c2b66297
children 9e7c58e1725b
files Sphinx/source/faq/https.rst
diffstat 1 files changed, 49 insertions(+), 7 deletions(-)
--- a/Sphinx/source/faq/https.rst	Mon Apr 26 11:18:11 2021 +0200
+++ b/Sphinx/source/faq/https.rst	Mon Apr 26 18:41:12 2021 +0200
@@ -74,9 +74,7 @@
   {
     "SslEnabled" : true,
     "SslCertificate" : "/tmp/certificate.pem"
-  }
-  
-        
+  }      
 
 
 Querying Orthanc using HTTPS
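Review bot: the replacement line `  }      ` still carries trailing whitespace, so this hunk only trades three trailing blank lines for one untidy closing brace instead of cleaning the block up; trim it to `  }`, since the two unchanged blank lines that follow already separate it from the `Querying Orthanc using HTTPS` heading.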
@@ -177,10 +175,10 @@
   }
 
 
-Securing Orthanc with mutual TLS authentication
-...............................................
+Securing Orthanc peers with mutual TLS authentication
+.....................................................
         
-.. highlight:: bash
+.. highlight:: json
                
 Once HTTPS is enabled, Orthanc can also be configured to accept incoming
 connections based on a certificate provided by the client.
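Review bot: renaming the heading to `Securing Orthanc peers with mutual TLS authentication` changes the anchor Sphinx derives from the title text, so any existing link into this section breaks, and the hunk adds no explicit label to stabilise it; add a `.. _label:` line above the new title, the way the section added later in this patch gets `.. _client-certificate-web-browser:`, so both sections can be referenced with `:ref:` independently of their wording. The switch from `.. highlight:: bash` to `.. highlight:: json` should also be checked against every literal block that follows in this section, because it applies until the next highlight directive.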
@@ -213,4 +211,48 @@
 :ref:`DICOMweb client <dicomweb-client>`.
 
 An example of such a setup with instructions to generate the
-certificates is available `here <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/tls-mutual-auth/>`__ .
\ No newline at end of file
+certificates is available `here
+<https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/tls-mutual-auth/>`__.
+
+
+.. _client-certificate-web-browser:
+
+Securing Orthanc with a client certificate and access it using a Web browser
+............................................................................
+
+.. highlight:: bash
+
+Firstly, create a PEM certificate for the Orthanc HTTPS server, and another
+PKCS12 certificate for the client::
+
+  $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+            -keyout server.key -out server.crt -subj "/C=BE/CN=localhost"
+  $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+            -keyout client.key -out client.crt -subj "/C=BE/CN=localhost"
+  $ cat server.key server.crt > server.pem
+  $ openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
+
+In the last step, you'll have to provide a password (that can be
+empty).
+  
+.. highlight:: bash
+
+Secondly, start Orthanc using the following configuration file for Orthanc::
+
+  {
+    "SslEnabled" : true,
+    "SslCertificate" : "server.pem",
+    "SslVerifyPeers": true,
+    "SslTrustedClientCertificates": "client.crt"
+  }
+
+Thirdly, install the PKCS12 client-side certificate ``client.p12`` in
+your Web browser. For instance, check out `these instructions for
+Mozilla Firefox
+<https://security.stackexchange.com/questions/163199/firefox-certificate-can-t-be-installed>`__.
+
+You are then able to access Orthanc using HTTPS encryption, with
+cryptographic identification of a client Web browser. Note that
+because the certificate is self-signed, the Web browser will warn
+about a potential security risk.
+
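Review bot: the second `.. highlight:: bash` directive, the one placed just before the configuration block starting `"SslEnabled" : true`, should be `.. highlight:: json`, consistent with the change made to the mutual-TLS section earlier in this patch; as written the JSON is lexed as shell, and the first `.. highlight:: bash` above the openssl commands already covers them, so this directive is both redundant and wrong. The procedure also needs a permissions caveat: `-nodes` writes `server.key` and `client.key` unencrypted and `cat server.key server.crt > server.pem` copies the private key into the file Orthanc reads, so the text should tell readers to restrict those files (`chmod 600 server.key server.pem`) and keep `client.key` and `client.p12` away from the Orthanc host; for the same reason, "a password (that can be empty)" is worth discouraging, since an empty export password leaves the client private key readable by anyone who obtains `client.p12`. If readers are expected to eventually trust `server.crt` to silence the warning mentioned in the last paragraph, the server request should also carry a subjectAltName for localhost (`-addext "subjectAltName=DNS:localhost"`), because current browsers do not match the hostname against the CN alone. Minor wording: "start Orthanc using the following configuration file for Orthanc" repeats the name; "start Orthanc using the following configuration file" suffices.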