Mercurial > hg > orthanc-book
changeset 649:22e3868d2eb1
Securing Orthanc with a client certificate and access it using a Web browser
| author | Sebastien Jodogne <s.jodogne@gmail.com> |
|---|---|
| date | Mon, 26 Apr 2021 18:41:12 +0200 |
| parents | fcd2c2b66297 |
| children | 9e7c58e1725b |
| files | Sphinx/source/faq/https.rst |
| diffstat | 1 files changed, 49 insertions(+), 7 deletions(-) [+] |
line wrap: on
line diff
--- a/Sphinx/source/faq/https.rst Mon Apr 26 11:18:11 2021 +0200 +++ b/Sphinx/source/faq/https.rst Mon Apr 26 18:41:12 2021 +0200 @@ -74,9 +74,7 @@ { "SslEnabled" : true, "SslCertificate" : "/tmp/certificate.pem" - } - - + } Querying Orthanc using HTTPS @@ -177,10 +175,10 @@ } -Securing Orthanc with mutual TLS authentication -............................................... +Securing Orthanc peers with mutual TLS authentication +..................................................... -.. highlight:: bash +.. highlight:: json Once HTTPS is enabled, Orthanc can also be configured to accept incoming connections based on a certificate provided by the client. @@ -213,4 +211,48 @@ :ref:`DICOMweb client <dicomweb-client>`. An example of such a setup with instructions to generate the -certificates is available `here <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/tls-mutual-auth/>`__ . \ No newline at end of file +certificates is available `here +<https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/tls-mutual-auth/>`__. + + +.. _client-certificate-web-browser: + +Securing Orthanc with a client certificate and access it using a Web browser +............................................................................ + +.. highlight:: bash + +Firstly, create a PEM certificate for the Orthanc HTTPS server, and another +PKCS12 certificate for the client:: + + $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -keyout server.key -out server.crt -subj "/C=BE/CN=localhost" + $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -keyout client.key -out client.crt -subj "/C=BE/CN=localhost" + $ cat server.key server.crt > server.pem + $ openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 + +In the last step, you'll have to provide a password (that can be +empty). + +.. highlight:: bash + +Secondly, start Orthanc using the following configuration file for Orthanc:: + + { + "SslEnabled" : true, + "SslCertificate" : "server.pem", + "SslVerifyPeers": true, + "SslTrustedClientCertificates": "client.crt" + } + +Thirdly, install the PKCS12 client-side certificate ``client.p12`` in +your Web browser. For instance, check out `these instructions for +Mozilla Firefox +<https://security.stackexchange.com/questions/163199/firefox-certificate-can-t-be-installed>`__. + +You are then able to access Orthanc using HTTPS encryption, with +cryptographic identification of a client Web browser. Note that +because the certificate is self-signed, the Web browser will warn +about a potential security risk. +