TLS - Windows Certificate Store

All other questions regarding DCMTK

amal.jesudas
Posts: 36
Joined: Tue, 2017-12-19, 11:49

TLS - Windows Certificate Store

#1 Post by amal.jesudas »

Hi,

Can someone provide some insight into the possibility of using certificates from the Windows Certificate Store?
Is it possible to check the same using the existing tools that have TLS support?
Any guidance will be valuable.

Thanks & Regards,
Amal

Marco Eichelberg
OFFIS DICOM Team
Posts: 1437
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: TLS - Windows Certificate Store

#2 Post by Marco Eichelberg »

In brief, no, not directly. DCMTK uses OpenSSL, which maintains its own certificate store.
It is possible, though, to export the certificates from the Windows cert store and import them into OpenSSL.
You can find sample code for this on Stackoverflow https://stackoverflow.com/questions/950 ... cate-store.

However, in general I would advise against using the Windows certificate store for DICOM connections. This comes pre-loaded with dozens of root certificates that are useful for web browsing but should never occur in a DICOM connection. You really want to restrict the DICOM layer to the root certificate of the CA that has issued the certificates for the medical devices in the network, and not accept any certificate issued by, say, Let's Encrypt.
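
The following is an added example, not part of the thread and not DCMTK code: it exports exactly one CA certificate from the Windows store, selected by thumbprint, to a PEM file that an OpenSSL-based tool can load as its only trust anchor. The parameter names, the default store path and the output file name are assumptions made for illustration.

```powershell
# Added example (not from the thread). Assumed names: $Thumbprint, $StorePath, $OutFile.
param(
    [Parameter(Mandatory)][string]$Thumbprint,        # thumbprint of the device-issuing CA
    [string]$StorePath = 'Cert:\LocalMachine\Root',   # assumed store location
    [string]$OutFile   = '.\dicom-ca.pem'             # assumed output path
)
$ErrorActionPreference = 'Stop'

# Thumbprints pasted from the certificate dialog often carry spaces or hidden characters.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$all   = @(Get-ChildItem -Path $StorePath)
$found = @($all | Where-Object { $_.Thumbprint -eq $wanted })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate $wanted in $StorePath, found $($found.Count)."
}
$ca = $found[0]

# Refuse anything that is not a CA certificate or is outside its validity period.
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate '$($ca.Subject)' is not marked as a CA."
}
$now = Get-Date
if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
    throw "Certificate '$($ca.Subject)' is not currently valid."
}

# DER -> PEM with 64-character lines, the layout OpenSSL itself writes.
$b64   = [Convert]::ToBase64String($ca.RawData)
$lines = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n"
$pem   = "-----BEGIN CERTIFICATE-----`n$lines`n-----END CERTIFICATE-----`n"
Set-Content -Path $OutFile -Value $pem -Encoding ascii -NoNewline

# Summary: the one anchor exported, and how many store entries were left out.
[pscustomobject]@{
    Subject         = $ca.Subject
    Thumbprint      = $ca.Thumbprint
    NotAfter        = $ca.NotAfter
    OutFile         = (Resolve-Path $OutFile).Path
    RootsNotTrusted = $all.Count - 1
}
```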

amal.jesudas
Posts: 36
Joined: Tue, 2017-12-19, 11:49

Re: TLS - Windows Certificate Store

#3 Post by amal.jesudas »

Thanks Marco for taking time to clarify my query.

We are trying to limit the use of physical files in our implementation and use the store for certificate management.
I have already explored the possibility of exporting to OpenSSL.
Also, I get the point regarding the number of root certificates in the store.
In the actual environment that involves DICOM transmission, we plan to limit the number of certificates in the store to the bare minimum.
Just out of curiosity, can I know if the Windows store is still not advisable even if we take enough precautions to limit the number of certificates in the store?

Thanks & Regards,
Amal

Marco Eichelberg
OFFIS DICOM Team
Posts: 1437
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: TLS - Windows Certificate Store

#4 Post by Marco Eichelberg »

Hard to say. My guess would be that once you have pruned the Windows Certificate Store to a state that can be considered safe for the usage in the DICOM context, it will cause problems with other tools that use it (e.g. the Edge browser).

amal.jesudas
Posts: 36
Joined: Tue, 2017-12-19, 11:49

Re: TLS - Windows Certificate Store

#5 Post by amal.jesudas »

Thanks Marco.
Will keep this in mind and will keep an eye out for the same.
Will report back if and when they occur so that it would help some others too.

Regards,
Amal
