Hi,
Can someone provide insight into the possibility of using certificates from the Windows Certificate Store?
Is it possible to check the same using the existing tools that have TLS support?
Any guidance will be valuable.
Thanks & Regards,
Amal
TLS - Windows Certificate Store
Moderator: Moderator Team
- OFFIS DICOM Team
- Posts: 1444
- Joined: Tue, 2004-11-02, 17:22
- Location: Oldenburg, Germany
Re: TLS - Windows Certificate Store
In brief, no, not directly. DCMTK uses OpenSSL, which maintains its own certificate store.
It is possible, though, to export the certificates from the Windows cert store and import them into OpenSSL.
You can find sample code for this on Stack Overflow: https://stackoverflow.com/questions/950 ... cate-store.
However, in general I would advise against using the Windows certificate store for DICOM connections. This comes pre-loaded with dozens of root certificates that are useful for web browsing but should never occur in a DICOM connection. You really want to restrict the DICOM layer to the root certificate of the CA that has issued the certificates for the medical devices in the network, and not accept any certificate issued by, say, Let's Encrypt.
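The trust restriction recommended in the reply above, as an added example that is not part of the original posts and is not DCMTK code. It uses the OpenSSL command line to compare a single-CA trust file with a broad bundle; `hospital-ca`, `public-web-ca`, `ct-scanner` and `outsider` are hypothetical names, and all keys and certificates are constructed on the fly in a temporary directory.

```shell
#!/usr/bin/env bash
# Constructed demo: every key and certificate is generated in a temp dir.
set -eu

# make_ca NAME DIR: create a self-signed root CA (NAME.key / NAME.pem) in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

# issue_cert CA NAME DIR: create a key and CSR for NAME, then sign it with CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3/$2.key" -out "$3/$2.csr" 2>/dev/null
  openssl x509 -req -in "$3/$2.csr" -CA "$3/$1.pem" -CAkey "$3/$1.key" \
    -CAcreateserial -days 30 -out "$3/$2.pem" 2>/dev/null
}

# trusted_by ANCHORS CERT: succeed only if CERT chains to a CA in ANCHORS.
# -no-CApath keeps OpenSSL from also consulting its default CA directory.
trusted_by() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: report how each trust policy treats a device cert and a foreign cert.
demo() {
  d=$(mktemp -d)
  make_ca hospital-ca "$d"      # hypothetical CA for the medical devices
  make_ca public-web-ca "$d"    # stands in for a preloaded browser root
  issue_cert hospital-ca ct-scanner "$d"
  issue_cert public-web-ca outsider "$d"
  # The "broad" bundle imitates an exported system store: both roots trusted.
  cat "$d/hospital-ca.pem" "$d/public-web-ca.pem" > "$d/broad.pem"
  result=""
  for anchors in hospital-ca broad; do
    for cert in ct-scanner outsider; do
      if trusted_by "$d/$anchors.pem" "$d/$cert.pem"; then v=accept; else v=reject; fi
      result="$result$anchors/$cert=$v "
    done
  done
  rm -rf "$d"
  echo "$result"
}

demo
```

With only the site CA as trust anchor the foreign certificate is rejected; with the broad bundle it is accepted, which is the situation the reply advises against.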
- Posts: 36
- Joined: Tue, 2017-12-19, 11:49
Re: TLS - Windows Certificate Store
Thanks, Marco, for taking the time to clarify my query.
We are trying to limit the use of physical files in our implementation and use the store for certificate management.
I have already explored the possibility of exporting to OpenSSL.
Also, I get the point regarding the number of root certificates in the store.
In the actual environment that involves DICOM transmission, we plan to limit the number of certificates in the store to the bare minimum.
Just out of curiosity, can I know if the Windows store is still not advisable even if we take enough precautions to limit the number of certificates in the store?
Thanks & Regards,
Amal
- OFFIS DICOM Team
- Posts: 1444
- Joined: Tue, 2004-11-02, 17:22
- Location: Oldenburg, Germany
Re: TLS - Windows Certificate Store
Hard to say. My guess would be that once you have pruned the Windows Certificate Store to a state that can be considered safe for the usage in the DICOM context, it will cause problems with other tools that use it (e.g. the Edge browser).
- Posts: 36
- Joined: Tue, 2017-12-19, 11:49
Re: TLS - Windows Certificate Store
Thanks, Marco.
Will have this in mind and will keep an eye out for the same.
Will report back if and when they occur so that it would help some others too.
Regards,
Amal