When I used storescu (as the requester) and storescp (as the receptor) to establish a TLS secure connection, I met the error mentioned in the subject.
Following is some basic information about my testing:
dcmtk-3.6.7
dcmtk-3.6.7-win64-support-MT-iconv-msvc-17.0
Steps are listed below:
1. Produce the CA private key and self-signed CA certificate using the following cmds:
openssl genpkey -algorithm RSA -out cert/ca_key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -new -key cert/ca_key.pem -out cert/ca_cert.csr
openssl x509 -req -days 365 -in cert/ca_cert.csr -signkey cert/ca_key.pem -out cert/ca_cert.pem
2. Calculate the hash value of ca_cert.pem and rename it to 30f7f4fa.0 using the following cmd:
openssl x509 -hash -noout -in cert/ca_cert.pem
3. Produce the private key and certificate for the SCU side with CA certificate 30f7f4fa.0:
openssl genpkey -algorithm RSA -out cert/scu_key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -new -key cert/scu_key.pem -out cert/scu_cert.csr
openssl x509 -req -in cert/scu_cert.csr -CA cert/30f7f4fa.0 -CAkey cert/ca_key.pem -days 365 -out cert/scu_cert.pem
4. Produce the private key and certificate for the SCP side with CA certificate 30f7f4fa.0:
openssl genpkey -algorithm RSA -out cert/scp_key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -new -key cert/scp_key.pem -out cert/scp_cert.csr
openssl x509 -req -in cert/scp_cert.csr -CA cert/30f7f4fa.0 -CAkey cert/ca_key.pem -days 365 -out cert/scp_cert.pem
5. Put 30f7f4fa.0 under the directory cert/trustedLists and copy the folder cert to the directory where storescp is.
6. Run storescp as follows:
storescp -d -v --enable-tls cert/scp_key.pem cert/scp_cert.pem --add-cert-dir cert/trustedLists --profile-bcp195 --cipher TLS_RSA_WITH_AES_256_CBC_SHA 104
7. Run storescu as follows:
storescu -d -v --enable-tls cert/scu_key.pem cert/scu_cert.pem --add-cert-dir cert/trustedLists --profile-bcp195 --cipher TLS_RSA_WITH_AES_256_CBC_SHA 192.168.3.1 104 cert/20230811_115336.dcm
(Please note: storescp and storescu use the same cert/trustedLists, where only 30f7f4fa.0 exists)
And the following error popped up on storescp side:
E: Receiving Association failed: 000b:0c18 TLS error: tlsv1 alert unknown ca
I did a lot of investigation and still couldn't find any clue to resolve it.
If possible, would you please help me with it?
[Dicom] TLS reports "unknown CA" error when testing storescu and storescp with self-signed CA certificate
OFFIS DICOM Team (Oldenburg, Germany):
Re: [Dicom] TLS reports "unknown CA" error when testing storescu and storescp with self-signed CA certificate
The steps all seem to be correct. My guess is that your self-signed CA certificate is lacking the X.509 extension that marks it as a CA certificate.
When printing the content of the certificate with
openssl x509 -in <filename.pem> -noout -text
, you should see the following X.509 extensions:
X509v3 Basic Constraints: critical
    CA:TRUE
X509v3 Key Usage: critical
    Digital Signature, Certificate Sign, CRL Sign
You need to specify this in a configuration file that is passed to OpenSSL in the "openssl req" call. There is a Perl script (intended to be used on Linux) in the DCMTK source repository (see here: https://github.com/DCMTK/DCMTK/blob/mas ... cmtk_ca.pl ) that manages all that. Try generating a CA certificate with that script and compare the output with yours.
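As an added example (not code from the original post, the reply, or DCMTK), here is the certificate procedure from the first post redone so that the CA certificate carries the extensions the reply lists. The extensions are supplied through an OpenSSL configuration file, as the reply suggests, the CA certificate is installed under its subject-hash name for --add-cert-dir, and the SCU/SCP certificates are then verified against that directory with openssl, which is the check worth running before retrying storescp and storescu. File names, the distinguished names, and the [v3_leaf] extension set are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a CA certificate with basicConstraints CA:TRUE and
# keyUsage keyCertSign via an OpenSSL config file, sign SCU/SCP certificates
# with it, install the CA under its hash name, and verify the chain.
# All file names and DN values below are assumptions for this example.
set -eu

# Constructed OpenSSL config written to $1/openssl.cnf.
# [v3_ca] is applied by "req -x509" (the self-signed CA certificate);
# [v3_leaf] is applied explicitly when signing the SCU/SCP certificates.
write_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca

[ dn ]
CN = Test DICOM CA

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Build the whole PKI under directory $1.
make_pki() {
  dir="$1"
  mkdir -p "$dir/trustedLists"
  write_config "$dir"

  # CA key, then a self-signed certificate via "req -x509" so the [v3_ca]
  # extensions are applied ("x509 -req -signkey" adds no basicConstraints).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/ca_key.pem" 2>/dev/null
  openssl req -new -x509 -days 365 -config "$dir/openssl.cnf" \
      -key "$dir/ca_key.pem" -out "$dir/ca_cert.pem"

  # SCU and SCP: key, CSR, then sign with the CA using [v3_leaf].
  for role in scu scp; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/${role}_key.pem" 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -subj "/CN=${role}" \
        -key "$dir/${role}_key.pem" -out "$dir/${role}.csr"
    openssl x509 -req -days 365 -in "$dir/${role}.csr" \
        -CA "$dir/ca_cert.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_leaf \
        -out "$dir/${role}_cert.pem"
  done

  # Install the CA under its subject-hash name (<hash>.0), which is the
  # file name a --add-cert-dir / -CApath lookup expects.
  hash=$(openssl x509 -hash -noout -in "$dir/ca_cert.pem")
  cp "$dir/ca_cert.pem" "$dir/trustedLists/$hash.0"
}

# The check from the reply: does the CA certificate carry CA:TRUE?
ca_has_ca_flag() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Chain both leaf certificates to the trust directory only (default system
# stores disabled), which is what each DICOM peer has to do with the
# certificate it receives.  Exits non-zero on failure.
verify_against_trust_dir() {
  dir="$1"
  openssl verify -no-CAfile -no-CApath -CApath "$dir/trustedLists" \
      "$dir/scu_cert.pem" "$dir/scp_cert.pem"
}

# Stand-alone run: "sh make_pki.sh run" builds everything in a scratch dir.
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  make_pki "$work"
  ca_has_ca_flag "$work/ca_cert.pem"
  verify_against_trust_dir "$work"
  echo "PKI written to $work"
fi
```

The openssl verify step should print "OK" for both certificates; if it does not, the same failure will reappear as a TLS alert, because the side that cannot chain its peer's certificate to a trusted CA sends unknown_ca and the other side logs it. Since storescu and storescp in the post share one trustedLists directory, a single corrected CA certificate fixes both directions.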