[Dicom] TLS reports "unknown CA" error when testing storescu and storescp with self-signed CA certificate

All other questions regarding DCMTK

cailian
Posts: 1
Joined: Mon, 2024-12-30, 16:03


#1 Post by cailian »

When I used storescu (as the requester) and storescp (as the receptor) to establish a TLS secure connection, I got the error mentioned in the subject.

Following is some basic information about my testing:
dcmtk-3.6.7
dcmtk-3.6.7-win64-support-MT-iconv-msvc-17.0

Steps are listed as below:
1. Produce ca private key and self-signed ca certificate using the following cmds:
openssl genpkey -algorithm RSA -out cert/ca_key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -new -key cert/ca_key.pem -out cert/ca_cert.csr
openssl x509 -req -days 365 -in cert/ca_cert.csr -signkey cert/ca_key.pem -out cert/ca_cert.pem

2. Calculate the hash value of ca_cert.pem and rename it to 30f7f4fa.0 using the following cmd:
openssl x509 -hash -noout -in cert/ca_cert.pem

3. Produce the private key and certificate for SCU side with ca certificate 30f7f4fa.0:
openssl genpkey -algorithm RSA -out cert/scu_key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -new -key cert/scu_key.pem -out cert/scu_cert.csr
openssl x509 -req -in cert/scu_cert.csr -CA cert/30f7f4fa.0 -CAkey cert/ca_key.pem -days 365 -out cert/scu_cert.pem

4. Produce the private key and certificate for SCP side with ca certificate 30f7f4fa.0:
openssl genpkey -algorithm RSA -out cert/scp_key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -new -key cert/scp_key.pem -out cert/scp_cert.csr
openssl x509 -req -in cert/scp_cert.csr -CA cert/30f7f4fa.0 -CAkey cert/ca_key.pem -days 365 -out cert/scp_cert.pem

5. Put 30f7f4fa.0 under directory cert/trustedLists and copy folder cert to the directory where storescp is.

6. Run storescp as the following:
storescp -d -v --enable-tls cert/scp_key.pem cert/scp_cert.pem --add-cert-dir cert/trustedLists --profile-bcp195 --cipher TLS_RSA_WITH_AES_256_CBC_SHA 104

7. Run storescu as the following:
storescu -d -v --enable-tls cert/scu_key.pem cert/scu_cert.pem --add-cert-dir cert/trustedLists --profile-bcp195 --cipher TLS_RSA_WITH_AES_256_CBC_SHA 192.168.3.1 104 cert/20230811_115336.dcm
(Please note: storescp and storescu use the same cert/trustedLists, where only 30f7f4fa.0 exists)

And the following error popped up on storescp side:
E: Receiving Association failed: 000b:0c18 TLS error: tlsv1 alert unknown ca

I did a lot of investigating and still couldn't find any clue to resolve it.
If possible, would you please help me with it?

Marco Eichelberg
OFFIS DICOM Team
Posts: 1512
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: [Dicom] TLS reports "unknown CA" error when testing storescu and storescp with self-signed CA certificate

#2 Post by Marco Eichelberg »

The steps all seem to be correct. My guess is that your self-signed CA certificate is lacking the X.509 extension that marks it as a CA certificate.
When printing the content of the certificate with openssl x509 -in <filename.pem> -noout -text, you should see the following X.509 extensions:


            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
You need to specify this in a configuration file that is passed to OpenSSL in the "openssl req" call. There is a Perl script (intended to be used on Linux) in the DCMTK source repository (see here: https://github.com/DCMTK/DCMTK/blob/mas ... cmtk_ca.pl ) that manages all that. Try generating a CA certificate with that script and compare the output with yours.
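The following script is an added example written for this thread; it is not DCMTK's dcmtk_ca.pl and not code from either poster. It repeats the first poster's procedure (CA key and self-signed CA certificate, one SCU and one SCP certificate, hashed copy of the CA under trustedLists) but passes an OpenSSL configuration file carrying the Basic Constraints and Key Usage extensions the reply describes, marks the SCU/SCP certificates as end entities usable for TLS client and server authentication, and finishes with the two checks a practitioner would run before starting storescp and storescu: that the CA really carries CA:TRUE and Certificate Sign, and that each leaf chains to the hashed directory exactly as --add-cert-dir would look it up. The directory name, subject CNs, validity period and the sslserver/sslclient purposes are assumptions for the example; only the openssl subcommands and options are real.

```shell
#!/bin/sh
# Added example for the DCMTK forum thread above; not DCMTK code.
# Assumes a POSIX shell and OpenSSL 1.1.1 or newer on PATH.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"   # assumption: any writable scratch dir
CONF="$CERT_DIR/dicom_tls.cnf"

# Extension profiles. v3_ca carries the Basic Constraints / Key Usage that the
# reply asks for; v3_leaf marks SCU/SCP certificates as end entities usable for
# TLS client and server authentication (DICOM TLS authenticates both peers).
write_config() {
    cat > "$CONF" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# $1 = output prefix, $2 = subject CN. The private key is kept owner-only.
gen_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "${1}_key.pem" 2>/dev/null
    chmod 600 "${1}_key.pem"
    openssl req -new -key "${1}_key.pem" -config "$CONF" -subj "/CN=$2" -out "$1.csr"
}

# Self-signed CA, this time with the v3_ca extensions applied at signing.
make_ca() {
    gen_key_and_csr "$CERT_DIR/ca" "Test DICOM CA"
    openssl x509 -req -days 365 -in "$CERT_DIR/ca.csr" -signkey "$CERT_DIR/ca_key.pem" \
        -extfile "$CONF" -extensions v3_ca -out "$CERT_DIR/ca_cert.pem"
}

# $1 = name (scu|scp), $2 = subject CN. Issued by the CA with v3_leaf extensions.
issue_leaf() {
    gen_key_and_csr "$CERT_DIR/$1" "$2"
    openssl x509 -req -days 365 -in "$CERT_DIR/$1.csr" \
        -CA "$CERT_DIR/ca_cert.pem" -CAkey "$CERT_DIR/ca_key.pem" -CAcreateserial \
        -extfile "$CONF" -extensions v3_leaf -out "$CERT_DIR/${1}_cert.pem"
}

# Install the CA under its subject-hash name so --add-cert-dir can find it.
install_trusted() {
    mkdir -p "$CERT_DIR/trustedLists"
    h=$(openssl x509 -hash -noout -in "$CERT_DIR/ca_cert.pem")
    cp "$CERT_DIR/ca_cert.pem" "$CERT_DIR/trustedLists/$h.0"
}

# Returns 0 only if the certificate text shows CA:TRUE and Certificate Sign.
check_ca_extensions() {
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q 'CA:TRUE' && echo "$txt" | grep -q 'Certificate Sign'
}

# Chain build from the hashed directory, with the TLS purpose the peer will
# check: $1 = trust dir, $2 = sslserver|sslclient, $3 = certificate.
verify_against_trust_dir() {
    openssl verify -CApath "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

write_config
make_ca
issue_leaf scu "storescu"
issue_leaf scp "storescp"
install_trusted
check_ca_extensions "$CERT_DIR/ca_cert.pem"
verify_against_trust_dir "$CERT_DIR/trustedLists" sslserver "$CERT_DIR/scp_cert.pem"
verify_against_trust_dir "$CERT_DIR/trustedLists" sslclient "$CERT_DIR/scu_cert.pem"
echo "certificates written to $CERT_DIR"
```

Run it, then point storescp at scp_key.pem/scp_cert.pem and storescu at scu_key.pem/scu_cert.pem with --add-cert-dir set to the generated trustedLists. If check_ca_extensions fails on an existing CA certificate, that certificate was produced without the extension section and should be regenerated rather than patched; if openssl verify fails against the hashed directory, the file name does not match the output of openssl x509 -hash for that CA and no TLS option will make the lookup succeed.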
