about tls certificate

All other questions regarding DCMTK

Moderator: Moderator Team

hwzmail
Posts: 1
Joined: Wed, 2006-09-06, 13:45

about tls certificate

#1 Post by hwzmail »

Hello,

With the help of some of the posts in this BB, I have successfully created a certificate for use in storescp-tls and storescu-tls. However, I'm getting the error message "DUL secure transport layer: certificate verify failed".

Here's what I did:
1) create certificate:
openssl genrsa -out ca.key 2048
openssl req -config openssl.cfg -new -x509 -days 365 -key ca.key -out ca.crt

2) open listening port 104
storescp-tls -v 104 +tls ca.key ca.crt

3) send dicom file
storescu-tls localhost 104 c:\test.dcm +tls ca.key ca.crt
Enter passphrase: ********

Error messages:
storescu: Association Request failed:
0006:031b Failed to establish connection
0006:0317 Peer aborted Association (or never connected)
0006:031e DUL secure transport layer: certificate verify failed

At the storescp-tls window, I get this verbose error message:
DUL secure transport layer: tlsv1 alert unknown ca

What am I doing wrong? Please advise.

Jörg Riesmeier
ICSMED DICOM Services
Posts: 2217
Joined: Fri, 2004-10-29, 21:38
Location: Oldenburg, Germany

#2 Post by Jörg Riesmeier »

This is from an old description from one of my colleagues:

The problem is that storescp does not recognize the Certification Authority (CA) that has issued storescu's certificate (i.e. your CA). To quickly solve that problem, first of all, you can switch off certificate verification using storescp's --ignore-peer-cert command line option. You will have to use the same option with storescu as well.

To permanently solve the problem, you should either load the CA certificate into storescp and storescu, e.g.

    storescp --add-cert-file ca_cert.pem ...

or you should set up a directory containing trusted CA certificates. OpenSSL requires that these certificates have special filenames created with the OpenSSL command "openssl x509 -hash". For example, create a directory:

    mkdir mycerts
    copy ca_cert.pem mycerts
    cd mycerts

Now use openssl to determine the required filename:

    openssl x509 -in ca_cert.pem -noout -hash

(This will print an 8-digit hash code.)

Rename your CA certificate file:

    rename ca_cert.pem <hashcode>.0

Now you can call storescp with:

    storescp --add-cert-dir mycerts ...

This procedure seems complex, but it has the advantage that you can have multiple trusted CA certificates in that directory and still have a very efficient look-up (through the filename based on a hash code of the CA's X.509 distinguished name).

Hope this helps.
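The trusted-CA directory procedure from the answer above, carried through end to end as an added example. This script is not from the forum post and not part of DCMTK; it assumes only that the openssl command-line tool is on PATH, and every name, subject and directory in it is constructed for the demonstration. It uses "openssl verify -CApath" as a stand-in for the chain check storescp performs during the TLS handshake, so you can see why an empty directory (or the CA file under its original name) produces the "unknown ca" alert from the question, and why the <hash>.0 filename is what makes the look-up succeed.

```shell
#!/bin/sh
# Added example (not from the DCMTK forum post or the DCMTK project): build a
# trusted-CA directory laid out the way OpenSSL, and therefore
# "storescp --add-cert-dir", expects, and show that the subject-hash filename
# is what makes the lookup work. Assumes the openssl CLI is on PATH; all
# subjects, file names and directories below are constructed for the demo.

# Create a self-signed CA and a node certificate issued by it, inside "$1".
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA key plus self-signed CA certificate (constructed subject, 365 days).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example DICOM CA" >/dev/null 2>&1 || return 1
    # Node key plus CSR, then sign the CSR with the CA.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/node.key" -out "$dir/node.csr" \
        -subj "/CN=storescu-node" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$dir/node.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/node.crt" >/dev/null 2>&1 || return 1
}

# Install a CA certificate into a -CApath style directory under its
# subject-name hash, i.e. <hash>.0 (".0" is the index used when several
# CAs share the same hash). Prints the installed path.
install_trusted_ca() {
    cacert="$1"; capath="$2"
    mkdir -p "$capath"
    hash=$(openssl x509 -in "$cacert" -noout -hash) || return 1
    cp "$cacert" "$capath/$hash.0" || return 1
    echo "$capath/$hash.0"
}

# Can the certificate in "$1" be chained to a CA in directory "$2"?
# Prints "ok" or "unknown-ca"; exit status follows openssl verify.
check_chain() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then
        echo ok; return 0
    fi
    echo unknown-ca; return 1
}

# End-to-end demonstration; returns 0 only if every step behaves as described.
demo_ca_hash_dir() {
    work=$(mktemp -d) || return 1
    make_test_pki "$work/pki" || return 1
    capath="$work/trusted"
    mkdir -p "$capath"
    # 1. Empty directory: no chain can be built (the peer would see "unknown ca").
    [ "$(check_chain "$work/pki/node.crt" "$capath")" = unknown-ca ] || return 1
    # 2. The CA file under its original name does not help: lookup is by hash.
    cp "$work/pki/ca.crt" "$capath/ca.crt"
    [ "$(check_chain "$work/pki/node.crt" "$capath")" = unknown-ca ] || return 1
    # 3. Installed as <hash>.0 the lookup succeeds.
    install_trusted_ca "$work/pki/ca.crt" "$capath" >/dev/null || return 1
    [ "$(check_chain "$work/pki/node.crt" "$capath")" = ok ] || return 1
    rm -rf "$work"
    return 0
}

demo_ca_hash_dir && echo "trusted-CA directory lookup works as expected"
```

The script uses cp instead of the Windows copy/rename commands from the answer, but the directory layout it produces is the same one storescp --add-cert-dir reads. On OpenSSL 1.1.0 and later the "openssl rehash" subcommand (or the older c_rehash script) creates these hash-named links for a whole directory in one step, which is convenient once more than one CA needs to be trusted.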
