Connect to PACS using dcmtk with TLS connection

Hi,

I am trying to connect to Orthanc PACS server using dcmtk applications such as echoscu, storescu through secure connection. With the help of documentation and forum, I am able to successfully connect to PACS through TLS connection using certificate and key files using command: echoscu localhost 4242 -aet ORTHANC +tls "orthanc-crt.pem" "orthanc-key.pem" ++add-cert-file "trusted-crt.pem" -ll info

I could see that without adding trusted certificate, the above command is failing. I found the reason from the web that: The problem is that Orthanc does not recognize the Certification Authority (CA) that has issued echoscu's certificate (i.e. my CA). To solve that problem, we can either switch off certificate verification using --ignore-peer-cert command line option or we must use --add-cert-file option. My doubts are: is the --add-cert-file option necessary every time to connect to any PACS server such as hospital server and private server other than Orthanc? As this option is needed because the PACS server couldn't recognize my CA, if we have the certificates from known CA, will we still need this option? I mean if we are trying to connect to any hospital PACS server, do we need this --add-cert-file option? Thanks!

Hi Aruna,

At least for Orthanc, you must always provide the list of trusted certificates and I would assume that this is also the same for dcmtk.
If you are using certificates signed by a well-known CA, you can probably just provide your standard OS-approved CA bundle (e.g. /etc/ssl/certs/ca-certificates.crt on Debian-based systems).

Disclaimer: not tested. Please share the results of your tests.

Best regards,

Alain.
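A small wrapper for trying Alain's suggestion, added here as an example rather than code from the thread or from dcmtk. It assumes the dcmtk option names as printed by echoscu --help (+tls takes the private key before the certificate, ++add-cert-file names a file of trusted issuers, --require-peer-cert fails if the server's certificate does not verify) and Debian's bundle path as the default; check echoscu --help for your version.

```shell
#!/bin/sh
# Run echoscu over TLS, trusting a CA bundle instead of using --ignore-peer-cert.
# Assumed dcmtk options: +tls <key> <cert>, ++add-cert-file <file>, --require-peer-cert.
# ECHOSCU may be overridden (e.g. to a full path); default bundle path is Debian's.

# echoscu_tls HOST PORT AET CLIENT_CERT CLIENT_KEY [CA_BUNDLE]
# Returns 1 before contacting the server if any of the three files is unreadable,
# otherwise returns echoscu's own exit status.
echoscu_tls() {
  host=$1; port=$2; aet=$3; cert=$4; key=$5
  ca=${6:-/etc/ssl/certs/ca-certificates.crt}   # OS bundle for well-known CAs
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # +tls            our own key and certificate (client authentication, which Orthanc requires)
  # ++add-cert-file issuers we trust for the *server's* certificate; for a hospital PACS
  #                 signed by a public CA this can be the OS bundle, for a private CA
  #                 pass that CA's certificate as the sixth argument
  # --require-peer-cert  refuse the connection instead of accepting an unverifiable server
  "${ECHOSCU:-echoscu}" "$host" "$port" -aet "$aet" \
    +tls "$key" "$cert" \
    ++add-cert-file "$ca" \
    --require-peer-cert -ll info
}
```

Call it as echoscu_tls localhost 4242 ORTHANC orthanc-crt.pem orthanc-key.pem to use the OS bundle, or add trusted-crt.pem as a sixth argument for a private CA.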