These instructions for installing an X.509 certificate as a software prerequisite apply to the RIS only. A certificate is not required to use ImageServer; however, if you intend to create your own certificate, please read the notes on using a self-generated certificate.
Why Do I Need an X.509 Certificate?
The ClearCanvas RIS/PACS has been built on the .NET framework, and one component of that framework, WCF, is what we use to secure communication between applications. WCF requires X.509 (SSL) certificates to encrypt and secure communication between applications. Currently, the only component that makes use of the certificate is the RIS, which comprises a server and a client, where the client is part of the ClearCanvas Workstation.
What this means for our product is that all communication between the RIS client and the RIS server is secured in its own right. Regardless of whether or not the IIS server is using the SSL certificate for https, the RIS server uses it. You can still enable https in IIS, but all it will be doing is encrypting the blank web pages for the preview pane, since patient data from the RIS server is already encrypted via WCF.
Although it is not required, it is also possible to secure communication from your Internet Explorer web browser to the ImageServer using an SSL certificate. Because ImageServer is accessed entirely through a web browser, this security relies only on IIS enabling SSL encryption using the https protocol.
Requesting a Certificate
To obtain a certificate for the RIS you must prepare a Certificate Signing Request (CSR) within IIS on the computer the ClearCanvas RIS will be installed on. Most Certificate Authorities (CAs) provide instructions; two examples are Comodo Support and Verisign Support. Submit the CSR to the CA of your choice and purchase a certificate. Then install the certificate with the following procedure:
• Open Internet Information Services Manager.
• Right-click on Default Web Site and select Properties.
• Click on the Directory Security tab.
• Click on the Server Certificate button.
• In the Certificate Wizard, select Process the pending request and install the certificate.
Using an X.509 certificate with RIS
When the RIS server starts up, it is configured to listen on an endpoint such as net.tcp://serverhostname:8000, where serverhostname is the hostname of the computer supplied in the CSR, which in turn is the hostname the certificate is issued to. Once the certificate has been installed, you must not change the hostname of the computer: the certificate may no longer be valid and the RIS server will not be able to start.
When ClearCanvas Workstation has been installed as an integrated RIS client and ImageViewer, on startup, it will try to contact the RIS server at the specified endpoint and inspect the certificate in use. The certificate must be issued to the server hostname that matches the endpoint, must be issued by a recognized Trusted Root CA, and must not be expired. If any of these security checks fail, the client will not connect to the server.
If you have requested a certificate from a CA that is not recognized as a Trusted Root CA, you must update the Root Certificates store on both the server and client computers. This is usually necessary when you are requesting Test Certificates from the CA, as these are usually issued by an unrecognized issuer. The Root Certificates store can be updated through Windows Update or by adding the specific issuer certificate provided by your CA directly into the store, as instructed by your CA.
For more details about the use of certificates, please refer to the RIS Admin Guide.
Using the Included Localhost Certificate
Alternatively, if you do not wish to purchase a certificate, there is a Local Client Only configuration option in the installer which can automatically insert a "localhost" certificate for you. This will allow you the convenience of running the RIS server and client without the need of requesting an SSL certificate, but is limited to allowing the client to connect to the server only when they are both installed on the same machine. Please see the RIS Installation section for more details.
IMPORTANT: In order to use the Local Client Only option, you must remove any existing localhost certificates which you have created yourself, as multiple certificates issued to the same hostname will cause conflicts. Note that it is safe to reinstall the RIS multiple times, as it will detect the localhost certificate it created previously and will not produce duplicates.
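The following PowerShell function is an added example, not part of the ClearCanvas installer or its documentation. It audits the local machine certificate store on the RIS server for the conditions described above: exactly one certificate issued to the endpoint hostname (duplicates conflict with the Local Client Only option), a chain that builds to a recognized Trusted Root CA, a validity period that has not expired, and a private key the server can use. The hostname passed in is an assumption; use the hostname supplied in your CSR, or localhost for the included certificate.

```powershell
# Added example (not ClearCanvas code). Reports the certificates issued to the
# RIS endpoint hostname and the checks the RIS client applies when connecting.
function Test-RisServerCertificate {
    param(
        # Hostname from the CSR, e.g. 'localhost' for the Local Client Only option (assumed value).
        [Parameter(Mandatory = $true)][string]$HostName,
        # Store the RIS server certificate lives in; LocalMachine\My is the usual IIS location.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    # Match the subject CN exactly so 'localhost' does not also match 'localhost2'.
    $pattern = "(^|,\s*)CN=$([regex]::Escape($HostName))(,|$)"
    $certs = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -match $pattern })

    if ($certs.Count -eq 0) {
        Write-Warning "No certificate issued to '$HostName' was found in $StorePath."
        return
    }
    if ($certs.Count -gt 1) {
        # More than one certificate for the same hostname causes the conflict the guide warns about.
        Write-Warning "$($certs.Count) certificates are issued to '$HostName'; remove all but one."
    }

    $now = Get-Date
    foreach ($cert in $certs) {
        # Verify() builds the chain against this machine's Trusted Root store; it returns
        # $false for test certificates whose issuer has not been added to that store.
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)
            TrustedChain  = $cert.Verify()
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

# Usage (run in an elevated PowerShell on the RIS server):
# Test-RisServerCertificate -HostName 'localhost' | Format-List
```

Run the same function with the server hostname on a client computer against Cert:\LocalMachine\Root to confirm the issuer certificate was added there after updating the Root Certificates store.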