Configuring Mirth SSL Plugin to use a Custom Certificate Authority?

  • Configuring Mirth SSL Plugin to use a Custom Certificate Authority?

    How can I configure Mirth (with SSL Plugin) to use a non-standard certificate authority to allow for receiving and sending to hosts that have certificates created from that CA?

  • #2
    Originally posted by mirraraenn
    How can I configure Mirth (with SSL Plugin) to use a non-standard certificate authority to allow for receiving and sending to hosts that have certificates created from that CA?
    You just need to add the root (CA) certificate to the truststore.
    Step 1: JAVA CACHE...DID YOU CLEAR ...wait, ding dong the witch is dead?

    Nicholas Rupley
    Work: 949-237-6069
    Always include what Mirth Connect version you're working with. Also include (if applicable) the code you're using and full stacktraces for errors (use CODE tags). Posting your entire channel is helpful as well; make sure to scrub any PHI/passwords first.


    - How do I foo?
    - You just bar.



    • #3
      Originally posted by narupley
      You just need to add the root (CA) certificate to the truststore.
      When you're talking about the truststore, do you mean the 'CACerts' keystore located at the java directory\lib\security\cacerts or with the keystore created and loaded for Mirth itself? I've added it to the first one, but not the second one because it says in the SSL plugin manager guide that it isn't used for HTTP Senders (but is still required).



      • #4
        Originally posted by mirraraenn
        When you're talking about the truststore, do you mean the 'CACerts' keystore located at the java directory\lib\security\cacerts or with the keystore created and loaded for Mirth itself? I've added it to the first one, but not the second one because it says in the SSL plugin manager guide that it isn't used for HTTP Senders (but is still required).
        Neither. You need to add it to appdata/truststore.jks and restart the Mirth Connect server. You should not be touching the Mirth Connect keystore (appdata/keystore.jks) at all.

        As I said here as well, in 3.1 we're completely overhauling the SSL Manager plugin to be much easier to use. I highly recommend watching this (starts at 7:19): http://www.mirthcorp.com/protected-c...eveloper-qa-73

        Nicholas Rupley


        • #5
          Originally posted by narupley
          Neither. You need to add it to appdata/truststore.jks and restart the Mirth Connect server. You should not be touching the Mirth Connect keystore (appdata/keystore.jks) at all.

          As I said here as well, in 3.1 we're completely overhauling the SSL Manager plugin to be much easier to use. I highly recommend watching this (starts at 7:19): http://www.mirthcorp.com/protected-c...eveloper-qa-73
          Thanks Narupley, this helped very much. For anyone viewing this thread with the same problem, what you need to do is to:
          1. Navigate to http://portecle.sourceforge.net/ and launch the Portecle tool.
          2. Once it has launched, navigate to the Mirth application files and open the truststore.jks file located at %MirthAppdataFolder%\appdata\truststore.jks (in my case on x64 Windows it was C:\Program Files\Mirth Connect\appdata\truststore.jks).
          3. You will be prompted for a password, which you will need to get from the mirth.properties file at %MirthAppdataFolder%\conf\mirth.properties. It will look similar to this:
          keystore.storepass = XXXXXXXXX
          4. Once opened, select the import certificate button and load the trusted CA certificate whose sites you will be trying to connect to.
          5. I am not sure whether this keystore is refreshed while Mirth is running. Do you need to restart Mirth to have it refresh its certificate trust? That would be the final step if it were necessary.

          I have a separate issue now that this is fixed, but will address it in a separate thread. Thanks again!

          Comment
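The Portecle steps from post #5, done with the JDK's keytool instead, as an added example that is not part of the original thread. The alias custom-root-ca, the argument layout and the backup file name are assumptions; the appdata/truststore.jks and conf/mirth.properties paths and the keystore.storepass property are the ones named in the posts above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): import a custom root CA into
# Mirth Connect's appdata/truststore.jks with keytool instead of Portecle.
# Assumptions: alias "custom-root-ca", argument order, backup file name.

# Print the value of keystore.storepass from a mirth.properties file.
# Accepts "key = value" or "key: value" and strips Windows line endings.
read_storepass() {
  sed -n 's/^[[:space:]]*keystore\.storepass[[:space:]]*[=:][[:space:]]*//p' "$1" \
    | tail -n 1 | tr -d '\r'
}

# import_ca <mirth-install-dir> <ca-cert-file> [alias]
import_ca() {
  local mirth_dir="$1" ca_file="$2" ca_alias="${3:-custom-root-ca}"
  local store="$mirth_dir/appdata/truststore.jks"
  local props="$mirth_dir/conf/mirth.properties"
  local pass

  [ -f "$store" ] && [ -f "$ca_file" ] || {
    echo "truststore or certificate file not found" >&2; return 1; }
  pass=$(read_storepass "$props")
  [ -n "$pass" ] || { echo "keystore.storepass not found in $props" >&2; return 1; }

  # Keep a copy so a bad import can be rolled back.
  cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)" || return 1

  # Without -noprompt, keytool prints the certificate and asks
  # "Trust this certificate?". Compare the SHA-256 fingerprint with the one
  # obtained from the CA out of band before answering yes.
  # -storepass:env keeps the password out of the process argument list.
  STOREPASS="$pass" keytool -importcert -alias "$ca_alias" \
    -file "$ca_file" -keystore "$store" -storepass:env STOREPASS || return 1

  # Confirm the entry is present, then restart as post #4 says.
  STOREPASS="$pass" keytool -list -alias "$ca_alias" \
    -keystore "$store" -storepass:env STOREPASS || return 1
  echo "Restart the Mirth Connect server so it loads the updated truststore."
}

# Run only when called with arguments, e.g.:
#   ./import-ca.sh "/c/Program Files/Mirth Connect" root-ca.pem
if [ "$#" -ge 2 ]; then import_ca "$@"; fi
```

Only appdata/truststore.jks is modified; appdata/keystore.jks is left alone, as post #4 advises.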


          • #6
            Originally posted by narupley
            I highly recommend watching this (starts at 7:19): http://www.mirthcorp.com/protected-c...eveloper-qa-73
            This was very helpful. Do you have a similar demo for when using SSL Tunnels?



            • #7
              mirth service keeps restoring original keystore

              I added a certificate and root certificate to keystore.jks but whenever the service starts it recreates the original one. Then I tried creating an entirely new keystore with a different name and modified mirth.conf to point to it, but when the service starts it replaces that one with the original keystore. Any way around this?



              • #8
                Originally posted by chapanovich
                I added a certificate and root certificate to keystore.jks but whenever the service starts it recreates the original one. Then I tried creating an entirely new keystore with a different name and modified mirth.conf to point to it, but when the service starts it replaces that one with the original keystore. Any way around this?
                You just need to use the alias "mirthconnect" for your cert chain entry. That's what the server looks for when it starts up.

                Nicholas Rupley