Skip to main content

Default Root Certificates

DSF-TeamAbout 6 min

A number of trusted certificate authorities (CAs) are included in the DSF docker images fhir_proxy, fhir, bpe_proxy and bpe by default. Root and intermediate certificates as well as the configured usage of issuing CAs as either server, client oder server and client CA are listed at the end.

Extending or Replacing Trusted Certificate Authorities

X.509 certificates of default trusted CAs are stored as .pem files containing multiple certificates in the docker images and can be replaced by either using docker bind mounts or configuring appropriate environment variables with different targets.

FHIR Reverse Proxy

Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates (Apache httpd mod_ssl configuration option SSLCACertificateFile) as well as the CA Certificates for defining acceptable CA names (option SSLCADNRequestFile).
Use the following environment variable to configure non default .pem files or override the existing files using docker bind mounts:

Note: Default file location are relative to the docker image work directory /usr/local/apache2.
Also Note: Using non default .pem files for the environment variables above may require also modifying the default values of the environment variables SSL_EXPECTED_CLIENT_S_DN_C_VALUES and SSL_EXPECTED_CLIENT_I_DN_CN_VALUES.

FHIR Server

Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates as well as root CAs used for validating server certificates of remote DSF FHIR servers and the OIDC provider when using OpenID Connect for authenticating local users.
Use the following environment variable to configure non default .pem files or override the existing files using docker bind mounts:

Note: Default file location are relative to the docker image work directory /opt/fhir.

BPE Reverse Proxy

Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates (Apache httpd mod_ssl configuration option SSLCACertificateFile) as well as the CA Certificates for defining acceptable CA names (option SSLCADNRequestFile).
Use the following environment variable to configure non default .pem files or override the existing files using docker bind mounts:

Note: Default file location are relative to the docker image work directory /usr/local/apache2.
Also Note: Using non default .pem files for the environment variables above may require also modifying the default values of the environment variables SSL_EXPECTED_CLIENT_S_DN_C_VALUES and SSL_EXPECTED_CLIENT_I_DN_CN_VALUES.

BPE Server

Defaults are configured for the list of issuing, intermediate and root CAs used for validating client certificates as well as root CAs used for validating server certificates of local and remote DSF FHIR servers, the local mail server (if configured and SMTP over TLS required) and the OIDC provider when using OpenID Connect for authenticating local users.
Use the following environment variable to configure non default .pem files or override the existing files using docker bind mounts:

Note: Default file location are relative to the docker image work directory /opt/bpe.

List of Default Trusted Certificate Authorities

If not mentioned explicitly, issuing CAs listed will sign X.509 certificates with Extended Key Usage entries TLS WWW server authentication and TLS WWW client authentication.

CAs Trusted by Common Web Browsers and Operating Systems

Other CAs