3. Client Side certificates
From OpenEMR Project Wiki
Owner of this task
ViCarePlus HealthCare IT Services & Support
6559, SpringPath Lane, San Jose, CA, USA
MeaningFul Use Requirements
AR.FND 03.01 : Person or entity authentication: Provide the capability to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Enabling the Client validation improves the authentication by two level. This will ensure the client accessing the OpenEMR server has valid credentials.Application have a option to enable or disable this feature during the OpenEMR setup.
1.Configuring a Certificate Authority
2.Enabling client side authentication in apache
SSLCACertificateFile /etc/apache2/ssl/ca.crt SSLVerifyClient require SSLVerifyDepth 2
3.For each user creation, a new Client certificate is created and the same is signed by the Certificate Authority and the certificates are passed to each user via e-mail.
4.Users need to import their client certificates in the browser and the OpenEMR server validates the certificate.
5.Only the users with the valid certificate and username and password will be able to login to OpenEMR.
Note: If this functionality is disabled (through globals.php), then the user will be authenticated only by username and password.
Creation of Certificate Authority Certificate
OpenEMR setup tool itself is capable of creating all the required certificates in single click. Provisions are given to add third party certificates also.
Client Certificate Creation
When a new user is created inside the application, user certificate is also created and it is mailed to the user's email address, OpenEMR admin has the complete control over creation and sending the certificate to the user.
The user can then import his certificate in the browser.
Client Certificate Validity : OpenEMR admin can set the validity(in days) of the client certificate during setup. Once the validity gets expired admin can create/send a new certificate from the edit user form.
Configuration added in globals.php
//path to Certificate Authority crt file. Set this to full absolute path: $certificate_authority_crt = "/Path/to/CertificateAuthority Certificate"; //path to Certificate Authority key file. Set this to full absolute path: $certificate_authority_key = "Path/to/CertificateAuthority Key"; //Enable or Disable client Certificate Authentication $is_client_authendication_enabled = "1"; //Default validity for Client certificate $client_certificate_valid_in_days = "365";
Completed by ViCarePlus Team, Visolve.
Checkin status - Committed to the Sourceforge CVS
SF forum assocation: http://sourceforge.net/projects/openemr/forums/forum/202506/topic/3539294