
3. Client Side certificates

From OpenEMR Project Wiki



Owner of this task

OpenEMR and EHR Support

ViCarePlus HealthCare IT Services & Support

6559, SpringPath Lane, San Jose, CA, USA



Meaningful Use Requirements

AR.FND 03.01 : Person or entity authentication: Provide the capability to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Proposed Solution

Enabling client certificate validation makes authentication two-level: it ensures that the client connecting to the OpenEMR server presents valid credentials in the form of a CA-signed certificate, in addition to the username and password. The application has an option to enable or disable this feature during OpenEMR setup.


1. Configuring a Certificate Authority

2. Enabling client side authentication in Apache

SSLCACertificateFile /etc/apache2/ssl/ca.crt
SSLVerifyClient require
SSLVerifyDepth 2

3. For each user created, a new client certificate is generated, signed by the Certificate Authority, and sent to the user by e-mail.

4. Users import their client certificate into their browser; the OpenEMR server (Apache) validates it against the CA certificate.

5. Only users with a valid certificate and a valid username and password will be able to log in to OpenEMR.

Note: If this functionality is disabled (through globals.php), the user is authenticated by username and password only.

Creation of Certificate Authority Certificate

The OpenEMR setup tool itself can create all the required certificates in a single click. Provision is also made for adding third-party certificates.

Client Certificate Creation

When a new user is created inside the application, a user certificate is also created and mailed to the user's e-mail address. The OpenEMR admin has complete control over creating the certificate and sending it to the user.

The user can then import the certificate into their browser.

Client Certificate Validity: the OpenEMR admin can set the validity (in days) of the client certificate during setup. Once the certificate expires, the admin can create and send a new certificate from the edit-user form.

Configuration added in globals.php

//path to Certificate Authority crt file. Set this to full absolute path:
$certificate_authority_crt = "/Path/to/CertificateAuthority Certificate";

//path to Certificate Authority key file. Set this to full absolute path:
$certificate_authority_key = "/Path/to/CertificateAuthority Key";

//Enable ("1") or disable ("0") client certificate authentication
$is_client_authendication_enabled = "1";

//Default validity (in days) for client certificates
$client_certificate_valid_in_days = "365";


Completed by ViCarePlus Team, Visolve.

Checkin status - Committed to the Sourceforge CVS

SF forum association: