1

We have a Mirth server which is not under a support contract which needs to POST to a client-certificate authenticated HTTPS service. Since the certificate is self-signed, adding it to appdata\keystore.jks doesn't seem to work.

How can I explicitly specify a client certificate for an HTTP Sender destination without forking over the big bucks?

Freiheit
Mitch
  • Possible duplicate of [Does Mirth connect 3.6 open source supports HTTP without using SSL manager](https://stackoverflow.com/questions/51831891/does-mirth-connect-3-6-open-source-supports-http-without-using-ssl-manager) – Freiheit Sep 27 '18 at 20:30
  • @Freiheit, I agree - they are very similar. I don't think it is a duplicate since I was talking about a _client_ certificate rather than the more common untrusted server certificate. The solutions are similar, though. – Mitch Sep 27 '18 at 23:18
  • My mistake. I see that you are asking a narrowly focused question on mutual TLS rather than the broad question from the other user. – Freiheit Sep 28 '18 at 15:15

1 Answer

3

Create an nginx reverse proxy. That way, Mirth only has to connect on HTTP - nginx submits the client certificate.

For Windows:

  1. Unzip nginx
  2. Update conf\nginx.conf
  3. Set to start as a service with nssm

I replaced nginx.conf with the below to keep things simple, listening only on http://127.0.0.1:8106/:

```nginx
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    server {
        listen 127.0.0.1:8106;
        server_name localhost;

        location / {
            proxy_pass https://upstream-server;

            # To generate a key&crt from pfx:
            # openssl pkcs12 -in client-certificate.pfx -nocerts -out client-certificate.key -nodes
            # openssl pkcs12 -in client-certificate.pfx -clcerts -nokeys -out client-certificate.crt

            proxy_ssl_certificate "C:/path/to/nginx-1.15.3/conf/client-certificate.crt";
            proxy_ssl_certificate_key "C:/path/to/nginx-1.15.3/conf/client-certificate.key";
        }
    }
}
```
Mitch
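The configuration in the answer presents the client certificate, but nginx does not verify the upstream server's certificate unless `proxy_ssl_verify` is turned on (it is off by default). The following is an added example, not part of the original answer, showing the same proxy with upstream verification enabled; the `upstream-ca.crt` file, the verify depth and the TLS 1.2 setting are assumptions to adapt.

```nginx
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    server {
        # Loopback only: any process that can reach this port can use the
        # client certificate, so do not bind it to an external interface.
        listen 127.0.0.1:8106;
        server_name localhost;

        location / {
            proxy_pass https://upstream-server;

            # Client certificate and key presented to the upstream (as in the answer).
            proxy_ssl_certificate     "C:/path/to/nginx-1.15.3/conf/client-certificate.crt";
            proxy_ssl_certificate_key "C:/path/to/nginx-1.15.3/conf/client-certificate.key";

            # Verify the upstream's server certificate (nginx default: off).
            proxy_ssl_verify       on;
            proxy_ssl_verify_depth 2;   # assumed chain length

            # Assumed file: PEM bundle holding the CA, or the self-signed
            # server certificate itself, that the upstream presents.
            proxy_ssl_trusted_certificate "C:/path/to/nginx-1.15.3/conf/upstream-ca.crt";

            # Send SNI and check the certificate against the expected name.
            # proxy_ssl_name defaults to the proxy_pass host; set explicitly here.
            proxy_ssl_server_name on;
            proxy_ssl_name        upstream-server;

            # Assumes the upstream supports TLS 1.2.
            proxy_ssl_protocols TLSv1.2;
        }
    }
}
```

Because `-nodes` writes the private key unencrypted, restrict the key file's ACL to the account the nginx service runs as. Run `nginx -t` after editing to check the configuration before restarting the service.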