Helpful hint for creating custom SSL Certificates in TrueCrypt-based OEMR installations

wizard353 wrote on Saturday, June 21, 2014:

I’m installing OEMR in a TrueCrypt directory under Windows 7 to reduce the risk of a data breach if someone carries off the server box some night. I tried to follow the instructions to generate a custom SSL certificate provided by the excellent discussion at:

http://robsnotebook.com/xampp-ssl-encrypt-passwords

However, when I tried to execute the batch file provided with XAMPP “makecert.bat” to generate the SSL certificate according to the instructions provided, the batch file would crash. Upon examining the batch file, I found that it uses a relative directory shortcut to establish the working directory for the certificate creation process. It appears that Windows 7 will not permit you to “CD” (Change Directory) into a directory located within a TrueCrypt volume.

As provided, the makecert.bat file is:


@echo off
set OPENSSL_CONF=./bin/openssl.cnf

if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key

bin\openssl req -new -out server.csr
bin\openssl rsa -in privkey.pem -out server.key
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

set OPENSSL_CONF=
del .rnd
del privkey.pem
del server.csr

move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key

echo.
echo -----
echo Das Zertifikat wurde erstellt.
echo The certificate was provided.
echo.
pause


The instructions say to execute the command:

cd c:\xampp\apache

before executing the batch file. However, the default directory will not change if it is located within a TrueCrypt volume.

On my system, the full path to my apache directory within the TrueCrypt volume is:

O:\xampp\apache\

By rewriting the batch above with hard-coded full file path descriptions, I could get the batch to execute correctly.


set OPENSSL_CONF=O:\xampp\apache\conf\openssl.cnf

ECHO DDS Customized Make SSL Cert 6-21-2014
if not exist O:\xampp\apache\conf\ssl.crt mkdir O:\xampp\apache\conf\ssl.crt
if not exist O:\xampp\apache\conf\ssl.key mkdir O:\xampp\apache\conf\ssl.key
O:\xampp\apache\bin\openssl req -new -out server.csr
O:\xampp\apache\bin\openssl rsa -in privkey.pem -out server.key
O:\xampp\apache\bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

set OPENSSL_CONF=
del O:\xampp\apache\.rnd
del O:\xampp\apache\privkey.pem
del O:\xampp\apache\server.csr

move /y server.crt O:\xampp\apache\conf\ssl.crt
move /y server.key O:\xampp\apache\conf\ssl.key
echo.
echo -----
echo Das Zertifikat wurde erstellt.
echo The certificate was created.
echo.
pause


I hope this might be of help to someone else trying to accomplish the same task.

Dave
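
A drive-independent variant of the script in the post above, as an added example that is not XAMPP's or the poster's code. It assumes the batch file is saved in the apache directory and that openssl.cnf sits under conf\ as in the edited script; every path is built from the script's own location, and the intermediate key, CSR and seed file are deleted whether or not OpenSSL succeeds.

```bat
@echo off
rem setlocal discards OPENSSL_CONF and the other variables when the script ends.
setlocal

rem Assumption: this file is saved in the apache directory (O:\xampp\apache\ in the post).
rem %~dp0 expands to the drive and folder of this script, ending in a backslash.
set "APACHE=%~dp0"
rem Assumption: openssl.cnf is under conf\, as in the post's edited script.
set "OPENSSL_CONF=%APACHE%conf\openssl.cnf"
rem Keep OpenSSL's random seed file at a known path so it can be deleted afterwards.
set "RANDFILE=%APACHE%.rnd"
set "KEY=%APACHE%conf\ssl.key\server.key"
set "CRT=%APACHE%conf\ssl.crt\server.crt"
set "TMPKEY=%APACHE%privkey.pem"
set "CSR=%APACHE%server.csr"

if not exist "%APACHE%conf\ssl.crt" mkdir "%APACHE%conf\ssl.crt"
if not exist "%APACHE%conf\ssl.key" mkdir "%APACHE%conf\ssl.key"

rem -keyout pins where the passphrase-protected key is written, instead of
rem leaving it to the config's default_keyfile and the current directory.
"%APACHE%bin\openssl" req -new -keyout "%TMPKEY%" -out "%CSR%" || goto fail
rem Remove the passphrase so Apache can start unattended.
"%APACHE%bin\openssl" rsa -in "%TMPKEY%" -out "%KEY%" || goto fail
"%APACHE%bin\openssl" x509 -req -in "%CSR%" -signkey "%KEY%" -out "%CRT%" -days 365 || goto fail

call :cleanup
echo The certificate was created.
pause
exit /b 0

:fail
call :cleanup
echo Certificate creation failed. See the OpenSSL message above.
pause
exit /b 1

:cleanup
rem Delete the intermediate files from the exact paths they were written to.
if exist "%RANDFILE%" del "%RANDFILE%"
if exist "%TMPKEY%" del "%TMPKEY%"
if exist "%CSR%" del "%CSR%"
exit /b 0
```

The resulting server.key is unencrypted, so it should stay inside the encrypted volume and be readable only by the account that runs Apache.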

penguin8r wrote on Tuesday, July 08, 2014:

Given recent events with regard to TrueCrypt, that may not be a good choice for data security going forward, although an attempt is being made to fully audit the last working releases of the TrueCrypt code for current vulnerabilities. Full disk encryption via LUKS on Linux is proven to be secure and eliminates the possibility of data leakage if the machine is stolen. Those using a Linux backend also have the option to pay for Gazzang’s excellent zNCrypt if going the commercial subscription-based route is acceptable. The only decent free option I’m aware of for Windows at the moment is DiskCryptor. Otherwise you’re looking at commercial pay-to-play solutions or using Microsoft BitLocker, assuming it’s available on the OS version in use. Thieves have begun targeting servers containing medical information, either for their own use, or to resell the information to identity theft and online fraud criminal organizations.