How can Slicer be configured to cooperate with institutions that enforce SSL bumping and use self-signed certificates at the firewall?

This topic is discussed extensively here:

1 Like

A coworker that’s well versed in this language figured it out. Here’s what we had to do:

  1. Start Slicer and open the extensions manager
    This created the folder ~/.pki/nssdb
  2. cd into ~/.pki/nssdb and run:
    certutil -d sql:. -A -n "File" -i "PathToCertificates/File.crt" -t "C,,"
    for each File in PathToCertificates (replace File in two places in the line above)
    This configures the root and intermediate SSL certificates for the Chromium browser that the extensions manager is built on
  3. cd into the folder that contains Slicer.crt (e.g. share/Slicer-5.6) and run:
    mv Slicer.crt Slicer.crt.old  # make a backup of the original
    ln -s PathToCaCertificates/ca-certificates.crt Slicer.crt
    This effectively replaces Slicer.crt with the system certificate store that needs to be used so that Slicer will trust downloading extensions.
  4. Run:
    export REQUESTS_CA_BUNDLE="PathToCaCertificates/ca-certificates.crt"
    This will allow the Slicer Python environment to trust downloading Python packages.

3 Likes

not sure why “C,” (quote capital C comma comma end quote) rendered with only one comma

Thank you for sharing. This was very useful information and can solve the certificate problem when certificates rarely change.

Unfortunately, ZScaler and similar aggressive cybersecurity tools may generate new temporary SSL certificates frequently (every couple of days or so) and you would need to repeat all the steps when it happens. Usually the final solution is that your IT staff adds exceptions. The exact steps IT takes are usually kept confidential, so there are unfortunately no common best practices to share beyond what is described in the topic I referenced above.
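
An added example, not part of the original posts or of Slicer: a Python check that can be re-run after the proxy's certificates change, to see whether steps 3 and 4 above still hold. The function names, the `*.crt` layout of the certificate folder and the sample data are assumptions; it does not inspect the NSS database from step 2.

```python
import hashlib
import os
import re
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate block in a PEM file or bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest()
            for b in PEM_BLOCK.findall(pem_text)}


def check_setup(cert_dir, bundle, slicer_crt, env=os.environ):
    """Return a list of problems; empty means steps 3 and 4 are still in place."""
    bundle, problems = Path(bundle), []
    trusted = fingerprints(bundle.read_text(errors="replace"))
    for crt in sorted(Path(cert_dir).glob("*.crt")):
        fps = fingerprints(crt.read_text(errors="replace"))
        if not fps:
            problems.append(f"{crt.name}: no PEM certificate found")
        elif not fps <= trusted:
            problems.append(f"{crt.name}: missing from bundle (rotated?)")
    # Step 3: Slicer.crt was replaced by a symlink to the bundle.
    if Path(slicer_crt).resolve() != bundle.resolve():
        problems.append("Slicer.crt does not resolve to the bundle")
    # Step 4: the Slicer Python environment reads REQUESTS_CA_BUNDLE.
    val = env.get("REQUESTS_CA_BUNDLE")
    if not val or Path(val).resolve() != bundle.resolve():
        problems.append("REQUESTS_CA_BUNDLE does not name the bundle")
    return problems


def demo():
    """Constructed layout: placeholder bytes stand in for real DER certificates."""
    root = Path(tempfile.mkdtemp())
    old = ssl.DER_cert_to_PEM_cert(b"constructed-old-ca")
    new = ssl.DER_cert_to_PEM_cert(b"constructed-rotated-ca")
    (root / "certs").mkdir()
    (root / "certs" / "inst.crt").write_text(new)   # IT rotated the CA
    bundle = root / "ca-certificates.crt"
    bundle.write_text(old)                          # bundle still has the old one
    (root / "Slicer.crt").symlink_to(bundle)
    env = {"REQUESTS_CA_BUNDLE": str(bundle)}
    return check_setup(root / "certs", bundle, root / "Slicer.crt", env)
```

Calling `check_setup` with the real certificate folder, bundle path and Slicer.crt path returns an empty list when nothing needs repeating.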

It is some markdown formatting. To print verbatim text, you can put it between backticks.