Generate a server certificate and private key (or obtain them from your PKI); place both PEM files in a directory accessible to the Orthanc process
In orthanc.json set DicomTlsEnabled to true, DicomTlsCertificate to the path of the server certificate PEM, DicomTlsPrivateKey to the key PEM, and optionally DicomTlsTrustedCertificates to a CA bundle for mutual TLS
Configure the DICOM TLS port in DicomPort (the IANA-registered well-known port for DICOM TLS is 2762, though any port may be used) and set DicomCheckModalityHost to true to enforce hostname verification
Register the TLS-enabled remote modality in the Modalities section with a UseDicomTls: true flag so that outbound C-STORE and C-FIND associations from Orthanc also use TLS
Test the TLS connection using dcmtk echoscu with --tls-key and --tls-cert options and confirm the association succeeds without certificate errors
Known gotchas
DICOM TLS secures the transport layer of the DIMSE protocol but does not provide application-layer authentication; combine TLS with Orthanc's Authorization plugin or network-level controls to restrict which clients may perform C-STORE or C-FIND
The BCP 195 TLS profile (based on RFC 8996 and RFC 9325) recommends TLS 1.2 or 1.3 and deprecates older cipher suites; some legacy PACS equipment only supports TLS 1.0, so confirm compatibility before enforcing a minimum version
Intermediate CA certificates must be included in the certificate chain file; presenting only the leaf certificate causes remote peers to fail chain validation even if they trust the root CA
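A pre-deployment check for the settings in the steps above and for the certificate-chain gotcha, as an added example (not code from Orthanc or from this page). It takes an already parsed configuration dict; `DicomModalities` is the Orthanc key for the modalities section, and all paths, host names and PEM bodies are constructed placeholders. Counting PEM blocks is a heuristic that also flags a leaf issued directly by a root CA.

```python
from pathlib import Path

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def audit_dicom_tls(config, read_text=lambda p: Path(p).read_text()):
    """Return findings for an Orthanc config dict; an empty list means nothing flagged."""
    findings = []
    if config.get("DicomTlsEnabled") is not True:
        findings.append("DicomTlsEnabled is not true")
    for key in ("DicomTlsCertificate", "DicomTlsPrivateKey"):
        if not config.get(key):
            findings.append(f"{key} is not set")
    if not config.get("DicomTlsTrustedCertificates"):
        findings.append("note: DicomTlsTrustedCertificates is not set (no CA bundle)")
    cert_path = config.get("DicomTlsCertificate")
    # Heuristic for the chain gotcha: a single PEM block means leaf only.
    if cert_path and read_text(cert_path).count(PEM_MARKER) < 2:
        findings.append("DicomTlsCertificate contains no intermediate CA certificate")
    for name, modality in config.get("DicomModalities", {}).items():
        # The short array form [AET, host, port] cannot carry UseDicomTls.
        if not isinstance(modality, dict) or modality.get("UseDicomTls") is not True:
            findings.append(f"modality {name!r} does not set UseDicomTls")
    return findings

# Constructed sample input; PEM bodies are placeholders, not real certificates.
PEM_BLOCK = PEM_MARKER + "\n(placeholder)\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {"/etc/orthanc/tls/leaf.pem": PEM_BLOCK,
                "/etc/orthanc/tls/chain.pem": PEM_BLOCK * 2}
SAMPLE_WEAK = {
    "DicomTlsEnabled": True,
    "DicomTlsCertificate": "/etc/orthanc/tls/leaf.pem",
    "DicomTlsPrivateKey": "/etc/orthanc/tls/key.pem",
    "DicomModalities": {
        "pacs": ["PACS", "pacs.example.internal", 2762],
        "ct": {"AET": "CT", "Host": "ct.example.internal", "Port": 2762, "UseDicomTls": True},
    },
}
SAMPLE_FIXED = {
    **SAMPLE_WEAK,
    "DicomTlsCertificate": "/etc/orthanc/tls/chain.pem",
    "DicomTlsTrustedCertificates": "/etc/orthanc/tls/ca-bundle.pem",
    "DicomModalities": {"pacs": {"AET": "PACS", "Host": "pacs.example.internal",
                                 "Port": 2762, "UseDicomTls": True}},
}

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, audit_dicom_tls(cfg, SAMPLE_FILES.__getitem__))
```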