SanteDB Software Publishers
Verified Extension Publishing
This page is still evolving - check back later when the publisher program documentation is complete.
SanteDB requires all deployments, extensions, customizations, etc. to be digitally signed by a trusted certificate before the SanteDB server software will load and use the extension, screen, business rule, etc.
Digital signatures ensure:
The software you're loading into your SanteDB environment is authentic and has not been tampered with.
The publisher of the extension/package is trusted by the SanteDB community and has been vetted.
When an extension or package has been vetted and signed, the applet will appear with a digital signature indicator:
It is possible to disable the verified publisher status check on SanteDB software; however, this is not recommended, as SanteDB will then load any package files uploaded to it.
For those who want to become a SanteDB software publisher, we've implemented a relatively low-overhead process that still ensures trusted publishers can reliably use and leverage the SanteDB platform.
SanteDB does not issue publisher certificates to anyone who asks for them; the community first considers the applicant's history, community participation, and ability to write software. You may be asked to provide the following information:
The country/jurisdiction in which you're interested in leveraging SanteDB
The size of your company/group (# of developers, time in business, previous projects, etc.)
A publicly available website which describes your company/group/project
Optionally, validation that you are a legitimate business, such as a Dun & Bradstreet DUNS Number (example: Fyfe Software Inc.), Google Business page, or other government registration
Your group has developers with an understanding of the SanteDB platform.
Once you've collected the appropriate documentation you will need to apply for a publisher certificate. To do this:
Contact the SanteSuite team at info@santesuite.com, including the documentation you have available above. You should send this request from an official e-mail address (i.e. not Gmail or Hotmail).
The SanteSuite team will schedule an interview with your group and will discuss your project and publisher requirements, how SanteSuite can provide assistance, etc. (this interview also ensures the applicant is a real person)
You will be invited to submit a CSR (Certificate Signing Request). This is a process whereby your developers generate a private digital signature key and request that the SanteSuite Community sign it.
In order to request a code signing certificate, first generate a private key and CSR. In Microsoft Windows this is done using the Certificates panel in MMC. In OpenSSL, to generate a private key:
After the key is generated you'll need to create a CSR:
The e-mail address must be on a registered domain for your company or project; generic addresses from Gmail or Hotmail will not be signed.
When your group has completed the sign-up process, you will receive an e-mail with your X509 code signing certificate and the SanteSuite Community Signing Certificate chain. You will have to combine these with your private key to create a PKCS12 (.pfx) file.
To do this in OpenSSL:
When packaging applets, extensions, etc., you will need to sign them. To sign while packaging your applets:
If you're using SDK version 2.1.85 or higher on Microsoft Windows, you can also reference your signing key by placing it in your personal certificate store (via MMC) and referencing the thumbprint:
Always protect your private key and code signing certificate. You should never share or disclose it.
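The key, CSR and PKCS12 steps described above, as an added sketch that is not SanteDB's or SanteSuite's own commands. File names, the 3072-bit RSA key size and the subject string are assumptions, and the export password is read from a hypothetical `PFX_PASS` environment variable.

```shell
#!/bin/sh
# Added example, not SanteDB or SanteSuite code. File names, the RSA key size
# and the subject string are assumptions; use the values SanteSuite gives you.
set -eu

# Step 1: private key, created owner-readable only.
gen_key() {   # gen_key <key.pem>
    ( umask 077 && openssl genrsa -out "$1" 3072 2>/dev/null )
}

# Step 2: CSR for that key. The subject's e-mail should be on your own domain.
gen_csr() {   # gen_csr <key.pem> <request.csr> <subject>
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# Check the CSR's self-signature before mailing it. The message is matched
# because older OpenSSL releases exit 0 even when verification fails.
check_csr() {   # check_csr <request.csr>
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# The issued certificate must carry the public half of *your* private key.
cert_matches_key() {   # cert_matches_key <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 3: bundle key + certificate + chain into a PKCS12 (.pfx) file.
# The export password comes from the PFX_PASS environment variable
# (hypothetical name) so it never appears on the command line.
make_pfx() {   # make_pfx <key.pem> <cert.pem> <chain.pem> <out.pfx>
    cert_matches_key "$2" "$1" || {
        echo "certificate does not match private key" >&2
        return 1
    }
    ( umask 077 && openssl pkcs12 -export -inkey "$1" -in "$2" \
        -certfile "$3" -out "$4" -passout env:PFX_PASS )
}
```

`make_pfx` refuses to build the bundle when the certificate you received was issued for a different key, which catches a mixed-up CSR before packaging.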
No, you do not need a publisher certificate to run and/or operate SanteDB. You also do not need a publisher certificate to:
Create custom data-sets
Create custom matching configurations
No, you can freely develop, test, modify and change the SanteDB core applets (and SanteMPI, SanteGuard, SanteEMR, etc.) without a publisher certificate. You will simply not be able to publish your changes as though they are SanteSuite's (i.e. you will need to initiate a pull request and SanteSuite will sign the changes when they are built into a release of the product).
No, you can run and develop applets without a publisher signing key. You will be limited to the SDK and iCDR/dCDR servers which have been configured to ignore unsigned packages.
Publisher certificates are issued depending on the project, the partner, and community guidelines. Certificates are usually issued for 365 days from issuance (1 year); however, longer publisher certificates can be arranged upon request.
Yes, your extensions are timestamped when they are packaged into an applet. Software can still be executed; however, you will not be able to publish new versions.