OUTDATED - MES Certificate Advisory - Important Update: New Certificate Rollout for RDP on Windows Servers

Dear Valued Customers,

We are writing to inform you about an important update regarding the rollout of new certificates for Remote Desktop Protocol (RDP) on newly ordered Windows servers. This change is crucial for maintaining the security and functionality of your Manufacturing Execution System (MES).

Context

BD is rolling out a new certificate for RDP on Windows 2022 servers. This new certificate has the same common name (CN) as conventional TLS certificates, which is the Fully Qualified Domain Name (FQDN). Unfortunately, this overlap prevents some MES services from starting correctly. The technical reason behind this issue is that several MES services read the TLS certificate from the Windows Certificate Store using only the common name as a selection criterion. This affects all services based on the Foundation SDK.

Solution

To address this issue, you must replace the existing TLS certificates with a new and "extended" version. This new certificate includes an additional "subject alternative name" (SAN) entry, allowing you to assign a customized common name (CN) while still providing the FQDN of the respective machine; the FQDN in the SAN is what the final TLS server validation checks. Please do not start this process before September 25th 2024, as ordering earlier would shorten the remaining lifespan of the certificate.


Required steps

Step 1: Order (new) TLS Certificate

1) Send an e-mail that provides the additional SAN entry for the certificate to [email protected] before submitting the CSR via https://rb-trustcenter.de.bosch.com/sslmanagement

Email Template

Subject: Additional SAN entry for CSR "MyServername.de.bosch.com-TLS"

Body:
Dear RBTrustCenter Team,

please add the following SAN entry to the CSR for the CN “MyServername.de.bosch.com-TLS” that will be arriving shortly:

MyServername.de.bosch.com

Thank you in advance!

2) Create CSR (How to order SSL certificate: https://inside-docupedia.bosch.com/confluence/x/RbECtg)


Step 2: Backup

Store your old certificate in a separate location.

Step 3: Import new TLS certificate

Import the certificate received from the RBTrustCenter into the machine's certificate store.


Step 4: Adjust configuration of all affected MES Services

Insert the new common name of the TLS certificate, including the "-TLS" suffix (see step 1):

  • Most commonly this is done within the "OpCon.Settings.xml" file
  • BCI will subsequently provide the exact configuration location for all modules
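As an added example (not part of this advisory and not BD or BCI tooling), the following PowerShell script checks a server the way the Foundation SDK based services select their certificate: it looks up Cert:\LocalMachine\My by common name only and reports whether that CN is ambiguous (the failure described under Context), whether the SAN carries the FQDN, and whether the certificate is valid and has a private key. A second function exports the old certificate for step 2. The CN and FQDN values are the placeholders from the e-mail template above; the store path, backup folder and function names are assumptions.

```powershell
# Added example, not part of the advisory. Assumptions: the MES services read
# Cert:\LocalMachine\My; CN/FQDN values are the advisory's placeholders.

function Get-SanDnsName {
    # Returns the DNS entries of the Subject Alternative Name extension (OID 2.5.29.17).
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) renders one "DNS Name=<host>" line per entry on Windows.
    $text = $san.Format($true)
    return @([regex]::Matches($text, 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value })
}

function Test-MesTlsCertificate {
    # Mirrors the CN-only lookup the services perform and reports the conditions
    # that make it fail: no match, more than one match (e.g. the RDP certificate
    # sharing the CN), a missing FQDN in the SAN, or an expired or keyless certificate.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CommonName,    # e.g. MyServername.de.bosch.com-TLS
        [Parameter(Mandatory)][string]$Fqdn,          # e.g. MyServername.de.bosch.com
        [string]$StorePath = 'Cert:\LocalMachine\My'  # assumption: store the services read
    )
    $found = @(Get-ChildItem -Path $StorePath | Where-Object {
        $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -eq $CommonName
    })
    $result = [pscustomobject]@{
        CommonName      = $CommonName
        MatchesByCn     = $found.Count
        Ambiguous       = ($found.Count -gt 1)   # two certificates with the same CN
        SanContainsFqdn = $false
        HasPrivateKey   = $false
        Valid           = $false
        Thumbprint      = $null
        Ok              = $false
    }
    if ($found.Count -eq 1) {
        $cert = $found[0]
        $now  = Get-Date
        $result.Thumbprint      = $cert.Thumbprint
        $result.SanContainsFqdn = ((Get-SanDnsName -Certificate $cert) -contains $Fqdn)
        $result.HasPrivateKey   = $cert.HasPrivateKey
        $result.Valid           = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        $result.Ok = $result.SanContainsFqdn -and $result.HasPrivateKey -and $result.Valid
    }
    return $result
}

function Backup-MesTlsCertificate {
    # Step 2: export the certificate currently in use (by thumbprint) before replacing it.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$BackupFolder,   # e.g. D:\CertBackup (assumption)
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Get-Item -Path (Join-Path $StorePath $Thumbprint)
    if (-not (Test-Path $BackupFolder)) { New-Item -ItemType Directory -Path $BackupFolder | Out-Null }
    $file = Join-Path $BackupFolder ("{0}_{1:yyyyMMdd}.cer" -f $Thumbprint, (Get-Date))
    # Public part only; use Export-PfxCertificate with a password if the private key must be kept too.
    Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
    return $file
}

# Usage (values are the advisory's placeholders):
Test-MesTlsCertificate -CommonName 'MyServername.de.bosch.com-TLS' -Fqdn 'MyServername.de.bosch.com' | Format-List
```

Run the check once before step 1 (expect Ambiguous to be true or MatchesByCn to be 0 if the old certificate still uses the FQDN as CN) and again after step 3 (expect Ok to be true); the Thumbprint of the old certificate from the first run is the value to pass to Backup-MesTlsCertificate in step 2.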


If you need help with any of these steps do not hesitate to ask your BCI sales representative for a corresponding quote for support from experienced BCI colleagues.