Why do I see ‘server’s certificate validation is enabled. OC cannot connect to an older server version’ when starting Operator Client?
Question
Why do I see ‘server’s certificate validation is enabled. OC cannot connect to an older server version’ when starting Operator Client?

Answer
The message ‘The server’s certificate validation is enabled. Operator Client cannot connect to an older server version’ appears because BVMS 13.0 introduced enhanced certificate validation to improve data security and prevent potential network attacks.
Note: Certificate-based HTTPS communication is being prepared, but the full implementation is planned for a future version (after 13.0).
See BVMS v13.0 Release Note > 2.1 New functionality (ID 239762):

When installing BVMS 13.0 Operator Client, there is a new setup option to enable certificate validation.
After you start the BVMS installer and select the Operator Client, the setup shows a new option that allows you to enable the feature.

By default, the feature is disabled; enable it here if required.

If this feature is enabled, the Operator Client verifies the Management Server’s certificate before connecting, at startup.
If the Management Server is running a version earlier than BVMS 13.0, the connection will be blocked, and the Operator Client will not start.
If the certificate is valid, the Operator Client starts automatically and no further interaction is required.
It is possible to uncheck the TLS certificate validation option with the following steps:
Run the regular BVMS installer setup > there will be 3 options (Modify, Repair and Remove) > click Modify > click Next until you reach the TLS option page, then uncheck the option.
Recap before BVMS 13.0:
BVMS Operator Client did not validate the Management Server certificates.
It was possible to use self-signed certificates (individual customer certificates for BVMS), but this required a comprehensive manual workaround (configuration on Windows level)
--> not supported out of the box.
HTTPS connections between cameras and BVMS were based on username and password, not on certificates.
What's new in BVMS 13.0?
The BVMS Operator Client can now validate Management Server certificates, if this option is enabled during installation.
Why? To enhance data security and help prevent man-in-the-middle attacks.
Out of the box certificate replacement is being prepared, but the full implementation is planned for a future version (after 13.0).
Certificate-based HTTPS communication is being prepared, but the full implementation is planned for a future version (after 13.0).
BVMS 13.0 Certificates overview
VmsRoot
🔐 Server-Side Certificate
New in BVMS 13.0
Root CA certificate for BVMS
Purpose: Issues certificates VmsLeaf and VmsInt
VmsInt
🔐 Server-Side Certificate
New in BVMS 13.0
Intermediate "Leaf-certificate" issued by VmsRoot
Purpose: Internal BVMS communication between services
(e.g. Management Server service ↔ Workstation monitoring, Metadata Service, OIDC Authorization provider, REST API used for only internal BVMS, File encryption/decryption)
VmsLeaf
🔐 Server-Side Certificate
New in BVMS 13.0
Leaf certificate issued by VmsRoot
Purpose:
WCF-based communication: Operator Client/Configuration Client/Config wizard to Management server + internal Management Server communication
gRPC-based communication: Workstation Monitoring, Metadata service towards Management server Services
REST-based communication: Operator Client / OIDC Web-browser towards Management Server (Authorization Provider service, REST service)
VmsClient
💻 Client-Side Certificate
New in BVMS 13.0
Purpose: Operator Client internal communication (e.g. Alarm-Queue interface),
but not used for Management Server communication
Other optional services:
Bosch VMS CA, 🔐 Server-Side Certificate, already available before BVMS 13.0, not new.
Purpose: used for Person identification device (TRS) connection
BvmsLPRserver, 🔐 Server-Side Certificate, already available before BVMS 13.0, not new.
Purpose: Tattile LPR camera connection
Operator Client Startup Scenarios in BVMS 13.0
Operator Client and Management Server are running on separate systems (hardware/operating system)
If 🔐 TLS certificate validation is enabled during setup, the Operator Client checks the Management Server’s certificate at startup:
✅ Valid certificate → Client starts automatically. No further interaction required.
⚠️ Untrusted certificate → User is prompted to review and choose to trust or cancel.
Warning message: Certification chain cannot be built to a trusted root Authority.
⚠️ If the certificate is invalid (e.g. expired) → User is prompted to review and choose to trust or cancel.
❌ Revoked or critically invalid certificate → Connection is blocked; Client cannot start.
🔄 Server version < 13.0 → Connection is blocked; Client cannot start.
BVMS 13.0 Operator Client does not connect to an older version Management Server (feature = enabled).
Fig 1.) No further dialog query when starting the Operator Client: Server Certificates are trusted:
Message: “Verifying credentials…”

Fig 2.) Connect to Server: The certification chain cannot be built, so the certificate is not trusted. A query whether to trust it nevertheless is displayed.
Message: “The identity of the server cannot be verified. Contact your system administrator”

Fig 3.) Example: Certificate on Server side is expired
Message: “The identity of the server cannot be verified. Contact your system administrator”

Fig 4.) Certificate on Server side is revoked (manipulated or private key is compromised)
Message: “The identity of the server cannot be verified. Contact your system administrator”

Fig 5.) Connection from BVMS >=13.0 Operator Client to an older BVMS server version, e.g. 12.0: Connection not possible!
Message: “The server’s certificate validation is enabled. Operator Client cannot connect to an older server version”
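
For troubleshooting, the certificate outcomes in the startup scenarios above can be approximated with a standard Windows chain build. The following PowerShell script is an added example, not Bosch code: it assumes the Management Server certificate has been exported to the hypothetical file C:\Temp\bvms-server.cer, and the mapping of .NET chain status flags to the scenarios is an assumption, because this article does not document the Operator Client's internal checks.

```powershell
using namespace System.Security.Cryptography.X509Certificates

param(
    # Hypothetical path: Management Server certificate exported as a .cer file
    [string]$CertPath = 'C:\Temp\bvms-server.cer'
)

function Get-StartupScenario {
    param([X509Certificate2]$Cert)

    # Build the chain against the local trust stores, with revocation checking
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    [void]$chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # Order matters: a blocking condition wins over one that only prompts
    if ($flags -contains [X509ChainStatusFlags]::Revoked) {
        $scenario = 'Revoked: connection is blocked, client cannot start'
    } elseif ($flags -contains [X509ChainStatusFlags]::UntrustedRoot -or
              $flags -contains [X509ChainStatusFlags]::PartialChain) {
        $scenario = 'Untrusted: chain cannot be built to a trusted root, user is prompted'
    } elseif ($flags -contains [X509ChainStatusFlags]::NotTimeValid) {
        $scenario = 'Invalid (e.g. expired): user is prompted'
    } elseif ($flags.Count -eq 0) {
        $scenario = 'Valid: client starts without further interaction'
    } else {
        $scenario = 'Not classified in this article; inspect Flags'
    }

    [pscustomobject]@{
        Subject  = $Cert.Subject
        NotAfter = $Cert.NotAfter
        Flags    = ($flags -join ', ')
        Scenario = $scenario
    }
}

Get-StartupScenario -Cert ([X509Certificate2]::new($CertPath))
```

Run it on the Operator Client workstation, because the result depends on that machine's trusted root store.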

Details of the feature
When upgrading to BVMS 13.0, all previously used BVMS certificates are deleted during the process.
Certificate validation (if enabled) applies to all Operator Client to Management Server connections, except:
Connections over SSH or Enterprise environments are not validated yet; this will be supported in future BVMS versions.
Server SDK to Management Server connections are also not validated yet, even if the feature is enabled. This will be added in future BVMS releases.
For OIDC clients (OpenID Connect feature) connecting to the Management Server:
The default browser handles validation.
To avoid validation errors, export the VmsRoot certificate from the Management Server OS and import it into the OS where the OIDC browser runs (usually the Operator Client).
Important for BVMS Server SDK 3rd party applications using BVMS .dll files:
After upgrading the Management Server to 13.0, you must update these applications by replacing the old .dll files with the new BVMS 13.0 versions.
Do not change the hostname or IP address of the Management Server OS after installing/upgrading to BVMS 13.0, because both are part of the VmsRoot certificate used for validation by the Operator Client.
If you must change them, use the special tool BvmsSvcPreReqInstaller.exe to update and “repair” the certificate accordingly.
This tool comes with every BVMS 13.0 installation and is located here on the Management Server OS:
C:\Program Files\Bosch\VMS\bin
The tool runs via command line (no user interface) and supports install parameters.
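
The VmsRoot export/import for OIDC browsers and the hostname/IP dependency described above, as an added PowerShell example that is not part of the BVMS tooling. Assumptions: the certificate subject contains "VmsRoot", the store it lives in is unknown and therefore searched, the Windows Trusted Root store is the import target, and the file path is hypothetical.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Run on the Management Server OS. Assumption: the subject contains "VmsRoot";
# the article does not name the store, so every LocalMachine store is searched.
function Export-VmsRoot {
    param([string]$OutFile = 'C:\Temp\VmsRoot.cer')   # hypothetical path

    $root = Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [X509Certificate2] -and $_.Subject -like '*VmsRoot*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $root) { throw 'No certificate with "VmsRoot" in its subject found.' }

    # Values bound into the certificate: subject parts plus the
    # Subject Alternative Name extension (OID 2.5.29.17), if present
    $san    = $root.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $text   = $root.Subject + ',' + $(if ($san) { $san.Format($false) })
    $inCert = $text -split ',' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }

    # Current host name, FQDN and IPv4 addresses of this machine
    $entry = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)
    $now = @($env:COMPUTERNAME, $entry.HostName) +
           @($entry.AddressList | Where-Object AddressFamily -eq 'InterNetwork' |
             ForEach-Object IPAddressToString) | Select-Object -Unique

    Export-Certificate -Cert $root -FilePath $OutFile -Type CERT | Out-Null
    [pscustomobject]@{
        Thumbprint = $root.Thumbprint   # compare on the client before importing
        File       = $OutFile
        Matched    = @($now | Where-Object { $inCert -contains $_ })
        Missing    = @($now | Where-Object { $inCert -notcontains $_ })
    }
}

# Run elevated on the OS where the OIDC browser runs, after copying the file there.
# Assumption: the Windows Trusted Root store is the import target.
function Import-VmsRoot {
    param([string]$File, [string]$ExpectedThumbprint)

    $cert = [X509Certificate2]::new($File)
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
    }
    Import-Certificate -FilePath $File -CertStoreLocation Cert:\LocalMachine\Root
}
```

An entry under Missing after a hostname or IP change indicates the situation in which the article recommends repairing the certificate with BvmsSvcPreReqInstaller.exe.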
Nice to know:
For a better understanding of using BVMS v13.0, we encourage you to join our BVMS 13.0 - Technical and Commercial Introduction "Online" Training from KEENFINITY Academy!