You achieve know-how protection and copy protection of a boot application with the help of PLC-specific license management and its settings in the object properties of the application. The download code and the boot application can be encrypted and signed.
Encryption with a dongle
Requirements: You have a project with an application that you want to download to the controller as an encrypted boot application. A security key for license management is connected to your computer.
- Select the application in the device tree.
- Select the “Properties” command in the context menu.
  The “Properties - <application name>” dialog opens.
- Click the “Security” tab.
- For “Encryption Technology”, select the “Simple Encryption” option and type the “Product Code” that you received from the hardware manufacturer for the controller. Depending on the controller, it is protected either by a security key (the firmcode is shown automatically) or, for example, by an integrated Wibu memory card.
- Click “Online Login” and download the application.
  If the matching security key and/or a valid license is available, then you can download the application to the controller. By default, a boot application is automatically created at this time in the controller directory. The default setting is defined in the application “Properties”, in the “Boot Application” category.
- Log out, change the application, and log in again.
  You are prompted to perform an online change. The dialog provides the option of updating the boot application on the PLC. If the security key and license match, then you can log in. If not, then you receive a corresponding message.
Encrypting with certificates
Requirements: You have a project with an application that you want to download to the controller as an encrypted boot application. In the Windows Certificate Store of your computer, you have a certificate of this controller for encrypting the application. Note: In case you want to download the application to different controllers, you will need the appropriate certificate for each controller.
- Select the application in the device tree.
- Select the “Properties” command in the context menu.
  The “Properties - <application name>” dialog opens.
- Click the “Security” tab.
- For “Encryption Technology”, select the “Encryption with certificates” option.
  The “Certificates” group is enabled.
- If no certificates are listed in the table, then click the button.
  The “Certificate Selection” dialog opens for selecting a certificate from the local Windows Certificate Store.
- In the lower area, select a certificate and add it to the upper area by clicking the button. Click “OK” to confirm.
  The certificate is shown in the “Certificates” group of the “Encryption” dialog.
- Select the certificate and click “Apply” or “OK”.
  The certificate is now used to encrypt the application. It can only be transferred to the controller from computers that have the corresponding key installed in the Windows Certificate Store.
Signing a boot application with a certificate only (no encryption)
- Click the icon in the status bar of CODESYS to open the “Security Screen” view. Then select a certificate with a private key for a user profile for the “Digital signature”. The procedure is described in the instructions "Configuring a certificate for the digital signature in a user profile".
- Double-click the certificate for the “Digital signature” in the “User” tab.
  The “Certificate” dialog opens.
- On the “Details” tab, click “Copy to file”.
  The “Certificate Export Wizard” starts.
- In the “Export Private Key” prompt, select the “No, do not export the private key” option.
- For “Export File Format”, select the “DER encoded binary X.509 (.CER)” option.
- In the next step, select a file name and the location for the certificate.
- After the last step, “Finish”, a message appears that the export was successful.
- After the successful export, open the device editor in CODESYS by double-clicking the controller in the device tree and select the “Files” tab for the file transfer.
- Select the “Path” cert/import on the right side of the “Runtime” dialog.
- On the left side of the dialog for “Host”, select the path in the file system where you saved the exported certificate and select the certificate.
- Click the copy button.
  The certificate is copied to the cert/import folder.
- Click the “PLC Shell” tab.
- Type the command cert-import trusted <file name of the certificate.cer> in the input line of the tab and press the [Enter] key. Note that the file name is specified with the extension .cer; otherwise the certificate is not imported successfully.
  The certificate is created on the controller under trusted. With this certificate, the controller can check the integrity of the boot application.
- Open the “Security Screen” by double-clicking the icon in the status bar.
- If you want downloads, online changes, and boot applications of your project to always be signed, then select the “Enforce signing of downloads, online changes and boot applications” option in the “Security level” group on the “User” tab. For this, the “Enforce encryption of downloads, online changes and boot applications” option also has to be selected.
Encrypting the download, online change, and boot application
Requirement: The CODESYS Security Agent add-on product is installed.
The “Security Screen” view then provides an additional tab, “Devices”, in which the certificates for encrypted communication with controllers are configured. For this case, see the help for the CODESYS Security Agent.
Alternatives:
If the CODESYS Security Agent is not available to you, then you can proceed as follows by means of the PLC shell of the device editor:
In order to use certificates on the controller for the encryption of downloads, online changes, and boot applications, these certificates first have to be generated on the controller, loaded from the controller, and installed in the Windows Certificate Store.
Requirement: You are connected to the controller.
- Open the device editor by double-clicking the controller in the device tree, and select the “PLC Shell” tab.
  The tab appears with a blank display window. Below that is a command line.
- Type ? in the command line and press the [Enter] key.
  All commands are listed in the display window.
- Type the following command in the command line: cert-getapplist
  All used certificates are listed with information about components and the availability of certificates.
- If no certificate is available for the CmpApp component, then type the command cert-genselfsigned <Number of the Component in the applist>.
- Click the “Log” tab and then the refresh button.
  The display shows whether or not the certificate was generated successfully.
- Type in cert-getcertlist and press the [Enter] key.
  Your own certificates that can be used for encryption are listed. The information Number and Key usage(s) is useful in the next step. Number: The number is specified as a parameter in the next step. Key usage(s): Data encryption means that this is a certificate of the controller for a download, online change, and boot application.
- Export the required certificate by typing in the command cert-export own 0 and pressing the [Enter] key. 0 is the Number of the certificate with Key usage(s): Data encryption.
  The display shows that the certificate has been exported to a cert directory.
- Click the “Files” tab of the device editor.
- Click the refresh button in the right part of the dialog in “Runtime”.
  The list of files and directories is refreshed.
- Open the “cert” folder in the list and then the “export” subfolder.
- In the left part of the dialog in “Host”, open the directory into which the certificate of the controller will be loaded.
- In the right part of the dialog, select the certificate that you have exported and click the copy button.
  The certificate is copied to the selected directory.
- In the file explorer, go to the directory where the certificate was copied and double-click the certificate.
  The “Certificate” dialog opens and shows the information about this certificate.
- On the “General” tab, click “Install Certificate”.
  The “Certificate Import Wizard” starts.
- In the “Certificate Storage” dialog of the “Certificate Import Wizard”, select the “Store all certificates in the following store” option and then select the “Controller Certificates” folder.
  The controller certificate is imported into the Windows Certificate Store in the “Controller Certificates” folder. Now the certificate is available for the encryption of boot applications, downloads, and online changes.
- Open the “Security Screen” by double-clicking the icon in the status bar.
- If you want downloads, online changes, and boot applications of your project to always be encrypted, then select the “Enforce encryption of downloads, online changes and boot applications” option in the “Security level” group on the “User” tab.
- Open the “Project” tab and double-click the application in the “Encryption of boot application, download and online change” area.
  The properties dialog of the application opens.
- Click the “Encryption” tab, select “Encryption with certificates” in the “Encryption technology” list box, and click the button.
  If the “Enforce encryption of downloads, online changes and boot applications” option is selected in the “Security Screen”, then “Encryption with certificates” is already selected.
- In the “Certificate Selection” dialog, select the respective certificate from the “Controller Certificates” folder and click the button.
- Click “OK” to confirm the dialog.
  The certificate is displayed in the properties dialog.
- Confirm the properties dialog of the application.
  The certificate is shown on the “Project” tab of the “Security Screen” in the “Encryption of boot application, download and online change” group.
The boot application, download, and online change are encrypted.
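Before a certificate file is imported into the Windows Certificate Store (the cert-export step above) or into the controller's trusted store (the .CER export in the signing section), it is worth checking that the file really is a bare DER-encoded X.509 certificate without a private key and that its key usage matches its purpose (data encipherment for the encryption certificate, digital signature for the signing certificate). The Go program below is an added example and not part of the CODESYS documentation; the self-signed certificate it builds is a constructed stand-in for a controller certificate, and the names CheckExportedCert and NewSelfSignedDER are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertCheck is what the pre-import check found in an exported certificate file.
type CertCheck struct {
	DataEncipher bool // "Key usage(s): Data encryption" in cert-getcertlist terms
	DigitalSig   bool // what a certificate used for the digital signature needs
}

// CheckExportedCert accepts only a bare DER-encoded X.509 certificate, i.e. the wizard's
// "DER encoded binary X.509 (.CER)" output; PEM text and exports carrying a key are rejected.
func CheckExportedCert(data []byte) (CertCheck, error) {
	if block, _ := pem.Decode(data); block != nil {
		return CertCheck{}, fmt.Errorf("file is PEM text, not DER")
	}
	cert, err := x509.ParseCertificate(data)
	if err != nil {
		return CertCheck{}, fmt.Errorf("not a bare DER X.509 certificate: %w", err)
	}
	return CertCheck{
		DataEncipher: cert.KeyUsage&x509.KeyUsageDataEncipherment != 0,
		DigitalSig:   cert.KeyUsage&x509.KeyUsageDigitalSignature != 0,
	}, nil
}

// NewSelfSignedDER builds a constructed self-signed certificate (a stand-in for one
// generated on the controller with cert-genselfsigned) with the given key usage.
func NewSelfSignedDER(cn string, usage x509.KeyUsage) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour), KeyUsage: usage}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, _ := NewSelfSignedDER("plc-example", x509.KeyUsageDataEncipherment)
	fmt.Println(CheckExportedCert(der))
}
```

To check a real export, read the .cer file into a byte slice and pass it to CheckExportedCert instead of the constructed certificate.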
See also
- Help for the CODESYS Security Agent add-on product
Deleting a certificate for the encryption of boot application, download, and online change
Requirement: The CODESYS Security Agent add-on product is installed. A certificate with the information "Encrypted Application" is already installed on your computer.
- In the “Security Screen” view, on the “Project” tab, in the bottom view, click the entry for the application.
  The “Properties” dialog for the application opens with the “Encryption” tab.
- For “Encryption Technology”, select “Encryption with certificates”. In the “Certificates” group, click the button.
- In the “Certificate Selection” dialog, delete the certificate as described above.
- Click “OK” to close the “Certificate Selection” dialog.
  The certificate is no longer displayed in the “Properties” dialog.
See also
- Help for the CODESYS Security Agent add-on product