dl-breadcrumbs__homedl-breadcrumb-item__separatorConfiguration and programmingdl-breadcrumb-item__separatorEngineering interfaces and toolsdl-breadcrumb-item__separator...dl-breadcrumb-item__separatorCODESYS Security Agentdl-breadcrumb-item__separatorReference, User Interfacedl-breadcrumb-item__separatorView 'Security Screen' - 'Devices'
dl-pagination__prev-inactivedl-pagination__prev-activedl-pagination__next-inactivedl-pagination__next-active
View 'Security Screen' - 'Devices'dl-permalink__symbolPermalink

Symbol: _cds_icon_cyber_screen_grey

Function: The tab allows for the configuration and the transfer of controller certificates for encrypted communication with the controller.

Call: Menu bar: “View”

The “Devices” tab shows all PLC devices configured in the project and their certificate store. If the communication path to the controller is configured, then you see the certificates that are stored in memory. Here you can create and configure new certificates on the controller. If a certificate currently in use is about to expire, then you get a warning when you log in to the device. From there you can also switch directly to the “Security Screen” to renew the certificate.

Left side: “Information”

Devices and certificate store

Shows the individual devices _csa_icon_device as expandable nodes, each with the controller-specific _csa_icon_cert_store_open certificate store below it.

Toolbar (left side)

_csa_icon_refresh: Refresh the display

_csa_icon_download_cert: Download: Transfer the selected certificate to the PLC

Right side:

“Information”

If the active path to the controller is set and a device node is selected, then every use case for controller certificates is displayed on the right side.

  • “OPC UA Server”: Encrypted communication over an OPC UA server

  • “Encrypted Communication”: Encrypted communication between the development system and the controller

  • “Encrypted Communication”: Encryption of the boot application

  • “Web server”: Encrypted communication with the web server

As long as a certificate is not available for one of these use cases, it is displayed with the _csa_icon_certificate_not_available symbol as “(not available)”.

When a certificate store is selected on the left side, all certificates in it are displayed on the right side with the following information:

“Information”: Use case (currently the controller component in question is displayed: for example “CmpSecureChannel”.)

“Created for”: Name of the computer for which the certificate was created (for example, “MyLocalPC”)

“Created by”: Name of the computer on which the certificate was created (for example, “MyLocalPC”)

“Valid as of”: Date (for example, “07/20/2017 15:09:29”)

“Valid until”: Date (example: “07/20/2022 00:00:00”. Depending on the remaining time of the certificate, the highlight color of the field changes: green -> yellow (two-thirds expired) -> orange (nine-tenths expired) -> red (expired). Note: When logging in to the controller, you get a warning when two-thirds or more of the validity period have expired. Then you can renew the certificate here in the “Security Screen”.

“Thumbprint”: Hash value from specific properties of the certificate for purposes of identification (for example, “279e1a46b86bd636c8e6f19fd51c222469ec49a8”)

This thumbprint can be used together with the Mqtt library. Refer to the Mqtt library documentation in the Library Manager.

Double-clicking a certificate entry opens the default Windows “Certificate” dialog. As a result, you can import a controller certificate into the Windows Certificate Store in the “Controller Certificates” folder, so that it is available for the encryption of boot applications, downloads, and online changes.

If multiple certificates are available for one use case, then the system follows the steps below to determine the certificate that is used:

  • Certificate that was created directly by the user (currently not supported)

  • Filtering of existing certificates by:

    • 1. Subject (user of the certificate)

    • 2. Key usage

    • 3. Extended key usage

    • 4. Valid time stamp

  • Dividing of detected, valid certificates as "signed" and "self-signed"

  • Filtering of signed certificates, and the self-signed certificates by the following criteria:

    • 1. Longest validity period

    • 2. Strongest key

Drag&Drop: Moving of the certificate to another certificate store of the same device

Double-clicking a certificate entry opens the default Windows dialog for displaying all certificate information.

Toolbar (right side)

_csa_icon_create_cert: Creates a new certificate for a specific use case

The “Certificate Settings” dialog opens for configuring the “Validity period” of the certificate and the “Key length” for the private key. Clicking “OK” saves the specified values in the CODESYS options. The values are reset at the next operation.

As long as the certificate is being created, "“(computing)”" is shown after the use case. You cannot cancel the creation operation, but you can close and continue working with the “Security Screen”.

_csa_icon_delete_cert: Delete the selected certificate.

_csa_icon_upload_cert: Upload and save the selected certificate to the local file system.

I_csa_icon_details_certificate: Details about the selected certificate: Opens the “Certificate” dialog with the “General” tab, “Details” tab, and “Certification Path” tab.

_csa_icon_recreate_certificate: Renew the selected certificate. Opens the “Certificate Settings” dialog to create an additional new certificate for a certificate that will expire soon, with the same purpose and specified key length. The predefined values in the dialog are adapted, if necessary, depending on the selected certificate.