dl-breadcrumbs__homedl-breadcrumb-item__separatorConfiguration and programmingdl-breadcrumb-item__separator...dl-breadcrumb-item__separatorEngineering interfaces and toolsdl-breadcrumb-item__separatorCODESYS Security Agentdl-breadcrumb-item__separatorEncryption of the Boot Application, Download, and Online Change
dl-pagination__prev-inactivedl-pagination__prev-activedl-pagination__next-inactivedl-pagination__next-active
Encryption of the Boot Application, Download, and Online Changedl-permalink__symbolPermalink

Encrypted and signed applications

An application can be encrypted and signed in order to protect a running application in a PLC and to protect a configured project. How to set-up the user management, the communication and the boot application in order to prevent unauthorized access is explained in an ‎⮫ application note.

Aim: You want to encrypt boot applications, downloads, and online changes with a certificate to make sure that the application on the controller cannot be exchanged at will. To do this, you need to download a corresponding certificate of the type "Encrypted Application" from the controller and install it to the "Windows Certificate Store" of your computer. This certificate is required for all development environments that need to make changes to the application on the controller. For example, if this application has to be downloaded from another computer, then the certificate also has to exist on this computer.

See also

Encrypting the boot application, download, and online change with the encryption wizard

Requirement: The active path to the controller is configured.

  1. Open the “Properties” dialog of the application.

  2. Click the “Encryption” tab. Set “ Encryption Technology” to “Encryption with certificates”.

    The “Encryption Wizard” button is available in the “Certificates” field.

  3. Click the “Encryption Wizard” button.

    The “Encryption Wizard” dialog opens. The status is ‎Not connected‎ and under “Details” is ‎Ready‎.

  4. Click the “Start” button.

    The wizard searches for suitable certificates on the controller. If necessary, the controller creates a new certificate which is registered in the Certificate Store of your computer.

    NOTE: A certificate obtained this way is automatically accepted as trusted.

    If a certificate for application encryption already exists on the controller, then it is used.

    If a new certificate has to be created on the controller for your CODESYS, then the “Certificate Settings” dialog opens for configuring the key length for the private key and the validity period.

  5. In the “Certificate Settings” dialog, click “OK” to confirm the default or edited values for key length and validity period.

    CODESYS saves the values in the CODESYS options as the default for the next certificate configuration of this kind.

    In the “Details” of the wizard, you see a description of the performed actions and the thumbprint of the recently created certificate.

  6. When the status reaches “Wizard finished”, close the wizard.

    The new certificate is listed in the “Certificates” field of the properties dialog. In the “Certificate Store”, it is listed under “Controller Certificates”. In the “Security Screen” view, on the “Devices” tab, the certificate is displayed in the right window with the “Encrypted Application” information.

  7. Confirm the “Properties” dialog of the application.

  8. Open the “Security Screen” view.

    On the “Project” tab, in the “Encryption of boot application, download and online change” group, the certificate is displayed with the “Encrypted Application” information.

    Boot application, download, and online change are therefore encrypted and only possible as long as the configured certificate and signature are valid.

See also

Encrypting the boot application, download, and online change without the encryption wizard

Requirement: The active path to the controller is configured. There is still no certificate on the controller that is suitable and valid for encryption.

  1. Open the “Security Screen” view by double-clicking the _cds_icon_cyber_screen_grey symbol in the status bar or by clicking View  Security Screen. Open the “Devices” tab.

  2. Click the _cds_icon_synchronization “Refresh the list of available devices and their certificate stores” button.

  3. Select the device listed on the left side.

  4. Select “Encrypted Application” on the right side and click the “Create a new certificate on the device” button.

    Change the default key length to 4096. Otherwise an error occurs that is only visible in the log of the PLC.

    The certificate is created and listed in the table with the _cds_icon_cert_private_key symbol.

  5. Double-click the certificate entry.

    The Windows “Certificate” default dialog opens.

  6. Click the “Install certificate” button on the “General” tab.

    The “Certificate Import Wizard” opens.

  7. In the “Certificate Store” dialog, select the “Place all certificates in the following store” option and select the “Controller Certificates” folder for “Certificate Store”.

    The controller certificate is imported to the “Controller Certificates” directory and it is immediately available for the encryption of downloads, online changes, and boot applications.

  8. Open the “Project” tab and double-click the application entry in the “Encryption of boot application, download and online change” group.

    The “Properties” dialog of the application opens.

  9. Click the “Encryption” tab and set “Encryption Technology” to “Encryption with certificates”. Then click _cds_icon_cert_store_open. Note: If the “Enforce encryption of downloads, online changes and boot applications” option is selected in the “Security Screen”, then “Encryption with certificates” is already preset.

  10. In the “Certificate Selection” dialog, select the corresponding certificate from the “Controller Certificates” folder and click _cds_icon_arrow_up.

  11. Click “OK” to confirm the dialog.

    The certificate is displayed in the properties dialog.

  12. As above when using the wizard, steps 7 and 8.

Enforcing the encryption of boot applications, downloads, and online changes

  1. Open the “Users” tab in the “Security Screen”. In the “Security level” group, select the “Enforce encryption of downloads, online changes and boot applications” option.

    Only with a valid certificate is it possible to change the application on the controller.

See also

  • CODESYS Help: "Security-Screen"