dl-breadcrumbs__homedl-breadcrumb-item__separatorConfiguration and programmingdl-breadcrumb-item__separatorProgramming with CODESYSdl-breadcrumb-item__separatorAutomation Builderdl-breadcrumb-item__separator...dl-breadcrumb-item__separatorSecurity dl-breadcrumb-item__separatorWhat to do when... dl-breadcrumb-item__separatorCA-Signed Certificates Preferred (PLC Shell) dl-breadcrumb-item__separatorRequesting and providing a CA-signed certificate
dl-pagination__prev-inactivedl-pagination__prev-activedl-pagination__next-inactivedl-pagination__next-active
Requesting and providing a CA-signed certificate dl-permalink__symbolPermalink

Requirement: You are connected to the controller.

  1. First, you generate a certificate request for all required certificates or components (CSR = Certificate Signing Request). These can also become client certificates (for example, for the OPC UA client). To do this, click the “PLC Shell” tab of the controller. In the input line, type in the ‎cert-createcsr‎ command.

    Syntax: ‎cert-createcsr [<number retrieved by \"cert-getapplist\">] [encoding=Base64 | ASN.1]‎

  2. Click the “Log” tab and then click the _cds_icon_update.png refresh button.

    In the log entries, you can see that the CSR files were generated.

  3. Click the “Files” tab and open the file path ‎cert/export‎ in the right side of the “Runtime” dialog.

    The ‎export‎ folder contains the generated CSR files.

    Example: ‎0_CmpsecureChannl.csr, 1_CmpApp.csr, 2_CmpWebServer.csr‎

  4. Select a file path where you want to insert the CSR files in the left side of the “Host” dialog, mark the CSR files in the right side of the dialog, and click _cds_button_double_arrow_left.png.

    The CSR files are copied to the required folder.

  5. These certificate requests can be signed by a certificate authority (CA). As a result, you get a certificate signed from the certification authority.

  6. In the steps that follow, you import these signed certificates to your controller.

    After restarting the controller, the CA-signed certificates are used automatically.

    Alternatively, you could also use the 0_Global: Product Security Agent to transfer the certificates to the controller. For more information, see: CODESYS Security Agent.

  7. Select the “Path” ‎cert/import‎ in the right side of the “Runtime” dialog.

  8. In the left side of the “Host” dialog, select the path in the file system where you saved the signed certificates and selected the certificates.

  9. Click _cds_button_double_arrow_right.png.

    The certificates are copied to the ‎cert/import‎ folder.

  10. Click the “PLC Shell” tab.

  11. Type the ‎cert-import own <file name of the certificate.cer>‎ command in the input line of the tab and press the [Enter] key.

    The signed certificates are available to the runtime servers.

In the configuration file of the controller (for example, CODESYSControl.cfg), the name of the organization can be set in the certificate for an OPC UA server with the following entry:

‎[CmpOPCUAServer]‎

‎SECURITY.CompanyOrOrganizationName="<organization name>"‎

If the CODESYS Security Agent installed, there is also an option to change the device security settings on the tabcommunication of the device editor.