Encrypted and signed applications
An application can be encrypted and signed in order to protect a running application in a PLC and to protect a configured project. How to set up the user management, the communication, and the boot application in order to prevent unauthorized access is explained in an application note.
Requirement: A digital signature for certificate exchange is configured.
No certificate use in live system
Self-signed certificates should never be used on production or public websites. The certificates that are created in the following steps are self-signed.
We assume that there is still no certificate on the controller that is intended for encrypted communication. In the following steps, you generate this kind of certificate and encrypt communication:
- Configure the active path to the controller.
- Open the “Security Screen” view by double-clicking the symbol in the status bar or by clicking “View Security Screen”. Select the “Devices” tab.
- Click the button to refresh the list of available devices and their certificate stores.
- Select the corresponding device on the left side.
  On the right side, there is still no license listed for the “Encrypted communication” use case.
- On the right side, select “Encrypted Communication” and click the button to create a new certificate on the device.
  Change the default key length to 4096. Otherwise an error occurs that is only visible in the log of the PLC.
  The certificate is generated and listed in the table with its properties. The symbol before “Encrypted communication” changes accordingly. The field in the "Valid until" column is highlighted in green because the remaining time is still at least two-thirds of the entire validity period.
- In this step, you activate encrypted communication with the controller.
  Open the “Security Screen” view of CODESYS (“Users” tab). In the “Security Level” group, select the “Enforce encrypted communication” option.
  As of this point, communication with all controllers is possible only as long as the certificate is valid on the controller and you have a key for it.
  The connecting line between the development system, the gateway, and the controller is displayed in yellow on the “Communication Settings” tab of the device editor of the controller.
  As an alternative to the “Enforce encrypted communication” option that was just described and which applies to all controllers, you can also encrypt communication with a specific controller only. To do this, open the “Communication” tab in the device editor of the controller. Click “Encrypted Communication” in the “Device” list box.
- Now log in to the controller again.
  A dialog opens with the notification that the certificate of the controller is not signed by a trusted source. In addition, the dialog displays information about the certificate and prompts you to install it as a trustworthy certificate in the local store in the "Controller Certificates" folder.
- Confirm the dialog.
  The certificate is installed in the local store and you are logged in to the controller.
  In the future, communication with the controller will be encrypted automatically with this controller certificate.
Note: When logging in to the controller, the expiration date of the certificate currently in use is checked. You get a warning if the remaining time is just one-third of the entire time or less. Then you can renew the certificate in time in the security screen.
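The validity thresholds from the note above can also be monitored outside the development system, so that a certificate is renewed before enforced encrypted communication stops working. The following Python code is an added example, not part of CODESYS or its documentation. It assumes the controller certificate has been exported and its dates printed with `openssl x509 -noout -dates`; the status names and the sample dates are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: output of `openssl x509 -noout -dates` for an exported
# controller certificate with a 360-day validity period (not a real device).
SAMPLE_DATES = """\
notBefore=Jan  1 00:00:00 2025 GMT
notAfter=Dec 27 00:00:00 2025 GMT
"""

def parse_dates(text):
    """Return (not_before, not_after) as epoch seconds from `-dates` output."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))

def validity_status(text, now=None):
    """Classify a certificate by the share of its validity period still left.

    Returns (status, whole_days_left). Integer arithmetic keeps the
    one-third and two-thirds boundaries exact.
    """
    not_before, not_after = parse_dates(text)
    now = now or datetime.now(timezone.utc)
    t = int(now.timestamp())
    total, left = not_after - not_before, not_after - t
    if t < not_before:
        return "not-yet-valid", left // 86400
    if t >= not_after:
        return "expired", 0
    if 3 * left >= 2 * total:      # at least two-thirds left: shown in green
        status = "fresh"
    elif 3 * left <= total:        # one-third or less: login warning, renew
        status = "renew"
    else:                          # in between: the page names no indicator
        status = "valid"
    return status, left // 86400

if __name__ == "__main__":
    for day in ("2025-02-01", "2025-06-15", "2025-08-29", "2025-12-27"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, validity_status(SAMPLE_DATES, now))
```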