Encrypted Communication with Devices via Controller Certificates
Tip
For more information about certificates and security, see CODESYS: CODESYS Security.
Requirement: A digital signature for certificate exchange is configured.
We assume that the controller does not yet have a certificate intended for encrypted communication. In the following steps, you generate such a certificate and switch communication to encryption:
Configure the active path to the controller.
To open the Security Screen view, double-click the security symbol in the status bar or choose the corresponding menu command. Select the Devices tab.
Click the refresh button to update the list of available devices and their certificate stores.
On the left side, select the corresponding device.
On the right side, no certificate is listed yet for the Encrypted communication use case.
On the right side, select Encrypted Communication and click the button to create a new certificate on the device. In the Certificate Settings dialog, click OK to confirm the default settings for Key length and Validity period.
The certificate is generated and listed in the table with its properties. The symbol before Encrypted communication changes to show that a certificate is now present. The field in the "Valid until" column is highlighted in green because at least two-thirds of the entire validity period still remains.
In this step, you activate encrypted communication with the controller:
Open the Security Screen view of CODESYS (Users tab). In the Security Level group, select the Enforce encrypted communication option.
As of this point, communication with any controller is possible only as long as a valid certificate exists on that controller and you have a key for it.
The connecting line between the development system, the gateway, and the controller is displayed in yellow on the Communication Settings tab in the device editor of the controller.
As an alternative to the Enforce encrypted communication option which was just described and which applies to all controllers, you can also encrypt communication with a specific controller only. To do this, open the Communication tab in the device editor of the controller. Click Encrypted Communication in the Device list box.
Now log back in to the controller.
A dialog opens with the notification that the certificate of the controller is not signed by a trusted source. In addition, the dialog displays information about the certificate and prompts you to install it as a trusted certificate in the local store in the "Controller Certificates" folder.
Confirm the dialog.
The certificate is installed in the local store and you are logged in to the controller.
In the future, communication with the controller will be encrypted automatically with this controller certificate.
Note: When logging in to the controller, the expiration date of the certificate currently in use is checked. You get a warning if the remaining time is one-third of the entire validity period or less. You can then renew the certificate in time in the security screen.
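The two thresholds described above (green while at least two-thirds of the validity period remains, warning once one-third or less is left) are easy to reproduce outside the IDE, for example in a script that watches a fleet of controllers for certificates approaching renewal. The following is an added example and not CODESYS code; the function names, the state labels and the sample dates are constructed for illustration, and the only inputs it needs are the certificate's notBefore and notAfter timestamps.

```python
"""
Validity-window check modelled on the CODESYS security-screen colouring:
a certificate is "ok" (green) while >= two-thirds of its validity period
remains and "warn" once <= one-third remains. Added example, not CODESYS
code; names and sample dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds taken from the documentation text above.
WARN_FRACTION = 1 / 3    # warning at one-third remaining or less
GREEN_FRACTION = 2 / 3   # green while two-thirds or more remains


@dataclass(frozen=True)
class ValidityStatus:
    state: str                 # "not_yet_valid", "ok", "aging", "warn", "expired"
    remaining_fraction: float  # share of the validity period still ahead
    renew_after: datetime      # instant at which the warning threshold is crossed


def classify_validity(not_before: datetime, not_after: datetime,
                      now: datetime) -> ValidityStatus:
    """Classify a certificate's validity window relative to 'now'.

    All three timestamps must be timezone-aware and comparable. The function
    also reports the instant from which the IDE would start warning, so a
    monitoring job can schedule renewal ahead of that date.
    """
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    total = not_after - not_before
    # Warning starts when only WARN_FRACTION of the period is left.
    renew_after = not_after - total * WARN_FRACTION

    if now < not_before:
        return ValidityStatus("not_yet_valid", 1.0, renew_after)
    if now >= not_after:
        return ValidityStatus("expired", 0.0, renew_after)

    remaining = (not_after - now) / total  # timedelta / timedelta -> float
    if remaining >= GREEN_FRACTION:
        state = "ok"        # shown green in the security screen
    elif remaining > WARN_FRACTION:
        state = "aging"     # neither green nor warning yet
    else:
        state = "warn"      # login produces the renewal warning
    return ValidityStatus(state, remaining, renew_after)


def sample_certificate() -> tuple[datetime, datetime]:
    """Constructed 300-day validity window used for the demonstration."""
    not_before = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return not_before, not_before + timedelta(days=300)


if __name__ == "__main__":
    nb, na = sample_certificate()
    for offset_days in (50, 150, 210, 301):
        status = classify_validity(nb, na, nb + timedelta(days=offset_days))
        print(f"day {offset_days:3d}: {status.state:14s} "
              f"remaining={status.remaining_fraction:.2f} "
              f"renew after {status.renew_after.date()}")
```

Running the script walks one constructed certificate through its lifetime: green early on, an intermediate state once less than two-thirds remains, the warning state from day 200 of 300 onwards, and expiry after day 300. In a real monitoring job the timestamps would come from the controller certificate's notBefore/notAfter fields.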