Skip to main content

Encryption of the Boot Application, Download, and Online Change

Tip

For more information about security and encryption in CODESYS see: CODESYS Security.

Aim: You want to encrypt boot applications, downloads, and online changes with a certificate to make sure that the application on the controller cannot be exchanged at will. To do this, you need to download a corresponding certificate of the type "Encrypted Application" from the controller and install it to the "Windows Certificate Store" of your computer. This certificate is required for all development environments that need to make changes to the application on the controller. For example, if this application has to be downloaded from another computer, then the certificate also has to exist on this computer.

Encrypting the boot application, download, and online change with the encryption wizard

Requirement: The active path to the controller is configured.

  1. Open the Properties dialog of the application.

  2. Click the Security tab. Set Protection to Encryption with certificates.

    The Encryption Wizard button is available in the Certificates for encryption field.

  3. Click the Encryption Wizard button.

    The Encryption Wizard dialog opens. The status is Not connected and Ready is displayed in Details.

  4. Click the Start button.

    The wizard searches for suitable certificates on the controller. If necessary, the controller creates a new certificate which is registered in the Certificate Store of your computer.

    NOTE: A certificate acquired this way is automatically accepted as trusted.

    If a certificate for application encryption already exists on the controller, then that one is used.

    If a new certificate has to be created on the controller for your CODESYS, then the Certificate Settings dialog opens to configure the key length for the private key and the validity period.

  5. In the Certificate Settings dialog, click OK to confirm the default or edited values for key length and validity period.

    CODESYS saves the values in the CODESYS options as the default for the next certificate configuration of this kind.

    In the Details of the wizard, you see a description of the performed actions and the thumbprint of the recently created certificate.

  6. When the status reaches Wizard finished, close the wizard.

    The new certificate is listed in the Certificates for encryption field of the properties dialog. In the Certificate Store, it is listed under Controller Certificates. In the Security Screen view, on the Devices tab, the certificate is displayed in the right window with the Encrypted Application information.

  7. Confirm the Properties dialog of the application.

  8. Open the Security Screen view.

    On the Project tab, in the Encryption of Boot Application, Download, and Online Change group, the certificate is displayed with the Encrypted Application information.

    Boot application, download, and online change are therefore encrypted and only possible as long as the configured certificate and signature are valid.

Encrypting the boot application, download, and online change without the encryption wizard

Requirement: The active path to the controller is configured. There is still no certificate on the controller which is suitable and valid for encryption. The CODESYS Security Agent is installed, which includes the Security Screen, Devices view.

  1. To open the Security Screen view, double-click the _cds_icon_cyber_screen_grey.png symbol in the status bar or click View → Security-Screen. Open the Devices tab.

  2. Click the _cds_icon_synchronization.png Refresh List of Available Devices and Their Certificate Stores button.

  3. On the left side, select the device.

  4. On the right side, select Encrypted Application and click the Create New Certificate on Device button.

    The certificate is created and listed in the table with the _cds_icon_cert_private_key.png symbol.

  5. Double-click the certificate entry.

    The Windows Certificate default dialog opens.

  6. On the General tab, click Install Certificate.

    The Certificate Import Wizard starts.

  7. In the Certificate Store dialog, select the Place all certificates in the following store option and select the Controller Certificates folder for Certificate Store.

    The controller certificate is imported into the Windows Certificate Store in the Controller Certificates folder. Now the certificate is available for the encryption of boot applications, downloads, and online changes.

  8. Open the Project tab and double-click the application entry in the Encryption of Boot Application, Download, and Online Change group.

    The Properties dialog of the application opens.

  9. Click the Encryption tab and set Encryption Technology to Encryption with certificates. Then click _cds_icon_cert_store_open.png.

    Note: If the Enforce encryption of downloads, online changes, and boot applications option is selected in the Security Screen, then Encryption with certificates is already preset.

  10. In the Certificate Selection dialog, select the respective certificate from the Controller Certificates folder and click _cds_icon_arrow_up.png.

  11. Click OK to confirm the dialog.

    The certificate is displayed in the properties dialog.

  12. As above when using the wizard, steps 7 and 8.

Enforcing the encryption of boot applications, downloads, and online changes

  • In the Security Screen, open the Users tab. In the Security Level group, select the Enforce encryption of downloads, online changes, and boot applications option.

    Only with a valid certificate is it possible to change the application on the controller.

: