Certificates for CODESYS and PLC
CODESYS supports signing and encryption with X.509 certificates.
The certificates for encryption in the CODESYS Development System or for communication with the PLC can be self-signed or CA-signed. Which level of certification is used depends on the security requirements. You can create certificates with external tools or in the CODESYS environment.
CA-signed certificates must be issued by a trusted external Certification Authority (CA) or by a CA operated at the operator's facility. To obtain a CA-signed certificate, you generate a key pair and a Certificate Signing Request (CSR), send the CSR to the CA, and install the certificate the CA returns on your computer or on the PLC. Only the CSR is sent; the private key stays on the device that generated it.
Important
The CA uses the data from the CSR to create the X.509 certificate for the PLC. When signing the CSR, the CA must carry over the following X.509v3 extensions from the CSR: Key Usage, Extended Key Usage, and Subject Alternative Name, each with the Critical flag. Check the issued certificate for these three extensions before installing it: many CA tools do not copy CSR extensions by default.
You can create self-signed certificates yourself with your own private key, but they are not signed by a CA. When you create self-signed certificates in the CODESYS environment, you get help from dialogs and encryption wizards.
Tip
A self-signed certificate is useful for testing purposes or as a temporary solution until a CA-signed certificate is available.
Certificate management on the local Windows computer: Valid certificates for the encryption of a CODESYS project and for the exchange between the PLC and the CODESYS Development System must be stored in the local Windows Certificate Store (certmgr) on your computer.
Tip
To install a certificate file from the local file system in the Windows Certificate Store, double-click the file in the file directory. The import wizard then guides you through the installation.
Certificate management on the PLC is the responsibility of the system operator. For more information, see: Certificates of the PLC
The Security Screen provides an interface for certificate handling for the project as well as for the certificates required for communication with the PLC. In the case of communication between CODESYS and the PLC, the Security Screen provides an alternative to the corresponding commands in the PLC Shell of the device editor.
Certificates are used and managed in the following places:
Package: In the CODESYS Package Designer.
Project: In the Project Settings dialog.
Individual POUs in the project: Using the functions of the CmpX509Cert.library library.
Library: When saving in CODESYS as a compiled library file.
Application code, boot application, download source code, online change: Immediate support for creating a certificate is provided by an encryption wizard in the Properties dialog of the application.
Communication between the programming system and the PLC: Immediate support for creating a certificate for encrypted communication with the controller is provided when you first connect to a protected controller. This certificate is initially only valid temporarily.
Communication between the Automation Server Connector via the Edge Gateway and the Automation Server: In CODESYS Automation Server V1.35.0.0 and higher, the Quick Setup dialog helps you set up certificate-encrypted communication.
Communication between a WebVisu and a web browser: On the Security Screen, Devices tab (CmpOpenSSL component in the runtime system). Extended requirement in this case: for the browser to consider the certificate secure, it must have been signed by a certification authority that the browser trusts.
Communication between a project and a remote TargetVisu: Immediate support at first startup if the runtime system requires encrypted communication.
Communication via OPC UA Server: On the Security Screen. When signing the CSR, the CA must carry over the following X.509v3 extensions from the CSR: Key Usage, Extended Key Usage, and Subject Alternative Name, each with the Critical flag.
HTML5 visualization element: In the Visualization Element Repository dialog.
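The CSR signing requirement stated in the Important box above and repeated for the OPC UA server (Key Usage, Extended Key Usage and Subject Alternative Name, each marked Critical) is easy to get wrong on the CA side, because signing tools typically discard the extensions a CSR requests unless told otherwise. The following added example is not CODESYS code and not part of the original page; it uses OpenSSL to play both roles of the round trip: a PLC-side key pair and CSR that requests the three extensions as critical, an operator CA that signs it, and a check on the issued certificate. It signs the CSR twice, once the wrong way (extensions silently dropped) and once the right way, and the check function distinguishes the two. The CA name, the PLC hostname plc-01.example.local, the IP address 192.0.2.10 and all file names are made up; OpenSSL 1.1.1 or later is assumed on PATH.

```shell
#!/bin/sh
# Added example, not CODESYS code. Issue a CA-signed PLC certificate from a CSR
# that requests Key Usage, Extended Key Usage and Subject Alternative Name
# (all critical), then verify the CA really carried them into the certificate.
# Assumed: openssl >= 1.1.1. Names, hostnames and the IP address are made up.
set -e

# Config for the PLC-side CSR. The [ v3_plc ] section is also what the CA
# signs with, so the issued certificate carries exactly what the CSR asked for.
write_configs() {
  cat > "$1/plc_ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_plc
prompt             = no

[ dn ]
CN = plc-01.example.local
O  = Example Plant Operator

[ v3_plc ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName   = critical, DNS:plc-01.example.local, IP:192.0.2.10
EOF
  # Minimal config for a self-signed operator CA (made-up name).
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = Example Plant Operator CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# $1 = certificate file, $2 = extension name as "openssl x509 -text" prints it.
# Succeeds only if the extension is present AND flagged critical.
has_critical_ext() {
  openssl x509 -in "$1" -noout -text | grep -q "^ *$2: critical$"
}

# The acceptance check a practitioner runs before installing the PLC certificate.
check_plc_cert() {
  has_critical_ext "$1" "X509v3 Key Usage" &&
  has_critical_ext "$1" "X509v3 Extended Key Usage" &&
  has_critical_ext "$1" "X509v3 Subject Alternative Name"
}

# $1 = working directory. Produces ca.crt, plc.key, plc.csr, plc_noext.crt, plc.crt.
issue_plc_cert() {
  d=$1
  write_configs "$d"
  # Operator CA key and self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$d/ca.key" -out "$d/ca.crt" -config "$d/ca.cnf" 2>/dev/null
  # PLC key pair and CSR. Only plc.csr would travel to the CA; plc.key stays put.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$d/plc.key" -out "$d/plc.csr" -config "$d/plc_ext.cnf" 2>/dev/null
  # WRONG: "openssl x509 -req" ignores CSR extensions unless told to add them,
  # so this certificate has none of the three required extensions.
  openssl x509 -req -in "$d/plc.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -out "$d/plc_noext.crt" 2>/dev/null
  # RIGHT: sign with the same extension section the CSR requested.
  openssl x509 -req -in "$d/plc.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -extfile "$d/plc_ext.cnf" -extensions v3_plc \
    -out "$d/plc.crt" 2>/dev/null
  # Chain check: the issued certificate must validate against the operator CA.
  openssl verify -CAfile "$d/ca.crt" "$d/plc.crt" >/dev/null
}

WORK=$(mktemp -d)
issue_plc_cert "$WORK"
if check_plc_cert "$WORK/plc.crt"; then
  echo "plc.crt: Key Usage, Extended Key Usage and SAN present and critical"
fi
if ! check_plc_cert "$WORK/plc_noext.crt"; then
  echo "plc_noext.crt: extensions missing, the CA ignored the CSR (do not install)"
fi
```

Run it with sh; the generated files land in a temporary directory printed by mktemp. To inspect an issued certificate by hand, use openssl x509 -in plc.crt -noout -text and look for the three "X509v3 ... : critical" lines. If the CA side uses openssl ca instead of openssl x509 -req, the equivalent setting is copy_extensions = copy in the CA section of its config; OpenSSL 3 also accepts -copy_extensions copy on openssl x509 -req. In either case the check_plc_cert step is the part worth keeping: it is cheap, and it catches the failure mode the Important box warns about before a certificate without the required extensions reaches the PLC.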