Certificates of the PLC

For general information about certificates in the CODESYS Development System environment, see: Certificates for CODESYS and PLC

When handling PLC certificates, the role of the "user" must be differentiated. The system operator needs to make sure that only a user in the role of system administrator can configure and renew certificates in the PLC certificate store. Only a system administrator may also modify the certificate revocation list on the PLC.

Certificate store of the PLC, Windows Certificate Store

The configuration of the PLC certificate store defines the use cases for which the PLC expects valid certificates from CODESYS Development System. These must then be installed on your computer in the local Windows Certificate Store.

CODESYS makes it easier to create and manage the necessary PLC certificates using encryption wizards and the Security Screen view, Devices tab. Alternatively, you can also use the PLC Shell commands of the device editor. At both locations, you can view the certificate store of the currently connected PLC and create certificates. Both locations also provide an overview of all "use cases" on the PLC for which a certificate is required, and show whether a certificate already exists for each of them. Examples of use cases: Encrypted communication, OPC UA Server.

In the use case, CODESYS first checks whether the required certificates are available as Trusted Certificates in the local Windows Certificate Store.

Self-signed certificates

If a valid certificate has not yet been installed locally on the PLC for an application, then you can generate a self-signed certificate on the Security Screen or via the PLC Shell on the controller so that you can continue working with it immediately. The self-signed certificate is initially created in the Own Certificates category. You can move it later to the Trusted Certificates category so that the PLC trusts it in future. Certificates can also end up in other categories: for example, they are classified as untrusted because of a blacklist, or they are placed in quarantine for explicit verification because the PLC itself was unable to check them immediately. After checking is completed, you can move such certificates to the Trusted Certificates category. You can also delete certificates from the PLC. For more information, see: Generating Self-Signed Certificates

CA-signed certificates

To achieve a higher level of security, you should replace a self-signed certificate with a CA-signed certificate. If you do not yet have a CA-signed certificate, then you can request one from a CA office (Certificate Signing Request, CSR). To do this, export the relevant PLC certificate file from the Security Screen or via the PLC Shell to the local file system. After the signed CA certificate has been returned, import it back into the PLC certificate store and the local Windows Certificate Store.

A CSR can be generated directly via the PLC Shell and, with CODESYS Security Agent V1.4.0.0 or higher, also from the Security Screen (Devices tab). For more information, see:

Note that the CA-signed certificate carries over the following entries from the CSR: Key Usage, Extended Key Usage, and Subject Alternative Name, each with the Critical flag set.

For more information, see: Requesting and Providing CA-Signed Certificates via the PLC Shell

Multiple certificates for the same use case

If multiple certificates are available on the PLC for one use case, then the system uses the following ordered steps to determine which certificate to use:

  • Certificate which was created directly by the user (currently not supported)

  • Filtering of existing certificates by:

    • Subject (user of the certificate)

    • Key usage

    • Extended key usage

    • Valid timestamp

  • Dividing the valid certificates found into "signed" and "self-signed"

  • Filtering the signed certificates and the self-signed certificates by the following criteria:

    • Longest validity period

    • Strongest key
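The ordered selection above, written out as an added example (not CODESYS code) over a constructed model of certificate attributes. It assumes, since the list implies but does not state it, that a CA-signed certificate is preferred over a self-signed one whenever both pass the filters, and it reads "longest validity period" as the total period between Not Before and Not After.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the attributes the selection reads (not CODESYS's own structure).
@dataclass(frozen=True)
class PlcCert:
    name: str
    subject: str
    key_usage: frozenset
    ext_key_usage: frozenset
    not_before: datetime
    not_after: datetime
    key_bits: int
    self_signed: bool

def select_certificate(certs, subject, key_usage, ext_key_usage, now):
    # Step 1: keep certificates matching subject, key usage and extended key
    # usage whose validity window contains the current time.
    valid = [c for c in certs if c.subject == subject and key_usage <= c.key_usage
             and ext_key_usage <= c.ext_key_usage and c.not_before <= now <= c.not_after]
    # Step 2: divide into signed and self-signed. Assumption (not stated on the
    # page): a CA-signed certificate is preferred whenever one qualifies.
    signed = [c for c in valid if not c.self_signed]
    pool = signed or valid
    if not pool:
        return None
    # Step 3: longest validity period, then strongest key. The page does not say
    # whether "validity period" means total or remaining; total is used here.
    return max(pool, key=lambda c: (c.not_after - c.not_before, c.key_bits))

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
SERVER_KU = frozenset({"digitalSignature", "keyEncipherment"})
SERVER_EKU = frozenset({"serverAuth"})

def _cert(name, years, key_bits, self_signed, eku=SERVER_EKU, start=NOW):
    return PlcCert(name, "OPC UA Server", SERVER_KU, eku, start - timedelta(days=30),
                   start + timedelta(days=365 * years), key_bits, self_signed)

# Constructed sample store holding several certificates for one use case.
SAMPLE_CERTS = [
    _cert("self-signed-10y-4096", 10, 4096, True),
    _cert("self-signed-10y-2048", 10, 2048, True),
    _cert("ca-3y-2048", 3, 2048, False),
    _cert("ca-expired", 1, 2048, False, start=NOW - timedelta(days=800)),
    _cert("ca-client-only", 5, 4096, False, eku=frozenset({"clientAuth"})),
]

def chosen_name(certs=SAMPLE_CERTS):
    chosen = select_certificate(certs, "OPC UA Server", SERVER_KU, SERVER_EKU, NOW)
    return chosen.name if chosen else None

def chosen_name_without_ca():
    # Only self-signed candidates remain: validity ties, so the stronger key decides.
    return chosen_name([c for c in SAMPLE_CERTS if c.self_signed])
```

The expired and client-only certificates never reach step 2, and the CA-signed certificate wins over a self-signed one with a longer validity and a stronger key.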

Renewal of certificates

The system operator needs to make sure that a certificate is renewed in time. For more information, see: Renewing a Certificate

Certificate revocation list

The certificate revocation list can currently only be exchanged via the PLC Shell. Only the system administrator of the system operator should be able to exchange the blacklist.

Tip

For a reference of the functions of the Security Screen, see: Security Screen

For a reference of the PLC shell functions, see: PLC Shell