Encrypting and Signing a Project with a Certificate

Important

Write protection of the project file and access protection by means of permissions are not sufficient on their own for know-how protection of the project POUs. CODESYS itself, Automation Platform plug-ins, and people with knowledge of the project file format can all view or modify POUs created with CODESYS.

Tip

For general information about certificates in the CODESYS Development System environment, see: Certificates for CODESYS and PLC

To achieve good know-how protection, you should encrypt a project with a certificate and assign this certificate only to specific users in the user administration. To check authorship and integrity, you can also sign the project with a certificate.

Project encryption is set in the Project Settings – Security dialog. There you will also be directed through the certificate selection. The current project file encryption is displayed on the Security Screen of the Project tab.

Note

If the certificate has expired, then encryption is no longer possible, but decryption still works.

  1. Click Project → Project Settings and then select the Security category.

    The Project Settings: Security dialog opens.

  2. Select the Encryption option.

    The Password, Dongle, and Certificates option fields are available.

  3. Select the Encryption option.

    The certificates available for project encryption are listed in the lower part of the dialog.

  4. If no certificate has been entered yet, then click the _cds_icon_cert_store_open.png button to open the Certificate Selection dialog. In this dialog, you can provide a suitable certificate from your local Windows Certificate Store. In the bottom list, select the certificate and use the _cds_icon_arrow_up.png button to move it to the top list. To deselect a certificate, select it in the top list and click the _cds_icon_delete.png button.

    After you click OK to confirm the dialog and return to the Project Settings dialog, the certificate is specified for encryption. The project can now be edited only on computers of users who also have this certificate for decrypting the project files.

    You can now also see the certificate on the Project tab of the Security Screen.

When a project is encrypted with a certificate, this certificate is needed for decryption to open the project. You can assign this certificate to specific user profiles. To do this, select the certificate from the Windows Certificate Store on the User tab of the Security Screen.

  1. Make sure that the project is already encrypted with the certificate before you assign the certificate to a user profile. Otherwise the certificate will not be accepted in the following steps.

  2. In the status bar, double-click the _cds_icon_cyber_screen_grey.png symbol, or click the View → Security Screen command.

    The Security Screen view opens.

  3. On the User tab, select the user profile for which a decryption certificate should be configured. By default, the specified user profile is the one you have used on your computer to sign into Windows. You can also create a new user profile by clicking the _cds_icon_security_add.png symbol.

  4. In the Project file decryption area, click the _cds_icon_cert_store_open.png button.

    The Certificate Selection dialog opens.

  5. Select a certificate with a private key from the list Available certificates in the local Windows Certificate Store. Certificates with a private key are identified by the _cds_icon_cert_private_key.png symbol.

  6. Click the _cds_icon_arrow_up.png button.

    The certificate is added to the upper part of the dialog.

  7. Click OK to confirm your selection.

    The selected certificate is displayed in the Project file decryption area of the Security Screen.

You can delete the certificate in the Security Screen view, either directly on the User tab or in the Certificate Selection dialog. A deletion made in one of them is also applied in the other.

  • Security Screen dialog, User area, Digital Signature, or Project Data Decryption: Select a certificate and click the _cds_icon_delete.png symbol.

  • Certificate Selection dialog: In the Security Screen dialog, in the User area, click the _cds_icon_cert_store_open.png symbol. In the upper field of the Certificate Selection dialog, select the certificate to be deleted and click the _cds_icon_delete.png symbol.

To make sure that the project is not only encrypted with a certificate, but also that its authorship and integrity can be verified, you can add a signature to the project:

  1. In the status bar, click the _cds_icon_cyber_screen_grey.png symbol, or click the View → Security Screen command.

    The Security Screen view opens.

  2. On the User tab, select the user profile for which the digital signature should be created. By default, the specified user profile is the one you have used on your computer to sign into Windows. You can also create a new user profile by clicking the _cds_icon_security_add.png symbol.

  3. In the Digital Signature area, click the _cds_icon_cert_store_open.png button.

    The Certificate Selection dialog opens.

  4. Select a certificate with a private key from the list Available certificates in the local Windows Certificate Store. Certificates with a private key are identified by the _cds_icon_cert_private_key.png symbol.

  5. Click the _cds_icon_arrow_up.png button.

    The certificate is added to the upper part of the dialog.

  6. Click OK to confirm your selection.

    The selected certificate is displayed in the Digital Signature area of the Security Screen.
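
Both certificate selection procedures above require a certificate with a private key, and an expired certificate can no longer be used for encryption. The following PowerShell script is an added example, not part of CODESYS or its documentation, that checks those two properties before you open the Certificate Selection dialog. It assumes the certificates are in the current user's Personal store (Cert:\CurrentUser\My); the function name Get-CertReadiness and the 30-day warning threshold are hypothetical.

```powershell
# Added example, not CODESYS code. Flags the two certificate properties the
# procedures depend on: a private key is present, and the validity has not ended.
$StorePath = 'Cert:\CurrentUser\My'   # assumption: current user's Personal store
$WarnDays  = 30                       # assumption: warning threshold in days

function Get-CertReadiness {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    process {
        $daysLeft = [int][math]::Floor(($Cert.NotAfter - $Now).TotalDays)
        $expired  = $Now -gt $Cert.NotAfter

        # Expired certificates cannot encrypt but can still decrypt (see the Note).
        # Decryption and signature entries need a certificate with a private key.
        $remark = if ($expired -and $Cert.HasPrivateKey) {
            'expired: can still decrypt, cannot encrypt'
        } elseif ($expired) {
            'expired: cannot encrypt'
        } elseif (-not $Cert.HasPrivateKey) {
            'no private key: not selectable for decryption or signature'
        } elseif ($daysLeft -lt $WarnDays) {
            "valid, expires in $daysLeft days"
        } else {
            'valid'
        }

        [pscustomobject]@{
            Subject       = $Cert.Subject
            Thumbprint    = $Cert.Thumbprint
            NotAfter      = $Cert.NotAfter
            HasPrivateKey = $Cert.HasPrivateKey
            Expired       = $expired
            Remark        = $remark
        }
    }
}

# List every certificate in the store, soonest expiry first.
Get-ChildItem -Path $StorePath |
    Get-CertReadiness -WarnDays $WarnDays |
    Sort-Object NotAfter |
    Format-Table -AutoSize -Wrap
```

Run it as the Windows user whose profile is configured on the User tab, so that the store it reads is the one that user's certificates are in.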

Signing a library project

For more information, see: Signing a compiled library