Encrypting Communication with a Certificate and Changing the Security Policy

Tip

To encrypt and/or sign the application code first, see the following instructions: Encrypting and/or Signing the Boot Application.

The following instructions are for configuring and handling encrypted communication between the programming system and the PLC.

Requirement:

  • Encrypted communication with the controller and user management are enforced on the controller.

  • An individual password does not exist yet.

  • A certificate has not been installed on your computer and the connection to the controller has not been configured yet. The CODESYS Security Agent is installed.

  1. In the device tree, double-click the controller.

    The device editor opens.

  2. Click the Communication Settings tab.

  3. In the Device menu, make sure of the following:

    • The Encrypted Communication setting is enabled.

    • Accordingly, the Enforce encrypted communication option is enabled on the User tab of the Security Screen.

  4. On the Communication Settings tab, click the Scan Network button.

  5. Select a controller.

    A dialog opens to notify you that the certificate of the device does not have a trusted signature for communication. You are prompted whether to install this certificate as trusted in the local certificate management on your computer (Option 1) or to accept it for this session only (Option 2).

    Important

    A controller certificate installed in this way is valid for only 30 days. This gives you time for the following long-term solutions:

    • Create an additional self-signed certificate with a longer validity period (for example, 365 days). You can do this on the Security Screen even if a certificate already exists. Alternatively, you can also use the PLC shell commands in the device editor.

      See the two sections below:

      "Configuring a controller certificate with a more long-term validity period for encrypted communication..."

    • Import a CA-signed certificate. This is currently only possible via the PLC shell commands of the runtime. The runtime system makes sure that at least one self-signed certificate is initially available so that encrypted communication is possible from the start. Then you can replace this certificate with a CA-signed one.

  6. If you want to install the certificate, then select Option 1 from Step 5 and click OK to confirm the dialog prompt.

    The certificate is listed as trusted. After accepting the self-signed certificate for the first time, you can establish an encrypted connection with the controller again and again without further prompts.

    A dialog prompt opens with the notice that user management is required for the device but is not enabled yet. You are prompted whether to enable user management. The dialog also notes that in this case you must create a new administrator account and then log in as that user.

  7. Click Yes to close the dialog prompt.

    The Add Device User dialog opens to create an initial device administrator.

  8. Create a device user so that you can edit the user management as this user. In this case, only the Administrator group is available. Define a Name and Password for the device user. The password strength is displayed. Note also the password change options that are set. By default, the user can change the password at any time. Click OK to confirm.

    The Device User Logon dialog opens.

  9. Specify the credentials of the new device administrator that you defined in the previous step.

    You are logged in to the controller. On the Users and Groups tab, you can click the rdncy_icon_update_framed.png button to switch to synchronized mode. The device user management is displayed there and you can edit it.

    After you click OK to confirm, the device user management is displayed in the editor view. It contains the user of the Administrator group that you just defined. The name of this user is also displayed in the taskbar of the window as Device User.

    Tip

    When you are logged in as the device user of the Administrator group which you have just created, you can create additional users and groups.

  10. All saved controller certificates (from Step 6) are stored in the local Windows Certificate Store on your computer. You can open this store with the certmgr.msc command in the Windows Run dialog.

    All registered certificates for encrypted communication with controllers are listed here in Controller Certificates.

Requirements: You have installed the CODESYS Security Agent. You want to replace a temporary certificate which you had created when you first connected to the protected controller with a certificate with a longer validity period.

In this case, the Security Screen view provides an additional tab: Devices. This allows for the simple configuration of certificates for the encrypted communication with controllers. See the help at CODESYS Security Agent: Encrypted Communication with Devices via Controller Certificates.

Choose this less convenient method if you do not have the CODESYS Security Agent. In this case, you can set up a certificate with a longer validity period for communication encryption on the PLC Shell tab in the device editor.

Requirement: You are connected to the controller.

  1. First, check whether a qualified certificate already exists on the controller. If no certificate is available, then create a new certificate.

    In the device tree, double-click the controller to open the device editor. Select the PLC Shell tab.

    The tab is displayed with an empty window. Below that is a command line.

  2. In the command line, type in the cert-getapplist command.

    All certificates in use are listed. The list includes information about the runtime component and whether or not the certificate is available.

  3. If a certificate still does not exist for the component CmpSecureChannel, then type the following command in the input line:

    cert-genselfsigned <number of the component in the applist>

    Otherwise, go directly to Step 5.

  4. Click the Log tab and then click the refresh button (_cds_icon_update.png).

    The display shows whether or not the certificate was generated successfully.

  5. Change back again to the PLC Shell tab and type the command cert-getapplist.

    The new certificate for the component CmpSecureChannel is displayed.

  6. In the next two steps, enable encrypted communication on the Security Screen of CODESYS.

  7. In the status bar, double-click the _cds_icon_cyber_screen_grey.png button to open the Security Screen.

  8. On the User tab, select the Enforce encrypted communication option in the Security Level group.

    The communication to all controllers is encrypted. If a controller has no certificate, then you cannot log in to it.

    The connecting line between the development system, the gateway, and the controller is displayed in yellow on the Communication Settings tab in the device editor of the controller.

  9. As an alternative to the Enforce encrypted communication option which applies to all controllers, you could also define encrypted communication for specific controllers only. To do this, select the Communication Settings tab in the editor of the respective controller. Then click Encrypted Communication in the Device list box.

    The communication with this controller is encrypted. If the controller has no certificate, then you cannot log in to it.

    The connecting line between the development system, the gateway, and the controller is displayed in yellow on the Communication Settings tab of the device editor of the controller.

  10. When you log in to the controller for the first time, a dialog opens with the information that the certificate of the controller is not signed by a trusted authority. In addition, the dialog displays information about the certificate and prompts you to install it as a trusted certificate in the local Windows Certificate Store in the Controller Certificates folder.

    When you confirm the dialog, the certificate is installed in the local store and you are logged in to the controller.

    In the future, communication with the controller will be encrypted automatically with this controller certificate.

  11. To increase security for key exchange for controllers < V3.5.13.0, you can generate Diffie-Hellman parameters on the controller. To do this, type the command cert-gendhparams in the input line.

    This is no longer required for controllers >= V3.5.13.0.

    Important

    Caution: Generating the Diffie-Hellman parameters can take several minutes or even several hours. However, this process only needs to be executed one time for each controller. The Diffie-Hellman parameters increase the security of the key exchange and the resistance of recorded encrypted data to future attacks.
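Because a controller certificate accepted on first login is valid for only 30 days (see the Important note in the first procedure), it is useful to check the trusted controller certificates in the local Windows Certificate Store without opening certmgr.msc each time. The following PowerShell script is an added example and is not part of the CODESYS documentation or product; it assumes that the certmgr.msc folder Controller Certificates (Step 10 of the first procedure and Step 10 of this procedure) is a store of the same name under the current user, reachable through the Cert: drive.

```powershell
# Added example (not CODESYS code): list trusted controller certificates and
# flag those that are expired or will expire within the 30-day window.
# Assumption: the certmgr.msc folder "Controller Certificates" is a CurrentUser
# certificate store of the same name.
$StoreName = 'Controller Certificates'
$WarnDays  = 30   # validity of the temporary certificate accepted on first login

$storePath = "Cert:\CurrentUser\$StoreName"
if (-not (Test-Path $storePath)) {
    Write-Warning "Store '$StoreName' not found. No controller certificate has been accepted yet?"
    return
}

$now = Get-Date
Get-ChildItem $storePath | ForEach-Object {
    $daysLeft = [int]($_.NotAfter - $now).TotalDays

    # A self-signed certificate (Subject equals Issuer) was generated by the
    # runtime itself; a CA-signed replacement has a different Issuer.
    $selfSigned = ($_.Subject -eq $_.Issuer)

    if ($daysLeft -lt 0)               { $status = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays)   { $status = 'RENEW SOON' }
    else                               { $status = 'OK' }

    [pscustomobject]@{
        Controller = $_.Subject
        Thumbprint = $_.Thumbprint
        SelfSigned = $selfSigned
        NotAfter   = $_.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize
```

A certificate reported as EXPIRED will trigger the trust prompt again on the next login; a self-signed entry with few days left is a candidate for replacement by a longer-lived self-signed or CA-signed certificate as described above.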

Tip

Remember that not every controller supports the deactivation of encrypted communication.

Important

We strongly advise against disabling encrypted communication. Especially in connection with an enabled user management, encrypted communication should be enabled so that credentials do not fall into the wrong hands.

Requirement: The connection to the device is established. The device supports encrypted communication.

  1. In the device tree, double-click the controller.

    The device editor opens.

  2. Click the Communication Settings tab.

  3. Open the Device menu in the header of the editor. Click the Change Runtime Security Policy command.

    The Change Runtime Security Policy dialog opens.

  4. In the Communication area, you can choose between the settings Optional encryption, Enforced encryption (recommended), and No encryption.

    When the Encrypted communication option is selected, the connection line between the development system, the gateway, and the device is highlighted in the editor in bold and in color in the graphical representation.

  5. In the lower part of the dialog, in the Device User Management area, you can toggle between the Optional user management and Enforced user management settings.

    Tip

    As an alternative to the Change Runtime Security Policy dialog in the device editor, you could also enable/disable the Enforce encrypted communication setting on the Security Screen.