Requesting and Providing CA-Signed Certificates via the PLC Shell
It is currently only possible to create a CSR for a PLC certificate via the PLC shell of the device editor.
Important
When creating a CSR (Certificate Signing Request), the PLC adds all required X.509 extensions to the certificate signing request. As a result, a certification authority (CA) may add extensions, but may not omit the existing ones. If the extensions of the CSR are not present in the signed certificate, the PLC cannot use it.
The CA-signed certificate must therefore carry the following entries from the CSR: Key Usage, Extended Key Usage, Subject Alternative Name, each with the Critical flag. The following extensions must be included in the CSR: Key Usage, Extended Key Usage, Subject Alternative Name, each with the Critical flag.
First, generate a certificate request for all required certificates or components (CSR = Certificate Signing Request). These can also be client certificates (for example, for the OPC UA client). To do this, click the PLC Shell tab of the controller. In the input line, type the cert-createcsr command.
Syntax:
cert-createcsr [<number retrieved by "cert-getapplist">] [encoding=Base64 | ASN.1]
<number retrieved by "cert-getapplist">
Optional: Specify the number of a single component from the output of cert-getapplist. If not specified, certificates are generated for all components.
encoding=Base64 | ASN.1
Optional: Specify the export format (default setting: ASN.1).
ASN.1: Binary file format for certificates, CSRs, and asymmetric keys.
Base64: Textual representation of ASN.1 data, based on Base64 encoding.
Note
The file format may be prescribed by the CA. If you pass the matching encoding, the CSR is generated directly in the required format.
Otherwise, lossless conversion from one format to the other is also possible. For example, OpenSSL can be used to do this:
openssl req -in <file name> -inform <DER|PEM> -out <file name_new> -outform <PEM|DER>
DER corresponds to ASN.1; PEM corresponds to Base64.
Click the Log tab and then click the refresh button.
In the log entries, you can see that the CSR files were generated.
Click the Files tab and open the file path cert/export on the right side of the Runtime dialog. The export folder contains the generated CSR files.
Example: 0_CmpSecureChannel.csr, 1_CmpApp.csr, 2_CmpWebServer.csr
On the left side of the Host dialog, select the file path where you want to store the CSR files, mark the CSR files on the right side of the dialog, and click the transfer button.
The CSR files are copied to the selected folder.
These certificate requests can be signed by a certification authority (CA). As a result, you receive certificates signed by the certification authority.
In the steps that follow, you import these signed certificates into your controller.
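Because the PLC rejects a signed certificate that lacks any extension of its CSR (see the Important note at the top of this page), it is worth checking the CA's output before copying it to cert/import. The following script is an added example and not CODESYS code: it reads a CSR and a certificate in either of the two cert-createcsr encodings (ASN.1/DER or Base64/PEM), collects every X.509 extension with its Critical flag using a minimal DER reader from the standard library, and reports extensions the CA dropped or downgraded from critical. The sample CSR and certificates at the bottom are constructed skeletons (placeholder subject, key, signature and extension values); real files are passed as open(path, "rb").read().

```python
"""Added example (not CODESYS code): check that a CA-signed certificate kept the
X.509 extensions of the CSR it was issued from, critical flags included. Standard
library only; the sample CSR and certificates are constructed skeletons."""
import base64
import re

EXT_NAMES = {"2.5.29.15": "Key Usage", "2.5.29.37": "Extended Key Usage",
             "2.5.29.17": "Subject Alternative Name"}      # extensions the PLC requires

def tlv(tag, body):
    n = len(body)                                # DER tag-length-value, long form above 127
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p := p >> 7:
            enc.insert(0, 0x80 | (p & 0x7F))
        out.extend(enc)
    return tlv(0x06, bytes(out))

def extension(dotted, critical, value):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    body = encode_oid(dotted) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, value))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def collect_extensions(der):
    """Map extnID -> critical for every Extension in a CSR or certificate: descend
    every constructed node and recognise SEQUENCE { OID, [BOOLEAN], OCTET STRING }."""
    found = {}
    def walk(tag, value):
        if not tag & 0x20:                       # primitive element: nothing to descend into
            return
        kids, pos = [], 0
        while pos < len(value):
            t, v, pos = read_tlv(value, pos)
            kids.append((t, v))
        if tag == 0x30 and [t for t, _ in kids] in ([0x06, 0x04], [0x06, 0x01, 0x04]):
            found[decode_oid(kids[0][1])] = len(kids) == 3 and kids[1][1] == b"\xff"
            return
        for t, v in kids:
            walk(t, v)
    walk(*read_tlv(der, 0)[:2])
    return found

def load_der(data):
    """Accept either cert-createcsr encoding: ASN.1 (DER) bytes or Base64/PEM text."""
    if data[:1] == b"\x30":                      # a DER SEQUENCE starts with 0x30
        return data
    return base64.b64decode(b"".join(re.sub(rb"-----[^-]+-----", b"", data).split()))

def check_signed_certificate(csr, cert):
    """List what makes the PLC reject the certificate; an empty list means usable."""
    wanted, got = collect_extensions(load_der(csr)), collect_extensions(load_der(cert))
    problems = [f"CSR lacks required extension {n}" for o, n in EXT_NAMES.items() if o not in wanted]
    for o, critical in wanted.items():           # a CA may add extensions, never drop or downgrade one
        name = EXT_NAMES.get(o, o)
        if o not in got:
            problems.append(f"missing extension {name}")
        elif critical and not got[o]:
            problems.append(f"{name} is no longer marked critical")
    return problems

# constructed samples; extension values other than Key Usage are placeholders
_EXTS = [extension("2.5.29.15", True, b"\x03\x02\x05\xa0"),   # digitalSignature, keyEncipherment
         extension("2.5.29.37", True, b"\x30\x00"), extension("2.5.29.17", True, b"\x30\x00")]
SAMPLE_CSR = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, b"")
    + tlv(0xA0, tlv(0x30, encode_oid("1.2.840.113549.1.9.14")   # extensionRequest attribute
                    + tlv(0x31, tlv(0x30, b"".join(_EXTS)))))) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_CSR_PEM = b"-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(SAMPLE_CSR) + b"\n-----END CERTIFICATE REQUEST-----\n"

def _certificate(exts):
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

GOOD_CERT = _certificate(_EXTS + [extension("2.5.29.14", False, b"\x04\x00")])  # CA added Subject Key Identifier
BAD_CERT = _certificate([extension("2.5.29.15", False, b"\x03\x02\x05\xa0")])    # CA dropped EKU and SAN, KU not critical
```

check_signed_certificate(SAMPLE_CSR, GOOD_CERT) returns an empty list (an added Subject Key Identifier is allowed), while the BAD_CERT sample yields one line for Key Usage losing its Critical flag and one for each missing extension. The walker deliberately recognises extensions by their ASN.1 shape rather than by their position, so the same function handles the extensionRequest attribute of a CSR and the [3] extensions field of a certificate without a full X.509 parser.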
Note
After restarting the controller, the CA-signed certificates are used automatically.
Tip
Alternatively, you can also use the CODESYS Security Agent to transfer the certificates to the controller. For more information, see: CODESYS Security Agent
Select the path cert/import on the right side of the Runtime dialog. On the left side of the Host dialog, select the path in the file system where you saved the signed certificates, and select the certificates.
Click the transfer button.
The certificates are copied to the cert/import folder.
Click the PLC Shell tab.
Type the cert-import own <file name of the certificate.cer> command in the input line of the tab and press the Enter key.
The signed certificates are now available to the runtime servers.
Note
In the configuration file of the controller (for example, CODESYSControl.cfg), the name of the organization in the certificate of an OPC UA server can be set with the following entry:
[CmpOPCUAServer]
SECURITY.CompanyOrOrganizationName="<organization name>"
If the CODESYS Security Agent is installed, this setting can also be edited on the Communication Settings tab of the device editor.