Renewing a Certificate

If the controller's certificate for encrypted communication has expired (its validity period runs from "not before" until "not after"), CODESYS prompts you with a corresponding message when you attempt to access the controller. To renew the certificate, you can, for example, accept the expired certificate again and use it to connect to the controller.

Tip

Clients other than CODESYS that communicate with the controller over an encrypted connection (for example, PLCHandler) will typically not accept an expired certificate. In that case, a connection is no longer possible.

Tip

Certificates are displayed in different colors on the Security Screen depending on the remaining time.

The behavior of the application after the expiration of an X.509 certificate depends on how it is used:

  1. Communication: CODESYS Development System – PLC:

    When the certificate in the runtime system expires, a new self-signed certificate is automatically generated. As a result, communication with the controller is always secure and encrypted, so that you can, for example, update this certificate or other certificates later.

  2. Signed and encrypted boot project:

    These certificates remain valid even after expiration. The requirement for this is that the certificate was valid at the time of signing or encryption.

  3. WebServer and OPC UA server:

    After the certificate has expired, the operation of these servers is halted. Therefore, the certificate must be renewed before it expires in order to guarantee continuous operation. For more information, see below: Renewing the certificate before it expires
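The three cases above can be turned into an expiry check over a certificate inventory. The following is an added example, not CODESYS code: the category names, the 30-day warning threshold and the sample inventory are assumptions, and the validity strings use the format printed by `openssl x509 -noout -dates`.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Use categories follow the page's list; the names are hypothetical.
COMMUNICATION, BOOT_PROJECT, SERVER = "communication", "boot_project", "server"

def parse_time(text):
    """Parse an OpenSSL-style time such as 'Jun  1 12:00:00 2025 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def assess(usage, not_before, not_after, now, signed_at=None, warn_days=30):
    """Return (status, note) for one certificate, depending on how it is used.

    warn_days is an assumed threshold, not a CODESYS value.
    """
    start, end = parse_time(not_before), parse_time(not_after)
    if usage == BOOT_PROJECT:
        # Expiry alone is harmless here: what counts is validity when signing.
        if signed_at is None:
            return "unknown", "signing time needed to judge a boot project certificate"
        if start <= signed_at <= end:
            return "ok", "valid at signing time; stays valid after expiration"
        return "invalid", "certificate was not valid at signing time"
    if now < start:
        return "not_yet_valid", "current time is before 'not before'"
    if now > end:
        if usage == SERVER:
            return "expired", "WebServer/OPC UA server operation is halted"
        return "expired", "runtime generates a new self-signed certificate to accept"
    if end - now <= timedelta(days=warn_days):
        return "renew", f"{(end - now).days} days left; create a new certificate now"
    return "ok", f"{(end - now).days} days left"

# Constructed sample inventory (not from a real controller).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    (SERVER, "Jun 10 00:00:00 2024 GMT", "Jun 10 00:00:00 2025 GMT", None),
    (SERVER, "Jan  1 00:00:00 2024 GMT", "Jan  1 00:00:00 2025 GMT", None),
    (COMMUNICATION, "Jan  1 00:00:00 2025 GMT", "Jan  1 00:00:00 2026 GMT", None),
    (BOOT_PROJECT, "Jan  1 00:00:00 2023 GMT", "Jan  1 00:00:00 2024 GMT",
     datetime(2023, 6, 1, tzinfo=timezone.utc)),
]

def report(now=NOW):
    return [assess(u, nb, na, now, signed_at=s)[0] for u, nb, na, s in INVENTORY]

if __name__ == "__main__":
    for row, status in zip(INVENTORY, report()):
        print(row[0], row[2], "->", status)
```

The last inventory entry is already past its "not after" date at the sample time but is still reported as `ok`, because it was valid when the boot project was signed.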

If you have created or imported a new certificate on the controller, then this new certificate will be available for you to accept the next time you log in.

For more information, see: Encrypting Communication with a Certificate and Changing the Security Policy

Renewing the certificate before it expires

You can generate a new certificate before the existing certificate expires so that encrypted communication can continue seamlessly.

The Security Screen of CODESYS Security Agent lets you create a new certificate on the Devices tab. As soon as a new certificate is available on the controller alongside the one currently in use, the controller offers the new certificate at the next login attempt. All you need to do is accept it.

For instructions, see: Encrypted Communication with Devices via Controller Certificates

If no CODESYS Security Agent is available: Installing a controller certificate for encrypted communication via the PLC shell of the device editor