Encryption of the Boot Application, Download, and Online Change

Aim: You want to encrypt boot applications, downloads, and online changes with a certificate so that the application on the controller cannot be exchanged at will. To do this, download a certificate of the type "Encrypted Application" from the controller and install it in the "Windows Certificate Store" of your computer. Every development environment that needs to make changes to the application on the controller requires this certificate. For example, if the application has to be downloaded from another computer, then the certificate also has to exist on that computer.

Encrypting the boot application, download, and online change with the encryption wizard

Requirement: The active path to the controller is configured.

  1. Open the Properties dialog of the application.

  2. Click the Encryption tab. Set Encryption Technology to Encryption with certificates.

    ⇒ The Encryption Wizard button is available in the Certificates field.

  3. Click the Encryption Wizard button.

    ⇒ The Encryption Wizard dialog opens. The status is Not connected, and Details shows Ready.

  4. Click the Start button.

    ⇒ The wizard searches for suitable certificates on the controller. If necessary, the controller creates a new certificate which is registered in the Certificate Store of your computer.

    NOTE: A certificate obtained this way is automatically accepted as trusted.

    If a certificate for application encryption already exists on the controller, then it is used.

    If a new certificate has to be created on the controller for your CODESYS, then the Certificate Settings dialog opens for configuring the key length for the private key and the validity period.

  5. In the Certificate Settings dialog, click OK to confirm the default or edited values for key length and validity period.

    ⇒ CODESYS saves the values in the CODESYS options as the default for the next certificate configuration of this kind.

    In the Details of the wizard, you see a description of the performed actions and the thumbprint of the recently created certificate.

  6. When the status reaches Wizard finished, close the wizard.

    ⇒ The new certificate is listed in the Certificates field of the properties dialog. In the Certificate Store, it is listed under Controller Certificates. In the Security Screen view, on the Devices tab, the certificate is displayed in the right window with the Encrypted Application information.

  7. Confirm the Properties dialog of the application.

  8. Open the Security Screen view.

    ⇒ On the Project tab, in the Encryption of boot application, download and online change group, the certificate is displayed with the Encrypted Application information.

    Boot application, download, and online change are therefore encrypted and only possible as long as the configured certificate and signature are valid.
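
A check that fits the note in step 4, as an added example that is not part of the CODESYS documentation: because a certificate obtained through the wizard is trusted automatically, compare its thumbprint with the value shown in the wizard's Details and confirm the key length and validity period. It assumes that value is the same SHA-1 thumbprint Windows reports; the function name, thresholds and sample certificate are constructed for illustration.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not CODESYS code. Thresholds are assumed site policy.
function Test-ControllerCertificate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,  # recorded from the wizard's Details
        [int]$MinKeyBits = 2048,
        [int]$WarnDays   = 30
    )
    # Thumbprints are often copied with spaces or colons; compare hex digits only.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $actual   = $Certificate.Thumbprint.ToUpperInvariant()

    # RSA key size; $null for non-RSA keys, which then fail the length check.
    $rsa  = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $bits = if ($rsa) { $rsa.KeySize } else { $null }

    $now      = Get-Date
    $daysLeft = [math]::Floor(($Certificate.NotAfter - $now).TotalDays)

    [pscustomobject]@{
        Subject           = $Certificate.Subject
        ThumbprintMatches = ($expected.Length -gt 0) -and ($actual -eq $expected)
        InValidityPeriod  = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        DaysRemaining     = $daysLeft
        ExpiresSoon       = $daysLeft -lt $WarnDays
        KeyBits           = $bits
        KeyLengthOk       = ($null -ne $bits) -and ($bits -ge $MinKeyBits)
    }
}

# Constructed sample: an in-memory self-signed certificate stands in for the controller's.
# (Needs .NET Framework 4.7.2+ or PowerShell 7; nothing is written to a certificate store.)
$key  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Constructed Sample Controller', $key,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$demo = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(20))

# Thumbprint as an operator might have noted it: lower case, colon-separated.
$noted = ($demo.Thumbprint -replace '(..)(?!$)', '$1:').ToLowerInvariant()
Test-ControllerCertificate -Certificate $demo -ExpectedThumbprint $noted | Format-List

# For a real check, load the exported file instead (hypothetical path):
# $cert = [X509Certificate2]::new('C:\temp\controller-encrypted-app.cer')
```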

Encrypting the boot application, download, and online change without the encryption wizard

Requirement: The active path to the controller is configured. There is still no certificate on the controller that is suitable and valid for encryption.

  1. Open the Security Screen view by double-clicking the symbol in the status bar or by clicking View ‣ Security Screen. Open the Devices tab.

  2. Click the Refresh the list of available devices and their certificate stores button.

  3. Select the device listed on the left side.

  4. Select Encrypted Application on the right side and click the Create a new certificate on the device button.

    ⇒ The certificate is created and listed in the table with the symbol.

  5. Double-click the certificate entry.

    ⇒ The Windows Certificate default dialog opens.

  6. Click the Install certificate button on the General tab.

    ⇒ The Certificate Import Wizard opens.

  7. In the Certificate Store dialog, select the Place all certificates in the following store option and select the Controller Certificates folder for Certificate Store.

    ⇒ The controller certificate is imported to the Controller Certificates directory and it is immediately available for the encryption of downloads, online changes, and boot applications.

  8. Open the Project tab and double-click the application entry in the Encryption of boot application, download and online change group.

    ⇒ The Properties dialog of the application opens.

  9. Click the Encryption tab and set Encryption Technology to Encryption with certificates. Then click .

    NOTE: If the Enforce encryption of downloads, online changes and boot applications option is selected in the Security Screen, then Encryption with certificates is already preset.

  10. In the Certificate Selection dialog, select the corresponding certificate from the Controller Certificates folder and click .

  11. Click OK to confirm the dialog.

    ⇒ The certificate is displayed in the properties dialog.

  12. Continue with steps 7 and 8 of the wizard procedure above.

Enforcing the encryption of boot applications, downloads, and online changes

  1. Open the Users tab in the Security Screen. In the Security level group, select the Enforce encryption of downloads, online changes and boot applications option.

    ⇒ Only with a valid certificate is it possible to change the application on the controller.

See also

  • CODESYS Help: "Security-Screen"