View: Security Screen – Devices

Symbol:

Function: On this tab, you configure controller certificates for encrypted communication with the controller and transfer them between the PC and the controller.

Call: View menu

Requirement: The CODESYS Security Agent add-on product is installed.

For more information, see: Security for the Runtime

The Devices tab shows all PLC devices configured in the project together with their certificate stores. If the communication path to a controller is configured, you see the certificates stored on that controller. Here you can create and configure new certificates on the controller. If a certificate that is currently in use is about to expire, you get a warning when you log in to the device, and from there you can switch directly to the Security Screen to renew the certificate.

Left side: Information

Devices and certificate store

Shows the individual devices as expandable nodes, each with the controller-specific certificate store below it.

For example, there are the following categories for CODESYS Control Win V3:

  • Own certificates: certificates for which the controller also holds the private key; only these can be used by the controller to identify itself

  • Trusted certificates: certificates from a source you have classified as trusted

  • Untrusted certificates: certificates that you have explicitly classified as not trusted

  • Certificates in quarantine: certificates that do not fulfill the criteria of any of the categories above

Toolbar (left side)

: Refresh the display

: Select a certificate and transfer it from the PC to the PLC (download). The default dialog for selecting a file from the local file system opens. File type: *.cer, *.crt, *.der. The certificate is stored on the PLC in the Untrusted Certificates store. It is not trusted by the controller until you move it to the Trusted Certificates store (see Drag & drop below); compare its thumbprint with the value you expect before doing so.

As of CODESYS Control Version 3.5.18.0, this is also possible for the Own Certificates category: import of a PKCS#12 container file (certificate + private key), file type: *.p12, *.pfx. After you select the container file from the file system, the Import Certificate Container dialog opens, where you have to enter the password that was assigned when the file was created. By default, this container cannot be exported from the PLC again afterwards. If you want to allow this, enable the option The container may be re-exported from the device. Leave the option disabled unless you really need to move the key to another controller: as long as it is disabled, the private key can no longer leave the device via the Security Screen.

Right side:

Information

If the active path to the controller is set and a device node is selected, then every use case for controller certificates is displayed on the right side.

  • OPC UA Server: Encrypted communication over an OPC UA Server

  • Encrypted Communication: Encrypted communication between the development system and the controller

  • Encrypted Communication: Encryption of the boot application

  • Web server: Encrypted communication with the web server

As long as a certificate is not available for one of these use cases, it is displayed with the icon as (not available).

When a certificate store is selected on the left side, all certificates in it are displayed on the right side with the following information:

Information: Use case; currently the controller component in question is displayed (example: CmpSecureChannel)

Created for: Subject of the certificate, i.e. the name of the computer for which the certificate was created (example: MyLocalPC)

Created by: Issuer of the certificate, i.e. the name of the computer on which the certificate was created (example: MyLocalPC). If the issuer is identical to the subject, the certificate is self-signed.

Valid as of: Date (example: 07/20/2017 15:09:29)

Valid until: Date (example: 07/20/2022 00:00:00). Depending on the remaining validity of the certificate, the highlight color of the field changes: green -> yellow (two-thirds of the validity period used) -> orange (nine-tenths used) -> red (expired). Note: When logging in to the controller, you get a warning as soon as two-thirds or more of the validity period have elapsed. You can then renew the certificate here in the Security Screen.

Thumbprint: Hash value computed over the certificate, used to identify it unambiguously (example: 279e1a46b86bd636c8e6f19fd51c222469ec49a8; the 40 hexadecimal digits correspond to a 160-bit SHA-1 value). Compare this value with the thumbprint you expect before you classify a certificate as trusted.

Double-clicking a certificate entry opens the default Windows Certificate dialog. From this dialog, you can import a controller certificate into the Windows Certificate Store, into the Controller Certificates folder, so that it is available on the development system for the encryption of boot applications, downloads, and online changes.

If multiple certificates are available for one use case, the system determines the certificate that is actually used as follows:

  • A certificate that was created directly by the user for this use case (currently not supported)

  • Filtering of the existing certificates by:

    • Subject (user of the certificate)

    • Key usage

    • Extended key usage

    • Validity period covering the current time

  • Division of the remaining valid certificates into "signed" and "self-signed"

  • Selection within the signed certificates, and within the self-signed certificates, by the following criteria:

    • Longest validity period

    • Strongest key

Because renewing a certificate adds a new certificate without deleting the old one, check after renewal which certificate the controller actually selected.
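The selection procedure and the validity highlighting described above, worked through as an added Python example. This is not CODESYS code: the certificate records are constructed stand-ins for entries of a controller's certificate store, "subject equals issuer" is used as a simplified test for self-signed, and the preference for a CA-signed certificate over a self-signed one when both qualify is an assumption not stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, Optional


# Constructed records standing in for entries of a controller's certificate
# store. Field names follow the Security Screen columns; key_bits stands in
# for "strongest key". These are not real certificates.
@dataclass(frozen=True)
class CertRecord:
    thumbprint: str            # identifier shown in the Thumbprint column
    subject: str               # "Created for"
    issuer: str                # "Created by"
    key_usage: FrozenSet[str]
    ext_key_usage: FrozenSet[str]
    not_before: datetime       # "Valid as of"
    not_after: datetime        # "Valid until"
    key_bits: int

    @property
    def self_signed(self) -> bool:
        # Simplification: subject == issuer. A strict check would verify the
        # signature against the certificate's own public key.
        return self.subject == self.issuer

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def validity_state(cert: CertRecord, now: datetime) -> str:
    """Highlight colour of the 'Valid until' field: green, yellow (two-thirds
    of the validity period used), orange (nine-tenths), red (expired)."""
    total = cert.lifetime.total_seconds()
    used = (now - cert.not_before).total_seconds()
    if used >= total:
        return "red"
    fraction = used / total
    if fraction >= 0.9:
        return "orange"
    if fraction >= 2 / 3:
        return "yellow"
    return "green"


def select_certificate(store: Iterable[CertRecord], subject: str,
                       key_usage: FrozenSet[str], ext_key_usage: FrozenSet[str],
                       now: datetime) -> Optional[CertRecord]:
    """Pick the certificate a use case would use: filter by subject, key usage,
    extended key usage and validity; split into signed and self-signed; then
    take the longest validity period, with key size as tie-breaker.
    Assumption: CA-signed certificates win over self-signed ones."""
    candidates = [
        c for c in store
        if c.subject == subject
        and key_usage <= c.key_usage           # all required KU bits present
        and ext_key_usage <= c.ext_key_usage   # all required EKU values present
        and c.not_before <= now < c.not_after  # valid right now (not expired,
    ]                                          # not "not yet valid")
    if not candidates:
        return None
    signed = [c for c in candidates if not c.self_signed]
    pool = signed or [c for c in candidates if c.self_signed]
    # Tuple key: longest validity period first, strongest key breaks ties.
    return max(pool, key=lambda c: (c.lifetime, c.key_bits))


# Constructed sample store, evaluated at a fixed point in time.
NOW = datetime(2024, 3, 1, 12, 0, 0)
SERVER_KU = frozenset({"digitalSignature", "keyEncipherment"})
SERVER_EKU = frozenset({"serverAuth"})


def _cert(tp, subject, issuer, nb, na, bits):
    return CertRecord(tp, subject, issuer, SERVER_KU, SERVER_EKU, nb, na, bits)


CERT_EXPIRED = _cert("a1", "MyPLC", "MyPLC", datetime(2017, 7, 20), datetime(2022, 7, 20), 2048)
CERT_YELLOW = _cert("b2", "MyPLC", "MyPLC", datetime(2022, 9, 1), datetime(2024, 9, 1), 2048)
CERT_ORANGE = _cert("c3", "MyPLC", "MyPLC", datetime(2023, 3, 1), datetime(2024, 4, 1), 2048)
CERT_LONG = _cert("d4", "MyPLC", "MyPLC", datetime(2023, 6, 1), datetime(2028, 6, 1), 2048)
CERT_CA = _cert("e5", "MyPLC", "Plant-CA", datetime(2023, 9, 1), datetime(2024, 9, 1), 4096)
CERT_OTHER = _cert("f6", "OtherPLC", "Plant-CA", datetime(2023, 9, 1), datetime(2026, 9, 1), 4096)

SELF_SIGNED_STORE = [CERT_EXPIRED, CERT_YELLOW, CERT_ORANGE, CERT_LONG, CERT_OTHER]
MIXED_STORE = SELF_SIGNED_STORE + [CERT_CA]

if __name__ == "__main__":
    for c in MIXED_STORE:
        print(c.thumbprint, validity_state(c, NOW))
    chosen = select_certificate(MIXED_STORE, "MyPLC", SERVER_KU, SERVER_EKU, NOW)
    print("in use:", chosen.thumbprint if chosen else None)
```

Run against the mixed store, the CA-signed certificate e5 is selected even though the self-signed d4 is valid for much longer; without e5, d4 wins over the shorter-lived self-signed entries. The expired certificate a1 and the certificate issued for a different subject f6 never qualify, and a use case requiring an extended key usage that no certificate carries gets no certificate at all, which is what the Security Screen shows as "(not available)".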

Drag & drop: Moves the certificate to another certificate store of the same device (for example, from Untrusted Certificates to Trusted Certificates after you have checked its thumbprint)

Double-clicking a certificate entry opens the default Windows dialog for displaying all certificate information.

Toolbar (right side)

: Creates a new certificate for a specific use case

The Certificate Settings dialog opens for configuring the Validity period of the certificate and the Key length for the private key. Clicking OK saves the specified values in the CODESYS options. The values are reset at the next operation.

As long as the certificate is being created, "(computing)" is displayed after the use case. You cannot cancel the create operation, but you can close the Security Screen and continue working.

: Delete the selected certificate.

: Upload selected certificate from the device and save on the PC.

For CODESYS Control in Version 3.5.18.0 and higher, you can export PKCS#12 container files (certificate + private key) from the controller if re-export has been permitted for the container. In this case, select a name, location, and file type (*.p12 or *.pfx) for the container file to be created in the local file system. The Export Certificate Container dialog opens, where you specify a password for the container file; this password is the only protection of the private key while the file is outside the controller, so choose a strong one. Such a container can then be imported, for example, into the Own Certificates category on another controller (see above: toolbar on the left).

: Details about the selected certificate: Opens the Certificate dialog with the General tab, Details tab, and Certification Path tab.

: Renew the selected certificate. Opens the Certificate Settings dialog to create an additional new certificate, with the same purpose and the specified key length, for a certificate that will expire soon. The predefined values in the dialog are adapted, if necessary, depending on the selected certificate. The old certificate is not removed by this; the controller picks between the old and the new certificate according to the selection rules described above, and the new certificate has a new key pair and therefore a new thumbprint. Distribute the new certificate to the peers that trust the controller by its certificate (for example OPC UA clients) before you delete the old one.