Encrypting Boot Applications with Certificates

Aim: You want to encrypt the boot application with a certificate from the controller in order to make sure that it cannot be exchanged. To do this, a corresponding certificate must be created on the controller and installed in the Windows Certificate Store of your computer.

Requirement: The active path to the controller is configured. A digital signature for certificate exchange is configured. Refer to the standard CODESYS online help “Encryption and Signing with Certificates”.

  1. Open the Security-Screen view by double-clicking the [icon] symbol in the status bar or by clicking View ‣ Security-Screen.

  2. Click the button Refresh the list of available devices and their certificate store.

  3. Select the device entry on the left side.

  4. Select Encrypted Application on the right side and click the button Generate a new certificate on the device.

    The certificate is created and listed in the table with the [icon] symbol.

  5. Double-click the certificate entry.

    The default Windows Certificate dialog opens.

  6. Click the Install certificate button in the General tab.

    The Certificate import assistant opens.

  7. In the Certificate memory dialog, select the option Save all certificates in the following memory location, and then select the folder Controller Certificates as the Certificate memory.

    The controller certificate is imported to the directory Controller certificates and is now available for encryption of download, online change, and boot application.

  8. Follow the steps below if you want the boot application of your project, as well as downloads and online changes, to always be encrypted.

  9. Open the Users tab in the Security-Screen. Activate the option Force encryption of downloads, online changes, and boot applications in the Security-Level area.

  10. Open the Project tab and double-click the application entry in the area Encryption of boot application, download, and online change.

    The Properties dialog of the application opens.

  11. Select the Encryption tab and select Encryption with certificates as the Encryption technology. Then click the [icon] button. Note: If the option Force encryption of downloads, online changes, and boot applications is activated in the Security screen, then Encryption with certificates is already preselected.

  12. In the Certificate selection dialog, select the corresponding certificate from the Controller certificates folder and click the [icon] button.

  13. Click OK to confirm the dialog.

    The certificate is displayed in the properties dialog.

  14. Confirm the Properties dialog of the application.

    The certificate is displayed in the Security screen view (Project tab, Encryption of boot application, download, and online change): The boot application, download, and online change are encrypted.

  15. Transferring the boot application, downloads, and online changes is now possible, as long as the certificate configured for it and the signature are valid.
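
To check the certificate part of that last condition on the engineering PC, the following PowerShell script (an added example, not part of the CODESYS documentation) looks up the imported controller certificate by thumbprint in the Windows certificate stores and reports the store it was found in and whether it is inside its validity period. The thumbprint is a placeholder to be copied from the Details tab of the Windows Certificate dialog, and the 30-day warning threshold is an assumption.

```powershell
# Added example: confirm that the controller certificate imported in step 7
# is present in a Windows certificate store and is currently valid.
param(
    # Placeholder: copy the thumbprint from the Windows Certificate dialog.
    [string]$Thumbprint = '<THUMBPRINT-FROM-CERTIFICATE-DIALOG>',
    # Assumed warning threshold in days; adjust to your renewal process.
    [int]$WarnDays = 30
)

# The dialog may show the thumbprint with spaces or in lowercase.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($wanted.Length -ne 40) {
    throw 'Supply the 40-digit hexadecimal (SHA-1) certificate thumbprint.'
}

# Search every store of the current user and the local machine, so the
# internal name of the "Controller Certificates" store need not be known.
$hits = Get-ChildItem -Path Cert:\CurrentUser, Cert:\LocalMachine -Recurse `
            -ErrorAction SilentlyContinue |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Thumbprint -eq $wanted
    }

if (-not $hits) {
    Write-Warning "Certificate $wanted was not found in any store; repeat the import."
    exit 1
}

$now = Get-Date
foreach ($cert in $hits) {
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    if     ($now -lt $cert.NotBefore) { $state = 'NOT YET VALID' }
    elseif ($now -gt $cert.NotAfter)  { $state = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays)  { $state = 'EXPIRING SOON' }
    else                              { $state = 'VALID' }

    [pscustomobject]@{
        Store     = ($cert.PSParentPath -split '::')[-1]  # e.g. CurrentUser\<store>
        Subject   = $cert.Subject
        NotBefore = $cert.NotBefore
        NotAfter  = $cert.NotAfter
        DaysLeft  = $daysLeft
        State     = $state
    }
}
```

The script checks only the certificate's presence and validity dates; the signature configured for certificate exchange is not examined.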
