Encrypted Communication with Devices via Controller Certificates

Requirement: A digital signature for certificate exchange is configured. Refer to the standard CODESYS online help “Encryption and Signing with Certificates”.

We assume that the controller does not yet have a certificate intended for encrypted communication. With the following steps, you generate such a certificate and encrypt the communication:

  1. Configure the active path to the controlling device.

  2. Open the Security-Screen view by double-clicking the corresponding symbol in the status bar or by clicking View ‣ Security-Screen.

  3. Click the update button to refresh the list of available devices and their certificate stores.

  4. Select the corresponding device entry on the left side.

    On the right side, there is still no license entry for the Encrypted Communication use case.

  5. Select Encrypted Communication on the right side and click the button for generating a new certificate on the device.

    The certificate is generated and displayed in the table with its properties. The symbol in front of Encrypted Communication changes to indicate that a certificate now exists.

  6. In this step, you activate encrypted communication with the controller:

    Open the Security-Screen view from CODESYS (Users tab). Activate the option Force encrypted communication (Security level).

    From now on, communication with any controller is possible only as long as the certificate on that controller is valid and you have a key for it.

    The connecting line between the development system, the gateway, and the controller is displayed in yellow in the Communication tab of the device editor of the controller.

    As an alternative to the option Force encrypted communication that was just described and applies to all controllers, you can also encrypt communication with a specific controller only. To do this, open the Communication tab in the device editor of the controller. In the drop-down list Device, click Encrypted communication.

  7. Then log in again to the controller.

    A dialog opens, reporting that the certificate of the controller is not signed by a trusted source. The dialog also displays information about the certificate and asks whether to install it as a trusted certificate in the local store, in the “Controller certificates” folder.

  8. Confirm the dialog.

    The certificate is installed in the local store and you are logged in to the controller.

    From then on, communication with the controller is automatically encrypted with this controller certificate.
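The trust decision made in steps 7 and 8 (an unsigned controller certificate is rejected until the operator inspects it and installs it in the local store) can be reproduced with the OpenSSL command line. The following is an added example, not code from the CODESYS help; the store folder, the subject name and the self-signed certificate are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the CODESYS help): the controller certificate is
# self-signed, so it verifies only after it has been installed in the store.
set -eu

# Returns 0 if CERT chains to an anchor in STORE (a folder of *.crt files,
# standing in for the "Controller certificates" folder), 1 otherwise.
controller_cert_trusted() {
  store="$1"; cert="$2"; bundle="$(mktemp)"
  set -- "$store"/*.crt
  [ -e "$1" ] || { rm -f "$bundle"; return 1; }   # empty store: nothing trusted
  cat "$@" > "$bundle"
  if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    rm -f "$bundle"; return 0
  fi
  rm -f "$bundle"; return 1
}

# SHA-256 fingerprint as shown in the dialog of step 7; compare it with the
# value read from the controller itself before confirming.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 while the certificate is within its validity period (step 6:
# communication works only as long as the certificate is valid).
cert_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Installs CERT into STORE only if its fingerprint matches EXPECTED and it is
# still valid; this is the check behind "Confirm the dialog" in step 8.
install_controller_cert() {
  store="$1"; cert="$2"; expected="$3"
  [ "$(cert_fingerprint "$cert")" = "$expected" ] || return 1
  cert_valid_now "$cert" || return 1
  cp "$cert" "$store/$(echo "$expected" | tr -d ':').crt"
}

# Demonstration on a constructed, self-signed "controller" certificate.
WORK="$(mktemp -d)"; mkdir -p "$WORK/store"
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -days 365 -subj "/CN=example-controller" \
  -keyout "$WORK/controller.key" -out "$WORK/controller.crt" 2>/dev/null
controller_cert_trusted "$WORK/store" "$WORK/controller.crt" || echo "not yet trusted"
FP="$(cert_fingerprint "$WORK/controller.crt")"; echo "fingerprint: $FP"
install_controller_cert "$WORK/store" "$WORK/controller.crt" "$FP"
controller_cert_trusted "$WORK/store" "$WORK/controller.crt" && echo "trusted"
```

A certificate whose fingerprint does not match the expected value is never copied into the store, which is the same outcome as cancelling the dialog in step 8.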
