Encrypting an Application

You achieve know-how protection and copy protection for a boot application with the help of PLC-specific license management and its settings in the object properties of the application. In this case, the download code and the boot application are encrypted.

Encryption with a dongle

Requirements: You have a project with an application that you want to download to the PLC as an encrypted boot application. A security key for license management is connected to your computer.

  1. Select the application in the device tree.

  2. Click Properties in the context menu.

    ⇒ The Properties - <application name> dialog opens.

  3. Select the Encryption tab.

  4. For Encryption Technology, select the Simple Encryption option and type the Product Code that you received from the hardware manufacturer of the PLC. Depending on the PLC, the license is bound to a security key (the firm code is shown automatically) or, for example, to an integrated Wibu SD card.

  5. Click Online ‣ Login and download the application.

    ⇒ If the matching security key and/or valid license is available, then you can download the application to the PLC. By default, a boot application is automatically created at this time in the PLC directory. The default setting is defined in the application Properties, Boot application tab.

  6. Logout, change the application, and login again.

    ⇒ You are prompted to perform an online change. The dialog provides the option of updating the boot application on the PLC. If the security key and license match, then you can log in. If not, then you receive a corresponding message.

Encrypting with certificates

Requirements: You have a project with an application that you want to download to the PLC as an encrypted boot application. In the Windows Certificate Store of your computer, you have a certificate for encrypting the application.

  1. Select the application in the device tree.

  2. Select the Properties command in the context menu.

    ⇒ The Properties - <application name> dialog opens.

  3. Select the Encryption tab.

  4. On Encryption Technology, select the Encryption with certificates option.

    ⇒ The Certificates group is enabled.

  5. If there are not any certificates listed in the table, then click the button.

    ⇒ The Certificate Selection dialog opens for selecting a certificate from the local Windows Certificate Store.

  6. In the lower area, select a certificate and add it to the upper area by clicking the button. Click OK to confirm.

    ⇒ The certificate is shown in the Certificates group of the Encryption dialog.

  7. Select the certificate and click Apply or OK.

    ⇒ The certificate is now used to encrypt the application. The application can only be transferred to the controller from computers that have the corresponding private key installed in the Windows Certificate Store.

Signing a boot application

  1. Open the Security Screen view by means of the button in the status bar of CODESYS. Select a certificate with a private key for the Digital signature in a user profile. The procedure is described in the instructions “Configuring a certificate for the digital signature in a user profile”.

  2. Double-click the certificate for the Digital signature in the User tab.

    ⇒ The Certificate dialog opens.

  3. Select the Copy to file button in the Details tab.

    ⇒ The Certificate Export Wizard opens.

  4. In the Export Private Key prompt, select the No, do not export the private key option.

  5. For Export File Format, select the DER encoded binary X.509 (.CER) option.

  6. In the next step, select a file name and the location for the certificate.

  7. After the last step Finish, a message appears that the export was successful.

  8. After the successful export, in CODESYS open the device editor by double-clicking the controller in the device tree and select the Files tab for the file transfer.

  9. On the right side of the dialog for Runtime, select cert/import as the Path.

  10. On the left side of the dialog for Host, select the path in the file system where you saved the exported certificate and select the certificate.

  11. Click .

    ⇒ The certificate is copied to the cert/import folder.

  12. Click the PLC Shell tab.

  13. Type the command cert-import trusted <file name of the certificate.cer> in the input line of the tab and press the Enter key. Please note that the file name is specified with the extension .cer; otherwise the certificate is not imported successfully.

    ⇒ The certificate is stored on the controller in the trusted store. With this certificate, the controller can verify the integrity and origin of the boot application.

  14. Open the Security Screen by double-clicking in the status bar.

  15. If you want downloads, online changes, and boot applications of your project to always be signed, then enable the Enforce signing of downloads, online changes and boot applications option in the User tab in the Security level group. For this, the Enforce encryption of downloads, online changes and boot applications option also has to be enabled.

Encrypting the download, online change, and boot application

Requirement: The CODESYS Security Agent add-on product is installed.

The Security Screen view then provides an additional tab: Devices. It is used to configure the certificates for encrypted communication with controllers. For this, refer to the help for CODESYS Security Agent.

Alternatives:

If the CODESYS Security Agent is not available to you, then you can proceed as follows by means of the PLC Shell of the device editor:

In order to use certificates on the controller for the encryption of downloads, online changes, and boot applications, these certificates first have to be generated on the controller, downloaded from the controller, and installed in the Windows Certificate Store.

Requirement: You are connected to a controller.

  1. Open the device editor by double-clicking the controller in the device tree, and select the PLC Shell tab.

    ⇒ The tab appears with a blank display window. Below that is a command line.

  2. Type ? in the command line and press the Enter key.

    ⇒ All commands are listed in the display window.

  3. Type the following command in the command line: cert-getapplist.

    ⇒ All certificate uses are listed, each with the component that uses it and whether a certificate is available for it.

  4. If no certificate is available for the CmpApp component, then type the command cert-genselfsigned <Number of the Component in the applist>.

  5. Click the Log tab and then the refresh button.

    ⇒ The display shows whether or not the certificate was generated successfully.

  6. Type in cert-getcertlist and press the Enter key.

    ⇒ Your own certificates are listed that can be used for encryption. The information Number and Key usage(s) are useful in the next step.

    Number: The number is specified as a parameter in the next step.

    Key usage(s): Data encryption means that this is a certificate of the controller for a download, online change, and boot application.

  7. Export the required certificate by typing the command cert-export own 0 and pressing the Enter key. 0 is the Number of the certificate with Key usage(s): Data encryption.

    ⇒ The display shows that the certificate has been exported to a cert directory.

  8. Click the Files tab of the device editor.

  9. Click the refresh button in the right part of the dialog in Runtime.

    ⇒ The list of files and directories is refreshed.

  10. Open the cert folder in the list and then the export subfolder.

  11. In the left part of the dialog in Host, open the directory to which the controller certificate is to be downloaded.

  12. In the right part of the dialog, select the certificate that you have exported and click .

    ⇒ The certificate is copied to the selected directory.

  13. In the file explorer, go to the directory where the certificate was copied and double-click the certificate.

    ⇒ The Certificate dialog opens and shows the information about this certificate.

  14. Click the Install certificate button in the General tab.

    ⇒ The Certificate Import Wizard opens.

  15. In the Certificate Import Wizard dialog, Certificate Store prompt, select the Place all certificates in the following store option and select the Controller Certificates folder.

    ⇒ The controller certificate is imported into the Controller Certificates store and is now available for the encryption of downloads, online changes, and boot applications.

  16. Open the Security Screen by double-clicking in the status bar.

  17. If you want downloads, online changes, and boot applications of your project to always be encrypted, then enable the Enforce encryption of downloads, online changes and boot applications option in the User tab in the Security level group.

  18. Open the Project tab and double-click the application in the area Encryption of boot application, download and online change.

    ⇒ The properties dialog of the application opens.

  19. Click the Encryption tab, select Encryption with certificates in the Encryption technology drop-down list, and click .

    If the Enforce encryption of downloads, online changes and boot applications option is enabled in the Security Screen, then Encryption with certificates is already selected.

  20. In the Certificate Selection dialog, select the corresponding certificate from the Controller Certificates folder and click .

  21. Click OK to confirm the dialog.

    ⇒ The certificate is displayed in the properties dialog.

  22. Confirm the properties dialog of the application.

    ⇒ The certificate is shown on the Project tab of the Security Screen in the Encryption of boot application, download and online change group.

    The boot application, download, and online change are encrypted.
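The two Windows-side certificate steps of this page, exporting the signing certificate as a DER .cer without its private key (steps 2 to 7 of "Signing a boot application") and checking and installing the controller certificate obtained with cert-export own (steps 13 to 15 above), can also be done from PowerShell. The following script is an added example and is not part of the CODESYS documentation or product. It assumes that the user-profile signing certificate lives in Cert:\CurrentUser\My and is identified by a placeholder thumbprint, that the Files tab copied the controller certificate to C:\plc-certs\plc.cer, and that the "Controller Certificates" folder shown by the Certificate Import Wizard is a custom store of that name under CurrentUser; all three are assumptions, not facts from the page.

```powershell
# Added example, not CODESYS code. Assumptions: signing certificate in
# Cert:\CurrentUser\My (placeholder thumbprint), controller certificate at
# C:\plc-certs\plc.cer, custom CurrentUser store named "Controller Certificates".
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# --- Part 1: export the signing certificate, public part only ---
# The controller verifies signatures with the public certificate; Export-Certificate
# never writes a private key (only Export-PfxCertificate would), which matches the
# wizard choice "No, do not export the private key".
$signingThumbprint = 'REPLACE_WITH_THUMBPRINT'   # assumption: placeholder value
$signingCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $signingThumbprint }
if (-not $signingCert) { throw "Signing certificate $signingThumbprint not found in Cert:\CurrentUser\My" }
if (-not $signingCert.HasPrivateKey) {
    throw "Certificate has no private key, so it cannot be the digital-signature certificate of a user profile"
}
# -Type CERT writes DER encoded binary X.509; cert-import expects the .cer extension.
$exportPath = Join-Path $env:TEMP 'codesys-signing.cer'
Export-Certificate -Cert $signingCert -FilePath $exportPath -Type CERT | Out-Null
# Sanity check: the file parses as a certificate and carries no private key.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($exportPath)
if ($reloaded.HasPrivateKey) { throw "Export unexpectedly contains a private key" }
Write-Host "Exported $($reloaded.Subject) to $exportPath; copy it to cert/import and run: cert-import trusted codesys-signing.cer"

# --- Part 2: check and install the controller certificate from cert-export own ---
$plcCertPath = 'C:\plc-certs\plc.cer'   # assumption: target directory chosen in the Files tab
$plcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($plcCertPath)

# The download-encryption certificate is the one listed with "Data encryption"
# (X.509 keyUsage dataEncipherment). Refuse anything else, e.g. a TLS server certificate.
$kuExt = $plcCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
if (-not $kuExt -or -not ($kuExt.KeyUsages -band $flags::DataEncipherment)) {
    throw "Certificate $($plcCert.Subject) lacks the DataEncipherment key usage; export the one listed with 'Data encryption'"
}
if ($plcCert.NotAfter -lt (Get-Date)) { throw "Controller certificate expired on $($plcCert.NotAfter)" }
# Self-signed certificates carry no chain to check, so pin by thumbprint: compare this
# value with the one the controller shows before trusting the file you copied.
Write-Host "Controller certificate $($plcCert.Subject) thumbprint $($plcCert.Thumbprint) valid until $($plcCert.NotAfter)"

# Opening a custom-named X509Store with ReadWrite creates the store if it does not exist yet.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Controller Certificates', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $found = $store.Certificates.Find('FindByThumbprint', $plcCert.Thumbprint, $false)
    if ($found.Count -eq 0) {
        $store.Add($plcCert)
        Write-Host "Installed into Cert:\CurrentUser\Controller Certificates"
    } else {
        Write-Host "Certificate already present in Controller Certificates"
    }
} finally {
    $store.Close()
}
```

Run the script in the same Windows user session that CODESYS uses, because both the user-profile signing certificate and the Controller Certificates store are per-user. The key-usage check is the scripted counterpart of reading the Key usage(s) column from cert-getcertlist; installing a certificate that lacks dataEncipherment would not fail until the encrypted download is attempted.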