ContentHub
OPC_UA_5_Zertifikate_Applikativ_Importieren_20260212_916_EN.mp4
1 views
View transcript
Hello. In this WAGO tutorial, we demonstrate the option of uploading certificates via a CODESYS application. When using security certificates in automation technology, you always face the challenge that certificates have an expiry date. There are no security certificates that can be used indefinitely. As a result, at some point during the lifecycle of a machine or system, you will eventually need to import new certificates. And this is precisely where uncertainties often arise: Which certificates belong where? Does the system need to be stopped? What if the operators don’t have access to CODESYS as a development environment? This means you need to think carefully about certificate management. One component could be implementing the whole process within the application itself – for example, providing the option for a certificate update through a visualisation interface. In this video, we show the core of such a solution: a CODESYS application that automatically copies newly uploaded certificates into the correct target structures. This is necessary because, without CODESYS, we have no access to the folders in which CODESYS requires the certificates. These are the folders accessible via the Security Screen – CODESYS refers to this area as the Security Store. Here, we focus purely on the import of certificates and on how they are moved into the correct folders. The visualisation created in the project is very basic. In principle, the programme is functional, but for a real-world system, quite a bit of additional programming work is required to seamlessly integrate it into a machine. Since there are countless ways to implement and visualise this, we limit ourselves here to the core function of the import. This is not a one‑to‑one template, but rather a core function describing one possible method that provides a solid basis for further work. A download link for the programme can be found in the video description. First step: getting the certificates onto the controller. There are two ways to do this. The first option is to upload them via the Web-Based Management. Under the Security tab, the Certificates menu is available — simply select the required certificates and keys and upload them. The storage folder on the controller is shown at the top. We want to verify this, so we connect to the controller using an FTP client — which already brings us to the second method for uploading certificates, namely transferring them directly via FTP. We switch to the directory etc/certificates/, and the certificates and key are displayed. So we have successfully uploaded the certificates onto the controller. Now we face the problem that CODESYS cannot access this folder. Conversely, with the FTP client we do not have permission to copy certificates into the correct folder. So in our application, we need to apply a small trick to access the certificates. Therefore, we now switch to CODESYS and show an approach for how to implement this within a CODESYS programme. In CODESYS, first, we open the Security Screen, and the folders “Own Certificates” and “Trusted Certificates” are empty. Then we start the controller and open the visualisation. By pressing Start, the uploaded certificates are read out. We now tick the boxes to determine in which folder each certificate should be stored. Our controller is the server, so it requires the server certificate in the Own folder. The client certificate and the Root CA must be placed in the Trusted folder. A key always goes into the Trusted folder, so we simply have an option to select whether it should be imported as well. Once all checkboxes are set, we use the Move to Store button to move the certificates into the Security Store — the final storage area for active certificates. This means that when we look at the Security Screen again, the certificates are displayed, and we have imported them without using CODESYS as a development environment. Now let’s look step by step at the programme behind this CODESYS provides several methods for certificate handling, and to use them, a whole range of libraries is needed. This list is also included in the video description. In the PLC PRG, we call two programmes: the programme for reading the certificates (Reed Certificates), executed by the Start button, and the programme Insert Certificates, executed by the Move to Store button. Both programmes use an enumeration in which the individual required steps are listed. The Read Certificates programme begins with an area where the checkboxes from the visualisation are evaluated and the respective indices are assigned. In the first initialisation step, we create a symbolic link. As mentioned earlier, we have no “external” access to the temp folder, and since firmware version 26, CODESYS no longer grants access to the ETC folder. The symbolic link solves precisely this problem by linking both directories. Next, we check whether the folders exist and store the directory path. We then read out the folder and store each certificate in an array. Since the certificate names always begin with the path prefix Root://, we need to remove this prefix. We perform the same process for the key, except here we search for the “.DER” file extension, whereas certificates have the “.CER” extension. Then we prepare everything for the transfer into the store — once for the Own store, below that for the Trusted store, and again for the key. The method is the same in all three cases: first we count the number of selected checkboxes and collect the corresponding certificates in an array. This prepares everything for transferring the certificates. The Insert Certificates programme is executed via the Move to Store button. The initialisation step here is only a placeholder. We jump directly to the second step, where the directories are passed — first for the certificates, then for the key. Up to this point, we have managed all with the standard tools of a CODESYS installation. Now we need the special libraries for X509 certificates. CODESYS provides several methods here: first a function to initialise the structure, then one to read general certificate information. Next, the store is opened. Then the certificates destined for the Own store are filtered and moved. The same is done for those that need to go into the Trusted store. With this, the basic function is complete. However, for a real system, the programme must be significantly expanded. For example, this programme simply stops in the step sequence without any message if a certificate already exists in the Security Store. You would first need to implement a check to determine whether the folder is empty and, if necessary, delete the existing certificate. Or check whether it is still valid and then offer an option to delete it - or - perhaps - only show an error message? Since there are many possible approaches for further implementation, going deeper here would exceed the scope and probably wouldn’t match a specific application use case. Therefore, we leave it at this single function, focusing on the fundamental methodology. CODESYS provides an extensive set of functions for everything else in the library “CmpX509 Cert Implementation”, allowing you to create a robust, fully functioning and cleanly programmed solution. Further information can also be found on the CODESYS Help Me page, consolidated under the search term x509. A link is included in the video description. This brings us to the end of the tutorial in which we demonstrate one method of uploading certificates via a CODESYS application. Feel free to give us a thumbs‑up if the video was helpful, subscribe to the channel, and contact the WAGO Support Centre if you have any further questions.