Web-based Management 2:
Security - Certificate management

Valid from firmware release 2025.0 - for earlier firmware see WBM - Certificate authentication

Please note the guidelines in our PLCnext Technology ‑ Security Info Center.
For developing secure-by-design, IEC 62443‑2 compliant applications with PLCnext Technology, get a good grasp of the concepts used in the Security context.

The Certificate management page is used to manage certificates for secure controller communication. You need some background knowledge of the terms used in this context and of the data to provide with a certificate.

For a thorough explanation of the certificate-based authentication, read the Certificates section in the Industrial Security Guideline of the PLCnext Technology ‑ Security Info Center.

General management of stores

Trusted certificates and revocation lists of possible communication partners are displayed on the TRUST STORES tab. 
Your own certificates are displayed on the IDENTITY STORES tab. 

The sections are ordered alphabetically by their names.

Naming of stores

Use only the following characters when naming TRUST STORES and IDENTITY STORES:

  • letters [a - z] [A - Z]
  • numbers [0 - 9]
  • hyphen [ - ]
  • underscore [ _ ]

The store names are used to reference a store from the interfaces for TLS communication, e.g., the TLS_SOCKET block in IEC 61131‑3, or the TlsSocket class in C++ or C#. Note: The naming is case-sensitive!

Location of stores

For information about the location of certificates on the controller's file system, refer to Directories of the firmware components.

Trust Stores

A certificate to add to a Trust Store consists of the certificate itself and, optionally, a certificate revocation list (CRL) that is checked during evaluation. Therefore, each Trust Store has the following set of folders.

On first-generation PLCnext Control devices, such as AXC F x152 or RFC 4072S:

  • /opt/plcnext/Security/TrustStores/<name>/trusted – The directory contains CA certificates that are trusted.
  • /opt/plcnext/Security/TrustStores/<name>/trusted/crl – The directory contains files with CRLs for the CA certificates.
  • /opt/plcnext/Security/TrustStores/<name>/issuer – The directory contains CA certificates that are not automatically trusted but that are necessary for creating a certificate chain.
  • /opt/plcnext/Security/TrustStores/<name>/issuer/crl – The directory contains files with CRLs for issuer certificates.

On secure-by-default devices launched in 2025 or later, such as VPLCNEXT CONTROL 1000, the folders have the same purpose as above but a different location:

  • /opt/plcnext/config/System/security/TrustStores/<name>/trusted
  • /opt/plcnext/config/System/security/TrustStores/<name>/trusted/crl
  • /opt/plcnext/config/System/security/TrustStores/<name>/issuer
  • /opt/plcnext/config/System/security/TrustStores/<name>/issuer/crl
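
The folder semantics above (trusted/ holds the anchors, issuer/ only helps to build the chain, the crl/ folders hold revocation lists) can be reproduced off the controller with the openssl CLI. The following is an added example, not firmware code or an official Phoenix Contact tool: it evaluates a peer certificate against a Trust Store directory copied from the controller, assuming a POSIX shell with openssl available and PEM-encoded files in the store.

```sh
#!/bin/sh
# Added example (not part of the PLCnext firmware or documentation): evaluate a
# peer certificate against a Trust Store directory with the openssl CLI.
# Assumptions: <store_root> is .../TrustStores/<name> as listed above, and the
# certificates and CRLs in the store are PEM files.
# Usage: verify_against_trust_store /path/to/TrustStores/<name> peer.pem
set -u

# Append every regular file in directory $1 to file $2 (a missing or empty
# directory is fine, it simply contributes nothing).
collect_pems() {
    [ -d "$1" ] || return 0
    for _f in "$1"/*; do
        [ -f "$_f" ] && cat "$_f" >> "$2"
    done
    return 0
}

# verify_against_trust_store <store_root> <peer_cert.pem>
# Exit status 0 if the peer certificate chains to a certificate in trusted/,
# using issuer/ only for untrusted intermediates, and (when CRLs are present)
# no certificate in the chain is revoked; otherwise exit status 1.
verify_against_trust_store() {
    _root=$1; _peer=$2
    _tmp=$(mktemp -d) || return 1
    : > "$_tmp/ca.pem"; : > "$_tmp/untrusted.pem"; : > "$_tmp/crl.pem"
    collect_pems "$_root/trusted"     "$_tmp/ca.pem"
    collect_pems "$_root/issuer"      "$_tmp/untrusted.pem"
    collect_pems "$_root/trusted/crl" "$_tmp/crl.pem"
    collect_pems "$_root/issuer/crl"  "$_tmp/crl.pem"
    if [ ! -s "$_tmp/ca.pem" ]; then
        echo "$_root: trusted/ holds no certificate, nothing can be trusted" >&2
        rm -rf "$_tmp"; return 1
    fi
    # issuer/ certificates may complete the chain but never act as anchors.
    _opts=""
    [ -s "$_tmp/untrusted.pem" ] && _opts="-untrusted $_tmp/untrusted.pem"
    # With CRLs present, require a CRL for every CA in the chain (strict mode).
    [ -s "$_tmp/crl.pem" ] && _opts="$_opts -CRLfile $_tmp/crl.pem -crl_check_all"
    if openssl verify -CAfile "$_tmp/ca.pem" $_opts "$_peer"; then
        _rc=0
    else
        _rc=1
    fi
    rm -rf "$_tmp"
    return $_rc
}
```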

By default, these entries are already set up as Trust Stores in a PLCnext Control device:

  • Code Signing (upload the certificate used to sign the PLCnext Engineer project here if this feature has been enabled on the Security - Project integrity WBM 2 page)
  • Empty (reserved for internal processes; therefore this entry cannot be edited or deleted via the WBM 2)
  • OPC UA-configurable
  • Phoenix Contact Device Root
  • Proficloud (reserved for Proficloud services)

For a thorough explanation of the certificate-based authentication, read the Certificates section in the Industrial Security Guideline of the PLCnext Technology ‑ Security Info Center.

These are the steps to manage Trust Stores:

  • Check if the default stores suit your purpose; if necessary, add, remove, or edit a Trust Store.

These are the steps to provide certificates and/or certificate revocation lists (CRLs):

  • Click the button to open the respective Trust Store section; there you can add, remove, or view a certificate and/or CRL.
  • To add a certificate and/or CRL, choose the type in the dialog box:
    You can either upload a certificate as a .pem file (Base64 format) or paste the content of the certificate as a text string in PEM Base64 format.

Identity Stores

On the IDENTITY STORES tab, you can create and manage different Identity Stores. 

By default, these entries are set up as IDENTITY STORES:

  • IDevID (reserved for internal processes; therefore this entry cannot be edited or deleted via the WBM 2)
  • HTTPS-self-signed
  • OPC UA-self-signed
  • Proficloud (reserved for Proficloud services)

Each Identity Store usually contains an RSA key pair and the corresponding key certificate. As an option, you can add further issuer certificates to an Identity Store. The IDevID and OPC UA-self-signed Identity Stores are part of the system and supplied with the controller. 

For a thorough explanation of the certificate-based authentication, read the Certificates section in the Industrial Security Guideline of the PLCnext Technology ‑ Security Info Center.

Read more about Pre-shared keys (PSK) and private/public key pairs in the Keys section of the Industrial Security Guideline in the PLCnext Technology ‑ Security Info Center.

These are the steps to manage Identity Stores:

  • Check if the default stores suit your purpose; if necessary, add, remove, or edit an Identity Store.

These are the steps to provide certificates and/or key pairs:

  • Click the button to open the respective Identity Store section; there you can view, download, or edit a certificate and/or key pair.
  • To edit a Certificate, choose the source in the dialog box:
    • If you choose to enter a certificate, you can either upload it as a .pem file (Base64 format) or paste the content of the certificate as a text string in PEM Base64 format.
    • If you choose to generate a certificate signing request (CSR), you download the generated file to request an X.509 certificate from a certificate authority (CA).
  • To edit a Key Pair, choose the source in the dialog box:
    You can either upload a key pair as text or as a file, or choose a suitable encryption method to generate a new key pair, which is then added to that Identity Store.

Note: If a hardware-protected key pair has been generated, an additional private key file named tpmkey.pem is present that links the certificate to this specific device.

Downloading public keys or key certificates

You can download the content of the public key of a key pair as a .pem file that is to be used in the corresponding Trust Store of a communication partner:

  • If a key pair is available, you can download it as a .csr file.
  • If a key certificate is available, you can download it as a .crt file.

• Published/reviewed: 2025-05-28  ✿  Revision 079 •