Working with the SecurityFramework

For PLCnext Technology Toolchain 2025.0 and 2025.6

The PLCnext Engineer software suite has implemented from its 2025.0 releases on a new security feature which provides an option to check libraries for trusted signatures.

This feature can also be addressed with libraries developed by means of an IDE because the PLCnext Technology Toolchain now contains the SecurityFramework to verify or add those signatures by means of PLCnext CLI, the Visual Studio® extension, or the Eclipse® add-in.

Tip: Special terms used in this topic are explained at Glossary & abbreviations for this topic

Installing the SecurityFramework

The SecurityFramework.Cli.exe is installed next to the plcncli.exe and then available within the terminal. 

Under Linux®, this tool is named SecurityFramework.Cli. With the Windows® installation, the path is set automatically. But when installing the Linux® version the path must be set manually (see Installing the toolchain).

For standalone use just call SecurityFramework.Cli.exe --help from the command line.

Verifying a signature by means of PLCnext CLI 

Security Note:
In addition to the signature validation, check the version of the PLCnext Engineer library (*.pcwlx) for correctness.
  • To verify a signature of a previously signed file by the PLCnext Technology Toolchain build, call this command:
    SecurityFramework.Cli.exe verify --signature .\signatureT.p7s --inputFile .\integrity.xml --conformance Automatic --trustedCertificates ".\codeSigningRootCa.pem"
  • For more information (especially in case of failures) add --outputFile "log.txt" to get a detailed log.

Adding a signature to a PLCnext Engineer library...

Known Issues

Known for PLCnext Technology Toolchain releases 2025.0 and 2025.6:

Only PKCS#1 PEM files are supported. This can be achieved with the -traditional flag when generating a private key with openssl, e.g.:
openssl genrsa -aes256 -traditional -out privatekey.pem 2048

Known for PLCnext Technology Toolchain releases 2025.0 and 2025.6:

The naming of the --publickey parameter at the plcncli deploy command is misleading: It just takes the certificate file whereas the --certificates parameter takes the whole certificate chain.
In a development environment with a self-signed certificate, both parameters would take the same certificate file. Therefore, the parameter names will be adapted with the 2026.0 toolchain release, and the certificate chain parameter will become optional.

...by means of PLCnext CLI

To add signatures to PLCnext Engineer libraries via command line, the plcncli deploy command needs additional parameters.

The following decisions and information are needed:

  1. Add the --sign parameter to activate signing in general.

  2. Add private key, certificate and certificate chain from the signing authority;
    this can be done by either adding a PKCS#12 archive with --pkcs12 <path to pkcs12>,
    or in separate steps:

    • Add the private key (PEM format): --privatekey <path to privatekey>
    • Add the certificate (PEM format): --publickey <path to certficate> 
      (Note: This parameter will be renamed. Read the second Known Issue above)
    • Add certificate chain files (PEM format): --certificates <path to certificate chain>,<path to further optional *.crt/*.pem> 
      (Note: As of now, this parameter must be present. In case no certificate chain is to be provided, just repeat the path to the certificate file. Read the second Known Issue above.)

  3. Optional: Add the --password <your private key password> parameter.
    If not set, the command line will request the password when required.

  4. Set either --notimestamp if the signature can be just CAdES-B, or --timestamp for a CAdES-T signature.
    If you want to sign with CAdES-T, an additional timestamp configuration file is necessary and the --timestampconfiguration <path to timestampconfiguration file> parameter needs to be set.
Security Note: For releases of the library always use unique and strictly monotonically increasing version numbers. 

...by means of Visual Studio®

  • To configure the signing of a library in Visual Studio®, right click on your project in the Solution Explorer, select PLCnext TechnologyProject Configuration.
  • Switch to the Signing tab and make your choices:
    • Signing can be activated or deactivated; to use a signature with your project, tick the Sign Library mark.
    • There are two options to provide the necessary files:
      • The first option is a PKCS#12 Container, this contains a public and a private key to sign and a (derived) certificate of the issuing certificate authority.
      • The second option is to provide these files in the PEM format file by file.
    • Both the PKCS#12 container or the private key file in PEM format can be protected by a Password....
      This password is stored for the user per project and will be protected by the default Visual Studio® mechanism.
    • The last option is to add a timestamp configuration file for a CAdES-T signature.
      Visual Studio signing GUI
Security Note: For releases of the library always use unique and strictly monotonically increasing version numbers. This can be set in the General tab.

...by means of Eclipse®

  • To configure the signing of a library in Eclipse®, open the project properties, select PLCnext TechnologyPLCnext Signing
  • Make your choices:
    • Signing can be activated or deactivated; to use a signature with your project, tick the Sign Library mark.
    • There are two options to provide the necessary files:
      • The first option is a PKCS#12 Container, this contains a public and a private key to sign and a (derived) certificate of the issuing certificate authority.
      • The second option is to provide the separate files in the PEM format.
    • Both the PKCS#12 container or the private key file in PEM format can be protected by a Password....
      This password is stored for the user per project and will be protected by the default Eclipse® mechanism.
    • Another option is to add a timestamp configuration file for a CAdES-T signature.
      Eclipse signing GUI
Security Note: For releases of the library always use unique and strictly monotonically increasing version numbers. This can be set in the PLCnext Configuration tab.

Reference

Certificate configuration for signing and verifying

To ensure proper validation of CA certificates and entity certificates, follow these guidelines:

CA Certificate Validation

  • Certificate Version:
    • Ensure the certificate is X.509 version 3.
  • Key Usage: The certificate must have the following key usages:
    • keyCertSign (Value 5): Allows the key to sign other certificates.
    • cRLSign (Value 6): Allows the key to sign certificate revocation lists (CRLs).
  • Critical Key Usage: Ensure the Key Usage extension is marked as critical.
  • Extended Key Usage Presence: If the certificate has the Extended Key Usage extension, validate against expected key purposes such as:
    • AnyExtendedKeyUsage (optional)
    • id_kp_serverAuth (optional)
    • id_kp_emailProtection (optional)
    • Depending on the usage of the certificate, check:
      • id_kp_codeSigning (mandatory) or
      • id_kp_timeStamping (mandatory)

Entity Certificate Validation

  • Certificate Version
    • Ensure the certificate is X.509 version 3.
  • Key Usage:
    • The certificate must have the key usage digitalSignature (Value 0); this allows the key to create digital signatures.
    • The certificate must not have the key usage keyCertSign (Value 5) or cRLSign (Value 6).
  • Critical Key Usage: Ensure the key usage extension is marked as critical.
  • Extended Key Usage: Validate against expected key purposes, such as:
    • AnyExtendedKeyUsage (optional)
    • id_kp_serverAuth (optional)
    • Depending on the usage of the certificate, check:
      • id_kp_codeSigning (mandatory) or
      • id_kp_timeStamping (mandatory)

Glossary & abbreviations for this topic 

  • Signature Types:
    • CAdES-B: Basic signature that ensures the integrity and authenticity of the signed data. It does not include a timestamp.
    • CAdES-T: Timestamped signature that includes a timestamp from a trusted timestamp authority, providing proof that the signature existed at a specific time.
  • Conformance: Defines the verification process based on signature type and timestamp. It includes:
    • Signed: Conformance check using the current UTC DateTime (CAdES-B signature Type).
    • SignedWithTimestamp: Conformance check using the provided timestamp (CAdES-T signature type).
    • Automatic: The system decides whether to use the provided timestamp's (if available), or defaults to the current UTC DateTime.
  • Digest Algorithm: Cryptographic hash functions. Supported algorithms are:
    • SHA256
    • SHA384
    • SHA512
  • Signature Algorithm: Digital signature methods. Supported algorithms are:
    • RSA
    • RSAPSS: an RSA variant with a probabilistic signature scheme
    • ECDSA: using elliptic curve cryptography

CAdES-T: Timestamp Configuration File 

The timestamp configuration file is needed, if the signature should be of type CAdES-T.

  • All information necessary for accessing a time server must be put in this configuration file.
  • The TimeStampServerCredentials are optional.
  • The Proxy is optional, and – if not configured – the system defaults are used.

Example:

{
  "TimestampServer": "http://test.com",
  "TimeStampServerCredentials": {
    "UserName": "userName",
    "Password": "pwd",
    "Domain": "domain"
  },
  "Proxy": {
    "Address": "http://test.com:8080",
    "BypassOnLocal": true,
    "BypassList": [
      "bypass1",
      "bypass2"
    ],
    "Host": "test.com",
    "Port": 8080,
    "IsDefault": false,
    "ProxyCredentials": {
      "UserName": "proxyUserName",
      "Password": "proxyPwd",
      "Domain": "proxyDomain"
    }
  },
  "DigestAlgorithm": "SHA256",
  "SignatureAlgorithm": "Rsa"
}

 

See Also

  1. Installing the toolchain
  2. Toolchain changelog
  3. Installing IDE plug-ins
  4. Tools
  5. Using the PLCnext CLI
  6. Managing SDKs
  7. Template system

 

 

• Published/reviewed: 2025-10-15  ☂  Revision 085 •