Signing PLCnext Control Function Extensions and PLCnext Control Solutions
The following information on signing relates to PLCnext Control Function Extensions and PLCnext Control Solutions, hereinafter referred to as "apps" for short.
From firmware version 2026.0 LTS, you must sign your apps so that the user can install them on their device. The installation of apps from unknown sources on a PLCnext Control is prevented.
With firmware versions earlier than 2026.0 LTS, app signatures are ignored.
By default, the firmware is set so that users can only install apps with a developer signature and a PLCnext Store signature. As a developer, you provide your app with your developer signature; the PLCnext Store signature is created automatically after uploading to the PLCnext Store.
For test purposes, you can deactivate the signature check of the apps via the WBM.
You can use OpenSSL or XCA from Christian Hohnstädt, for example. Both tools are available for Windows® and Linux®. The provided examples are based on OpenSSL.
To sign your app, proceed as follows:

1. Generate a private key locally (as a file).
   - RSA 2048 or higher and ECDsa 256 are supported.
   - Always assign a secure password (passphrase) to protect the private key.
   - The private key must be stored securely to prevent loss or theft.

   You can generate a private key with the following command:

        openssl genrsa -out private.key 4096

2. Create a Certificate Signing Request (CSR) locally (as a file).

   You can create the CSR with the following command:

        openssl req -new -key private.key -out request.csr

   The company details specified in the CSR are not relevant, as these are set by the PLCnext Store.

3. Upload the CSR to your PLCnext Store account.

   After the upload, the PLCnext Store generates a developer certificate (public key certificate) and makes it available for download. Download and save this developer certificate locally.

4. Create a PKCS #12 container locally (as a file).

   To do this, you need the secure password (passphrase) that was assigned to the private key in step 1. Assign a separate password for the PKCS #12 container.

   You can create the PKCS #12 container with the following command:

        openssl pkcs12 -export -out developer_certificate.pfx -inkey private.key -in dev_cert_XXXXXXXXXX.pem

5. You can now sign your app locally.

   You will need the following for this:
   - The "SecurityFramework.Cli" tool (available for Linux® and Windows®). The "SecurityFramework.Cli" tool is part of the PLCnext Technology SDK for PLCnext Control.
   - The app that is to be signed
   - The PKCS #12 container created in step 4

   Sign the app with the SecurityFramework.Cli under Windows® with the following command:

        .\SecurityFramework.Cli.exe signApp --inputFile myapp.app --outputFile myapp_signed.app --signatureType T --timeStampServerUri https://tsa.plcnextstore.com/ --pkcs12 .\developer_certificate.pfx --password mypassword --appSignatureType PLCnextStoreDeveloper

   | Parameter | Value | Description |
   |---|---|---|
   | --inputFile | User specific | File name of the app to be signed, for example: myapp.app |
   | --outputFile | User specific | File name of the signed app, for example: myapp_signed.app |
   | --signatureType | T | Accept value unchanged |
   | --pkcs12 | User specific | File name of the PKCS #12 container |
   | --password | User specific | Password of the PKCS #12 container |
   | --timeStampServer | https://tsa.plcnextstore.com | Accept value unchanged; only the plcnextstore timestamp server can be used |
   | --appSignatureType | PLCnextStoreDeveloper | Accept value unchanged |

   The command without parameters directly opens the help in the tool:

        .\SecurityFramework.Cli.exe signApp

6. Upload the signed app to the PLCnext Store.

   After you have uploaded the app and saved the page, you will receive the following message below the upload window:

7. Download the signed app from the PLCnext Store and install it on the device for verification.

   After installation, check the signature status of your installed app in the WBM on the App management page (System → App management).
The following statuses are possible:

| Signature status | Description | Measure |
|---|---|---|
| Signature not available | The installed app does not have a signature. | After successfully signing the app, this message should not appear. Please check whether you have installed the correct signed version of your app. |
| Signature invalid | The installed app has an invalid signature. | It appears that the app signing has not been performed correctly. Please repeat the signing of the app as described above. Alternatively you can check the signature of the app with the following command: .\SecurityFramework.Cli.exe analyzeApp --appFile myapp_signed.app |
| Signature valid | The installed app has a valid signature. | The signature of your app is correct. No further action is required. |
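
A pre-flight check for steps 1 to 4, as an added example that is not part of the PLCnext documentation: it confirms that the private key file is passphrase-protected and that the CSR or the downloaded developer certificate carries the public key of that private key before the PKCS #12 container is built. The function names, the KEY_PASS variable and the throwaway fixture (a self-signed certificate standing in for the store-issued one) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not PLCnext code. Function names and KEY_PASS are hypothetical.

# True if the PEM key file is passphrase-protected (PKCS #8 or legacy format).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Each helper prints the public key (PEM SubjectPublicKeyInfo) of its input.
# Passphrase source uses openssl syntax (env:VAR keeps it off the command line).
key_pub()  { openssl pkey -in "$1" -passin "$2" -pubout 2>/dev/null; }
csr_pub()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# preflight KEY CERT PASS_SOURCE
# 0 = ready for "openssl pkcs12 -export"; 1..4 identify the failed check.
preflight() {
    key_is_encrypted "$1" || { echo "key is not passphrase-protected" >&2; return 1; }
    k=$(key_pub "$1" "$3") || { echo "cannot read key (passphrase?)" >&2; return 2; }
    c=$(cert_pub "$2")     || { echo "cannot read certificate" >&2; return 3; }
    [ "$k" = "$c" ]        || { echo "certificate belongs to another key" >&2; return 4; }
}

# Constructed fixture: throwaway 2048-bit keys, a CSR, and a self-signed
# certificate standing in for the store-issued dev_cert_XXXXXXXXXX.pem.
make_fixture() {   # $1 = empty directory; passphrase is read from $KEY_PASS
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/private.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/private.key" -passin env:KEY_PASS \
        -subj "/CN=constructed" -out "$1/request.csr" 2>/dev/null &&
    openssl req -new -x509 -key "$1/private.key" -passin env:KEY_PASS \
        -subj "/CN=constructed" -days 1 -out "$1/dev_cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/plain.key" 2048 2>/dev/null   # no cipher: unencrypted
}

demo() {
    d=$(mktemp -d) || return 1
    KEY_PASS=constructed-passphrase; export KEY_PASS
    make_fixture "$d" && preflight "$d/private.key" "$d/dev_cert.pem" env:KEY_PASS \
        && echo "ok: key is encrypted and matches the certificate"
    rc=$?; rm -rf "$d"; return $rc
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

openssl genrsa only encrypts the key file when a cipher option is given, for example openssl genrsa -aes256 -out private.key 4096; without it the step 1 command writes the key unprotected and preflight returns 1.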