Generating the certificate via batch script

Hardware Engineering reference

Portfolio: SIMATIC AX
Product: SIMATIC AX
Software version: 2.0.0-alpha1.56
Edition: 08/2025
Language: English (original)
Package Name: @ax/hw-docs

A PKCS12 certificate can be generated with a batch file that calls OpenSSL.

Create a new batch file createCertificateViaOpenSSL.bat with the following content:

@echo off

echo Creating server_cert_ext config to set CA (Certificate Authority) parameter to false
(
echo basicConstraints = CA:FALSE
echo keyUsage=critical, digitalSignature, nonRepudiation, keyCertSign, keyEncipherment, dataEncipherment
echo extendedKeyUsage=serverAuth, clientAuth
)> server_cert_ext.cnf

echo Step1 of PKCS12 file creation STARTED: generating private key
openssl genrsa -out privateKey.pem 2048
echo Step1 of PKCS12 file creation COMPLETED: privateKey.pem is generated

echo Step2 of PKCS12 file creation STARTED: generating certificate request
openssl req -new -key privateKey.pem -out server.csr -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
echo Step2 of PKCS12 file creation COMPLETED: server.csr is generated

echo Step3 of PKCS12 file creation STARTED: generating end-entity certificate
openssl x509 -req -in server.csr -signkey privateKey.pem -out server.cert.pem -days 3650 -sha256 -extfile server_cert_ext.cnf
echo Step3 of PKCS12 file creation COMPLETED: generating end-entity certificate

echo Step4 of PKCS12 file creation STARTED: export certificate in pkcs12 format
openssl pkcs12 -export -in server.cert.pem -inkey privateKey.pem -out PlcCertificate.p12
echo Step4 of PKCS12 file creation COMPLETED: export certificate in pkcs12 format


echo Certificate with public key creation STARTED
openssl pkcs12 -in PlcCertificate.p12 -out PlcCertificatePublic.crt -nokeys
echo Certificate with public key creation COMPLETED

echo Deleting temporary files STARTED
del privateKey.pem
del server.cert.pem
del server.csr
del server_cert_ext.cnf
echo Deleting temporary files COMPLETED

To execute the script, open a new command line (cmd). If you are using the OpenSSL binaries provided by Git, be sure to add the Git directory to your environment variable as mentioned in Use Git OpenSSL binaries.

Execute the script in the console by typing the following command:

createCertificateViaOpenSSL.bat

Note

The script will ask for a password twice:

  • Once for an "Export Password"
  • Once for an "Import Password"

Both times, enter the password to encrypt the certificate file. You need to specify the same password for both prompts.

[Figure: PKCS12 certificate generation via batch script]

If all goes well, a PlcCertificate.p12 certificate is created in the same folder. It can then be imported into your PLC for different purposes. The PlcCertificatePublic.crt certificate, which contains only the public key, can be used for validation purposes (e.g. when downloading to your PLC or connecting to the Web Server).
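
Before importing, the two generated files can be checked with a second batch file. This is an added example, not part of the original documentation; the file name checkCertificate.bat is hypothetical, and it assumes OpenSSL 1.1.1 or later is on PATH and that it is run in the folder containing the generated files.

```batch
@echo off
rem checkCertificate.bat (hypothetical name): added example, not part of the
rem original documentation. Assumes OpenSSL 1.1.1 or later (needed for -ext)
rem is on PATH and that it is run in the folder with the generated files.
setlocal
set "CRT=PlcCertificatePublic.crt"
set "P12=PlcCertificate.p12"

if not exist "%CRT%" (
    echo ERROR: %CRT% not found. Run createCertificateViaOpenSSL.bat first.
    exit /b 1
)
if not exist "%P12%" (
    echo ERROR: %P12% not found. Run createCertificateViaOpenSSL.bat first.
    exit /b 1
)

echo --- Subject and validity period ---
openssl x509 -in "%CRT%" -noout -subject -dates
if errorlevel 1 goto :fail

echo --- Extensions taken from server_cert_ext.cnf ---
openssl x509 -in "%CRT%" -noout -ext basicConstraints,keyUsage,extendedKeyUsage
if errorlevel 1 goto :fail

echo --- SHA-256 fingerprint of the certificate ---
openssl x509 -in "%CRT%" -noout -fingerprint -sha256
if errorlevel 1 goto :fail

echo --- The public certificate file must not contain a private key ---
rem findstr returns errorlevel 0 when the text is found
findstr /c:"PRIVATE KEY" "%CRT%" >nul
if not errorlevel 1 (
    echo ERROR: %CRT% contains a private key. Do not distribute this file.
    exit /b 1
)

echo --- PKCS12 file opens with the chosen password: asks for Import Password ---
openssl pkcs12 -in "%P12%" -info -noout
if errorlevel 1 goto :fail

echo All checks passed.
exit /b 0

:fail
echo ERROR: an OpenSSL check failed, see the output above.
exit /b 1
```

The printed SHA-256 fingerprint gives you a value to compare against wherever PlcCertificatePublic.crt is later installed or displayed.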