Test signing

Overview

Implementing TwinCAT 3 C++ modules for x64 platforms requires signing the driver with a certificate.

This article describes how to create and install a test certificate for testing a C++ driver.

Note the procedure when creating test certificates

Developers may have a wide range of tools for creating certificates. Please follow this description exactly, in order to activate the test certificate mechanism.

The following commands must be executed from a command line that has been opened in either way:

1. On XAE:
In the engineering system, enter the following command in the Visual Studio 2010 / 2012 prompt with administrator rights (see note above):
makecert -r -pe -ss PrivateCertStore -n CN=MyTestSigningCert MyTestSigningCert.cer
(If you do not have access rights to the PrivateCertStore, you can use a different location. This must also be used in the PostBuild event, as described here.)
This creates a self-signed certificate, which is stored in the file "MyTestSigningCert.cer" and in the Windows Certificate Store.
Check the result with mmc (use File->Add/Remove Snap-in->Certificates).
2. On XAE:
Configure the certificate so that it is recognized by TwinCAT XAE on the engineering system.
Set the environment variable TWINCATTESTCERTIFICATE to "MyTestSigningCert" in the engineering system, or edit the post build event of Debug|TwinCAT RT (x64) and Release|TwinCAT RT (x64).
The value of the variable is NOT the name of the certificate file, but the CN name (in this case MyTestSigningCert).

Note: From TwinCAT 3.1 4024.0, the certificate to be used is configured under Tc Sign in the project properties. To use signing via the operating system, as described here, please pay attention to the project settings.

3. On XAR (and XAE, if it is a local test), activate the test mode so that the operating system accepts the self-signed certificates. This can be done on both engineering systems (XAE) and runtime systems (XAR).

For Windows

Use the administrator prompt to execute the following:
bcdedit /set testsigning yes
and reboot the target system.
You may have to switch off "SecureBoot" for this, which can be done in the BIOS.

If test signing mode is enabled, this is displayed at the bottom right of the desktop. The system now accepts all signed drivers for execution.

After the respective procedure, the system accepts all signed drivers for execution.

4. Test whether a configuration with a TwinCAT module implemented in a TwinCAT C++ driver can be enabled and started on the target system.
Compilation of the x64 driver generates the following output:
[Figure: build output of the x64 driver compilation]
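
The following read-only PowerShell check is an added example, not part of the original documentation: it reports whether the state set up in the steps above is in place (boot option, Secure Boot, certificate, environment variable). It assumes the certificate name and store from the makecert command on this page, the current-user store location, and English bcdedit output.

```powershell
# Added example: read-only audit of the test-signing setup described above.
# Run from an elevated PowerShell prompt on the XAE or XAR system.
$cn        = 'MyTestSigningCert'                   # CN from the makecert command on this page
$storePath = 'Cert:\CurrentUser\PrivateCertStore'  # assumption: makecert without -sr uses the current-user location

function Get-TestSigningState {
    # Looks for "testsigning  Yes" in the current boot entry.
    # Assumption: English bcdedit output; a missing entry means the option was never set.
    $out = (bcdedit /enum '{current}') -join "`n"
    return ($out -match '(?m)^\s*testsigning\s+Yes\s*$')
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS systems or without elevation.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        'Unknown (legacy BIOS or prompt not elevated)'
    }
}

function Get-TestCertificate {
    # Returns every certificate in the store whose subject is exactly CN=<cn>.
    if (-not (Test-Path $storePath)) { return @() }
    Get-ChildItem $storePath | Where-Object { $_.Subject -eq "CN=$cn" }
}

# The page states that the variable holds the CN, not the .cer file name,
# so the comparison is made against the CN.
$envCn = [Environment]::GetEnvironmentVariable('TWINCATTESTCERTIFICATE', 'Machine')
if (-not $envCn) { $envCn = $env:TWINCATTESTCERTIFICATE }

$certs = @(Get-TestCertificate)
$report = [pscustomobject]@{
    TestSigningEnabled = Get-TestSigningState
    SecureBoot         = Get-SecureBootState
    CertInStore        = ($certs.Count -gt 0)
    SelfSigned         = [bool]($certs | Where-Object { $_.Subject -eq $_.Issuer })
    Thumbprints        = ($certs.Thumbprint -join ', ')
    EnvVarValue        = $envCn
    EnvVarMatchesCN    = ($envCn -eq $cn)
}
$report | Format-List

if ($report.TestSigningEnabled) {
    Write-Warning 'Test signing is ON: the system accepts all signed drivers, including self-signed test certificates.'
}
```

If a different store was used in step 1, change $storePath to match before running the check.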

References:
MSDN, MakeCert test certificates (Windows drivers),
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/makecert-test-certificate