Test signing

The test signing for TwinCAT can be carried out with the same TwinCAT user certificate as for the actual delivery (see Request TwinCAT 3 user certificate).

1. For test operation, e.g. during software development, the creation of a TwinCAT user certificate, as described Creation of the Certificate Request file for TC0008, is sufficient. Make sure that you select the purpose "Sign TwinCAT C++ executable (*.tmx)". For this the Crypto version 2 is required, a message appears.
Test signing 1:

On XAR (and XAE, if it is a local test), activate the test mode so that the operating system can accept the self-signed certificates. This can be done on both engineering systems (XAE) and runtime systems (XAR).

For Windows

Use the administrator prompt to execute the following:
bcdedit /set testsigning yes
and reboot the target system.
You may have to switch off "SecureBoot" for this, which can be done in the bios.

If test signing mode is enabled, this is displayed at the bottom right of the desktop. The system now accepts all signed drivers for execution.

Test signing 2:


For TwinCAT/BSD

In the file /usr/local/etc/TwinCAT/3.1/TcRegistry.xml enter „<Value Name="EnableTestSigning" Type="DW">1</Value> " under Key "System".

<Key Name="System">
  <Value Name="RunAsDevice" Type="DW">1</Value>
  <Value Name="RTimeMode" Type="DW">0</Value>
  <Value Name="AmsNetId" Type="BIN">052445B00101</Value>
  <Value Name="LockedMemSize" Type="DW">33554432</Value>
  <Value Name="EnableTestSigning" Type="DW">1</Value>
</Key>

Then restart the TwinCAT System Service:
doas service TcSystemService restart

After the respective procedure, the system accepts all signed drivers for execution.

1. During the first activation (Activate Configuration) with a TwinCAT user certificate, the target system detects that the certificate is not trusted and the activation process is aborted:
Test signing 3:
For Windows:
A local user with administration rights can trust the certificate via the created REG file by simply executing it:
Test signing 4:
For TwinCAT/BSD:
If the "Tcimportcert" package is not installed, install it: pkg install tcimportcert
Trust the certificate via doas tcimportcert /usr/local/etc/TwinCAT/3.1/Target/OemCertificates/<CreatedFile>.reg.
Then restart the TwinCAT System Service or reboot the system:
doas service TcSystemService restart
This process only enables C++ modules with a signature from the trusted TwinCAT user certificates to run.
2. Following this process you can use the TwinCAT user certificate for signing with the test mode of the operating system.
This is configured in the project properties.
Use the TcSignTool to avoid storing the password of the TwinCAT user certificate in the project, where it would also end up in version management, for example.

If you want to use the TwinCAT user certificate without TestMode for delivery, you must have the certificate countersigned by Beckhoff.