TwinCAT OEM certificates
A TwinCAT OEM certificate signed by Beckhoff is required in order to be able to use the application software protection functions.
The TwinCAT OEM certificate is exclusively intended for use together with TwinCAT.
With TwinCAT Build 4024, the TwinCAT OEM certificate version TC0008 can additionally be used to sign TwinCAT *.tmx files created with TwinCAT 3 in C++.
With the launch of TwinCAT 3.1 Build 4024, several new features relating to TwinCAT OEM certificates were introduced, compared to Build 4022:
- Update to a newer encryption version for the internal certificate data
- Introduction of an extended certificate version TC0008, with which C++ TwinCAT driver software created in TwinCAT 3 can also be signed
- This certificate version requires secure validation of the applicant data, since it is used in the Windows environment.
- The process of applying for a TwinCAT OEM certificate was modified for this purpose. All OEM certificates must be officially ordered to validate address and contact information. (However, the issuing of a TwinCAT OEM certificate remains free of charge.)
- TwinCAT OEM Certificates Extended Validation (TC0008) are only issued to existing Beckhoff customers.
Order numbers for TwinCAT OEM certificates
TC0007: TwinCAT OEM Certificate Standard (TwinCAT Software Protection)
TC0008: TwinCAT OEM Certificate Extended Validation (like TC0007, additionally signing of TwinCAT driver software created with TwinCAT 3 in C++)
Only valid for TwinCAT 3.1 Build 4024.0: creation of a User DB requires Crypto Version 1. In TwinCAT 3.1 Build 4024.0, a user database for the TwinCAT Software Protection may only be created with an OEM certificate with Crypto version 1!
Please note:
- TC0008 includes all functionalities of TC0007
- The standard certificate version TC0007 can optionally be issued with the encryption version of TwinCAT 3.1 Build 4022 or 4024.
- The certificate version TC0008 with extended validation can only be issued with the newer encryption version of TwinCAT 3.1 Build 4024.
- The encryption version of the certificate is defined by the user when the "OEM Certificate Request File" is created (not when the order is placed!).
Compatibility of OEM certificates: Build 4022 <-> Build 4024:
- Encryption version 1, the version used by Build 4022 (e.g. an existing OEM certificate created with Build 4022, or UserDBs or OEM application licenses created with it), can also be used with Build 4024. In the other direction, Build 4024 data only works with Build 4022 if it uses encryption version 1!
- A TwinCAT OEM certificate (Standard only) with encryption version 1 of Build 4024 (or UserDBs or OEM application licenses generated with it) can be used with TwinCAT 3.1 Build 4022 (Build 4022 can decrypt the certificate data of encryption version 1).
- A TwinCAT OEM certificate with encryption version 2 of Build 4024 (or UserDBs or OEM application licenses generated with it) cannot be used with TwinCAT 3.1 Build 4022! (Build 4022 cannot decrypt the certificate data of encryption version 2!)
- TwinCAT OEM certificates with different encryption versions can be used in parallel in TwinCAT 3.1 Build 4024: an OEM certificate with the encryption version of TwinCAT 3.1 Build 4022 for protecting user software, and a second OEM certificate with the encryption version of TwinCAT 3.1 Build 4024 for signing TwinCAT driver software.
Storage instructions for the application area: protection of OEM application software
The OEM key included in all certificate versions facilitates the use of the functions for protecting the TwinCAT 3 application software:
- Creating a user database (user DB) for user access control
- Creating OEM application license description files (basis for issuing OEM application licenses)
- Issuing (signing) of OEM application licenses
The OEM Standard certificate (TC0007) is only required for these three purposes.
On which computer does the OEM certificate TC0007 have to be stored? The OEM certificate should only be located on the computer on which the three activities listed above are performed.
The OEM certificate TC0007 is not required:
- for the use of a User DB
- for the program sequence
- for the use of OEM application licenses
For security reasons, the certificate should not be shipped on control computers or installed indiscriminately on computers with TwinCAT Engineering.
When using OEM licenses, the OEM certificate is only required once to issue the license (since it is used to sign the license file).
Storage instructions for the application area: signing TwinCAT driver software
The OEM key included in the certificate version TC0008 (TwinCAT OEM Certificate Extended Validation) can additionally be used to sign TwinCAT driver software created with TwinCAT 3 in C++.
If you use TC0008 only for this purpose, the following applies:
On which computer does the OEM certificate TC0008 have to be stored? The OEM certificate should only be located on the computer on which TwinCAT driver software created with TwinCAT 3 in C++ is signed.
If you also use TC0008 for TwinCAT Software Protection, the relevant instructions for the computers on which the certificate may / should be stored also apply.
The OEM certificate TC0008 is not required for running the TwinCAT driver software signed with it.
The certificate should not be shipped on control computers or installed indiscriminately on computers with TwinCAT Engineering.
Use of a secure PC: Use a secure PC for activities that require handling the password for the OEM certificate's private key, in order to prevent password sniffing.
Validity of the TwinCAT OEM certificate
For reasons of security, the validity of the OEM certificate is limited to two years.
The OEM may apply for an extension of the certificate before the two-year period has expired (or afterwards), in order to be able to continue working without interruption. (See Extending an OEM certificate)
What happens if the certificate has expired?
The following functions are no longer available with an invalid (expired) OEM certificate:
- Creating a user database
- Creating OEM application license description files
- Issuing (signing) of OEM application licenses
- Signing C++ executables (build 4024) with the OEM certificate
All other functions continue to work:
- Program execution is still possible.
- Issued OEM licenses remain valid.
- C++ executables signed with TC0008 continue to run (Build 4024).
- The user database remains valid, and the administrator can continue to modify/adapt the database. (It is no longer possible to create a new user database.)