Updating an existing OEM certificate?
Unfortunately, an existing OEM certificate cannot be updated (to a new crypto version or a different area of application). In this case it is always necessary to issue a new OEM certificate. It is, however, possible to extend the validity period of the OEM certificate by re-signing.
What are the consequences of a new OEM certificate for applications with existing or new TwinCAT UserDBs, OEM license description files or OEM application licenses?
TwinCAT User DB
- Use case: an existing User DB is to be reused, and at the same time a new OEM certificate is to be used. No problem: the existing User DBs can still be used and modified, since an OEM certificate is not required for either case. This also applies to the switch from build 4022 to build 4024 (and the User DB of build 4022).
- Use case: an existing User DB (created with old OEM certificate 1) is to be replaced by a new User DB (created with new OEM certificate 2). Provided that the requirement stated below for the crypto version is taken into account, there is no problem. However, the project must be linked once with the new User DB. A simple exchange at file level is not possible, i.e. the replaced User DB must always be reassigned to the project, because the new User DB has a different user DB key.
  Note: all security settings for the project will be lost!
- A User DB created on the basis of a certificate with crypto version 2 cannot be used under build 4022. (The information encrypted in the User DB cannot be decrypted by build 4022.)
TwinCAT OEM application licenses
OEM license description files: in general, an OEM license description file must always be created with the same certificate that is used to sign the OEM application license. (Otherwise the OEM key in the license description file will not match the OEM key in the application license.)
This is independent of the TwinCAT version or the crypto version.
Comments:
- OEM license description files and OEM application licenses created with a crypto version 2 certificate cannot be used in build 4022.
- But OEM license description files and OEM application licenses created with a crypto version 1 certificate can be used in build 4024.