Setting up driver signing

Create an OEM certificate level 2

TwinCAT objects generated from MATLAB® or Simulink® are based on a tmx driver (TwinCAT Module Executable), as are TwinCAT C++ objects. These drivers must be signed with an OEM certificate level 2, so that it can be loaded on the runtime PC during the TwinCAT runtime.

See the following links for detailed documentation on how to create an OEM certificate for driver signing:

The most important facts in brief:

Use of an OEM level 2 certificate for driver signing

To sign tmx drivers, you need a certificate and a password associated with the certificate.

Setting up driver signing 1:

Available certificates can be found at:

Build 4026: C:\ProgramData\Beckhoff\TwinCAT\3.1\CustomConfig\Certificates
Build 4024: C:\TwinCAT\3.1\CustomConfig\Certificates

Handling of the certificate

There are four possible variants for signing tmx drivers.

Variant 1: System-wide default certificate for TwinCAT C++ and TE14xx

You can set a default certificate on an engineering PC, which is always used for TwinCAT C++, Target for MATLAB® and Target for Simulink®, unless you explicitly specify a different certificate.

For this variant, you use a Windows environment variable. Create a new environment variable at User > Variables with:

Variable: TcSignTwinCatCertName

Value: Name of the desired certificate

Variant 2: System-wide default certificate for TE14xx

You can set a default certificate in your MATLAB® environment, which is always used for Target for MATLAB® and Target for Simulink® (not TwinCAT C++), unless you explicitly specify a different certificate.

Open the Common Settings dialog mentioned above with TwinCAT.ModuleGenerator.Settings.Edit and enter the desired default certificate under Build> Certificate name for TwinCAT signing. This certificate is stored in your user directory as default and is used by all MATLAB® versions on your system as default.

Variant 3: Certificate in the configuration of the Simulink® model

You can explicitly name a certificate for each build operation. For Variant 3 you do not have to make any further settings in advance. Before each build process, you can define a certificate of your choice for precisely this build process.

Target for Simulink®: TC Build > Certificate for TwinCAT signing

Target for MATLAB®: Property SignTwinCatCertName

Variant 4: Build without certificate and sign later with TcSignTool

You can build without a certificate and sign afterwards with the TcSignTool.

The TcSignTool is a command line program. For example, open the command prompt and execute tcsigntool sign /? to display the help. The program can be found here:

Build 4026: C:\Program Files (x86)\Beckhoff\TwinCAT\3.1\SDK\Bin

Build 4024: C:\TwinCAT\3.1\SDK\Bin

Setting up driver signing 2:

Operating TcSignTool from MATLAB®

From MATLAB®, the tool can be started with the command system() or with !.

Setting up driver signing 3:

Sample call for signing a tmx driver for TwinCAT: 


TcSignTool sign /f "C:\TwinCAT\3.1\CustomConfig\Certificates\ MyCertificate.tccert" /p MyPassword "C:\TwinCAT\3.1\Repository\TE140x Module Vendor\ModulName\0.0.0.1\TwinCAT RT (x64)\MyDriver.tmx"

Handling the certificate password

The password is only entered directly at Variant 4 of the certificate handling.

For Variants 1 to 3, the associated password must be entered in addition to the certificate. For security reasons, the password must not be entered in the source code in the Simulink® model or in the MATLAB® code. Use the TcSignTool to store the corresponding passwords for your certificates. The passwords are stored obfuscated in the registry of the Windows operating system. This means that the password for a specific certificate is known in the operating system (for the corresponding user) and is used automatically.

The password is stored with the following call: 

tcsigntool grant /f "C:\TwinCAT\3.1\CustomConfig\Certificates\MyCertificate.tccert" /p MyPassword

The obfuscated password is stored in the registry under: HKEY_CURRENT_USER\SOFTWARE\Beckhoff\TcSignTool\

The password is deleted with the following call:

tcsigntool grant /f "C:\TwinCAT\3.1\CustomConfig\Certificates\MyCertificate.tccert" /r

Behavior of the TwinCAT runtime

If a TwinCAT object created from MATLAB® or Simulink® with a signed driver is used in a TwinCAT Solution and loaded onto a target system with Activate Configuration, the following must be observed:

Test mode for non-countersigned certificates

If you use a non-countersigned OEM certificate for signing, you must set your target system into test mode. To do this, run the following command as an administrator on the target system:

bcdedit /set testsigning yes

If you are using a countersigned OEM certificate, this step is not necessary.

Whitelist for certificates on target systems

Each TwinCAT runtime (XAR) has its own whitelist of trusted certificates.

Behavior with TwinCAT Build 4026

The TwinCAT-XAE checks whether all certificates required to activate the configuration are in the whitelist on the runtime system. If this is not the case, a pop-up window appears. The user can use this to set the whitelist entries.

Behavior with TwinCAT Build 4024

If the certificate used for signing is not included in this whitelist, the driver will not be loaded. A corresponding error message is output in TwinCAT Engineering (XAE).

Setting up driver signing 4:

The error message contains the instruction to execute a registry file, which was automatically created on the target system, on the target system as administrator. This process adds the used certificate to the whitelist.

Setting up driver signing 5:

Registry file is only dependent on the OEM certificate

The registry file can also be used on other target systems. It only contains information about the OEM certificate used and is not target system dependent.