We use encrypted ANSL communication in Automation Studio 4 and were able to set the controller's IP address at runtime via CfgSetIPAddr(). After that, establishing a connection over ANSL with the new IP address worked without problems.
In Automation Studio 6 the behavior seems to have changed:
The IP address of the PLC must be stored in the server certificate.
If I now change the IP address at runtime (e.g. via CfgSetIPAddr()), the IP address no longer matches the certificate.
If I then try to establish an online connection, I get the error:
11017 – Fehler bei der Server-Zertifikat-Validierung: IP-Adresse oder Hostname im Server-Zertifikat nicht gefunden (link to the B&R Help)
The connection can no longer be established afterwards.
Question:
Does anyone have a solution for this problem?
Is there a way in AS6 to adjust the IP address in the certificate dynamically or to bypass the validation (e.g. via a configuration)?
Or does the certificate have to be recreated manually as soon as the IP changes?
Additional problem: Trusted Certificates
As soon as I store a Trusted Certificate in the SSL/TLS configuration (see screenshot), I can no longer connect to the controller, even if I use the same certificate in the Secure Configuration settings of the Online Settings.
Even if I have no idea right now (I'm out of office), I'm pretty sure that the changed IP address behavior has a cyber security / CRA background.
Because the validation of the IP address and/or the hostname is one part of the security chain to validate that the communication partner is the right one. So I could imagine that ANSL / PVI uses more strict validation algorithms within the AS 6 versions.
Do you also use a hostname in the PLC, and is the hostname also part of the certificate?
Because from my basic knowledge, if IP addresses are changing, using a hostname instead is the way it works (in IT environments, e.g. WWW).
I also remember the usage of wildcards in hostnames (for example to have one certificate for several sub-domains), but I'm not sure right now if and how this works in the AS/AR environment.
I hope someone else here in the Community has some more insight / background info.
Thank you for sharing these very important questions!
Unfortunately there is no way to change certificate parameters after creation; as you can imagine, that's because of cyber security reasons.
So it is necessary to create a new certificate.
If the new connection parameters are known before creation, you can enter all possible IP addresses and hostnames into the SAN parameter (Subject Alternative Name).
As @alexander.hefner mentioned, the usage of a hostname could help here.
Regarding your issue with “Trusted certificates”:
In the documentation (see TLS/SSL configurations) you can find the information that trusted CAs (“Certificate Authority”) can be specified as “Trusted Certificate”.
This means you need a chain of trust here to make this work.
For test purposes we started to create a guide for internal usage on how to create a simple chain of trust with “X - Certificate and Key management” (see X - Certificate and Key management). To share it here, we have to hide some sensitive information. As soon as we are that far, we will share it here.
Certificates must be created in PEM format (not DER)
Client certificate must be stored as .pfx in the Windows certificate store
As I mentioned, you need a chain of trust. As you can see in the screenshot of my last post, you have to insert the whole certificate chain, including the intermediate certificate, in the SSL configuration in AS.
Unfortunately this information is currently not available in the AS Help. So we asked B&R to insert this important information.
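The steps above (all SAN entries known before creation, PEM format, a full chain including the intermediate, the client certificate as .pfx) as one worked example, added here; it is not B&R's code and not the XCA guide mentioned above, and it uses the openssl command line instead of XCA. All hostnames, IP addresses and the .pfx password are constructed sample values.

```shell
#!/bin/sh
# Added example (not B&R's code and not the XCA guide mentioned above): build a
# PEM chain of trust with openssl (root CA -> intermediate CA -> controller
# certificate) whose SAN lists every IP address and hostname the controller may
# be reached under, export a client certificate as .pfx, and check which targets
# the certificate validates for. All names, addresses and the .pfx password are
# constructed sample values.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# One config file serves as -config (req) and -extfile (x509), so nothing here
# depends on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden by -subj

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
# SAN: list every address and name up front; it cannot be changed afterwards.
subjectAltName = @san

[ san ]
IP.1  = 192.168.100.10
IP.2  = 192.168.100.11
DNS.1 = plc1.example.local
DNS.2 = *.cell.example.local

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF

# Root CA, self-signed. openssl writes PEM unless -outform DER is given.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 365 -subj "/CN=Lab Root CA" -config pki.cnf -extensions v3_ca 2>/dev/null

# issue NAME ISSUER EXT_SECTION SUBJECT: new key + CSR, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$4" -config pki.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
issue int    root v3_int    "/CN=Lab Intermediate CA"
issue plc    int  v3_server "/CN=plc1"
issue client int  v3_client "/CN=engineering-pc"

# Chain file for the AS SSL configuration: leaf first, then the intermediate.
cat plc.pem int.pem > plc-chain.pem

# Client certificate and key as .pfx for the Windows certificate store.
openssl pkcs12 -export -in client.pem -inkey client.key -certfile int.pem \
  -out client.pfx -passout pass:changeit

# Exit 0 when plc.pem chains to the root and its SAN covers the target; this
# is the check that fails after CfgSetIPAddr() moves the PLC off a listed IP.
verify_ip()   { openssl verify -CAfile root.pem -untrusted int.pem -verify_ip "$1" plc.pem >/dev/null 2>&1; }
verify_host() { openssl verify -CAfile root.pem -untrusted int.pem -verify_hostname "$1" plc.pem >/dev/null 2>&1; }
# Same chain check with only the root known and the intermediate missing.
verify_without_intermediate() { openssl verify -CAfile root.pem plc.pem >/dev/null 2>&1; }
# True when the .pfx opens with its password (MAC and contents check out).
pfx_readable() { openssl pkcs12 -in client.pfx -passin pass:changeit -noout -nokeys 2>/dev/null; }
# Shows the SAN entries actually written into the controller certificate.
san_entries() { openssl x509 -in plc.pem -noout -ext subjectAltName; }

san_entries
for target in 192.168.100.10 192.168.100.12; do
  if verify_ip "$target"; then echo "$target: matches SAN"; else echo "$target: not in SAN (AS reports 11017)"; fi
done
if verify_without_intermediate; then echo "chain OK"; else echo "root only: cannot build chain, add the intermediate"; fi
```

The wildcard entry `*.cell.example.local` covers one label (press2.cell.example.local matches, plc2.example.local does not), which is the single-certificate-for-several-names case raised earlier in the thread. Whether AR accepts wildcard SAN entries is not confirmed on this page; the openssl check only shows what a standard validator does with them.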
@alexander.hefner: yes, we discussed the usage - however, we are currently not deploying any DNS servers on our machines. @wagner2a: thanks for your very helpful information and ideas.
→ Great. I will test it
I’m curious to see if anyone else has had any experiences with ANSLS in AS6!
Regarding your first question (certificate handling when the end user can change the IP address), there is already a thread from 2024 which goes in the same direction: MappView Client: SSL certificate for https connection