Secure by default: Checking project integrity 

Integrity check

Libraries and projects in PLCnext Engineer are hashed. The hashes assigned with PLCnext Engineer are checked by PLCnext Control. This way you can verify that data is not modified, tampered with, or corrupted.  

When creating the project in PLCnext Engineer, a manifest file with hashes is generated. Before the project is loaded on the PLCnext Control, it is checked whether this project has integrity. This integrity check writes a notification. 

To configure the integrity check, proceed as follows: 

• Log in to the WBM. 

Return to topicHow do I get to the WBM again? Click here for more information... 

• Open the Project integrity page (Security → Project integrity). 
• Make the following settings:
  
• Click the SAVE & APPLY PAGE button.

After downloading a project to the PLCnext Control you have to make sure that the integrity check of the project data was successful. To do this, you need to check the notifications. Proceed as follows:

• Log in to the WBM. 

Return to topicHow do I get to the WBM again? Click here for more information... 

• Open the Notifications page (Diagnostics → Notifications). 
• Check if you can see a notification stating that the integrity check was successful for your project. See the example screenshot below.

Further steps of the check follow, which you must check for completeness:

• The project is loaded onto the controller.
• The project name of the project is displayed. Check if the project name matches the project you wanted to load on the controller.
• PLCnext Control started. 

 

The project integrity check detects various errors and displays them in the notifications. The following entries are possible: 

• "Manifest file does not exist"
• "Hash algorithm not supported"
• "Hash value of the file is not correct"
• "File does not belong to the project"
• "File does not exist"

Signature check

Signature

• Generate a signing certificate via an official PKI or create a self-signed certificate. 
• Save the signing certificate as *.pfx with a password. 
  
• Log in to the WBM. 

Return to topicHow do I get to the WBM again? Click here for more information... 

• Open the Project integrity page (Security → Project integrity). 
• Make the following settings:
  
• Click the SAVE & APPLY PAGE button. 
• Open PLCnext Engineer. 
• Double-click the controller node in the PLANT area. 
• Open the Package Signing editor. 
• Enter the certificate path of your generated signing certificate and the corresponding password.
  
  The password is only saved temporarily. Each time you close and reopen the project, you must enter the password again. 

• Download the project to your PLCnext Control.

Signature with time stamp

First you have to insert the root certificates in the trust store in PLCnext Engineer. Proceed as follows:

• Open PLCnext Engineer with administrator rights and log in as admin. 
• Open the Extras → Options... menu.
• On the Administration → Trust stores tab, add the signature root and the time stamp root certificates.
  
• Then enter the Signing certificate (.pfx) and the path to the Timestamp server in the project.
  

Before downloading, both root certificates must be entered on the PLCnext Control in the trust store Code Signing via the WBM. Proceed as follows:

• Log in to the WBM. 

Return to topicHow do I get to the WBM again? Click here for more information... 

• Open the Certificate management page (Security → Certificate management). 
• Add the certificates via the  button.

You can now activate the integrity check on the Project integrity page (Security → Project integrity). The Integrity status shows whether the configuration is correct. 

 

You can see whether the integrity check was successful on the Notifications page (Diagnostics → Notifications):

• Published/reviewed: 2026-01-30 • Revision 020 •