Tip for certificate-based communication between PG and CPU - Siemens SIMATIC ET 200AL System Manual

Distributed I/O system

3.6.4.3 Tip for certificate-based communication between PG and CPU

Certificate-based PG/PC communication (Secure PG/PC communication) means that the communication partner of the CPU, the programming device with TIA Portal installed, must trust the device certificate of the CPU before a connection can be established for loading.
To put it simply, from the TIA Portal perspective you have the following options for trusting the certificate of a CPU:

• The PG with TIA Portal is in possession of the device certificate of the CPU, for example because it was created or imported in the project. In this case, the certificate check runs automatically and without prompting.

• The PG with TIA Portal is not in possession of the device certificate of the CPU, for example because the CPU was found via "Accessible stations" and is not available in the project. In this case, TIA Portal asks the TIA Portal user whether the certificate can be trusted. Answering this may take great effort, for example because the CPU is not within sight and its authenticity therefore cannot be checked immediately.

• The PG with TIA Portal is in possession of the CA certificate (certification authority), and all CPUs that can be reached in the network from TIA Portal have device certificates issued by this CA. Advantage of this solution: TIA Portal can check device certificates automatically, even if the device certificates of the communication partners are not available in TIA Portal.
The solution with a CA certificate (certification authority) is explained in more detail below.
Requirement
You can use the certification authority of TIA Portal to create device certificates for a CPU and use its existing CA certificates to sign the device certificates. However, you can also import another certification authority into TIA Portal and use it.
Enabling the global security settings for the certificate manager is a requirement. Only with this setting can you generate CA-signed certificates.
See also here: Managing certificates with STEP 7 (Page 49)
Exporting CA certificate for programming devices
To export the corresponding CA certificate after creating and assigning a certificate, follow these steps:
1. Open the certificate manager in the global security settings in the project tree.
2. In the "CA certificates" table, select the certificate to be exported.
3. Right-click to open the shortcut menu of the selected certificate.
4. Click "Export".
5. Select the export format of the certificate and the storage location.
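The following script is an added example, not part of the Siemens manual, that works through the third option above with the OpenSSL CLI: a PG that holds only the exported CA certificate can check any CPU device certificate issued by that CA, while a certificate from another issuer (the "Accessible stations" case) is rejected. It assumes the openssl CLI is installed; all subjects, file names and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Siemens manual: the PG-side certificate check when the
# PG trusts only the project CA certificate. Assumes the openssl CLI is available;
# all names, subjects and paths are constructed.
set -e
WORK="${TMPDIR:-/tmp}/pg_ca_demo.$$"

# Build a stand-in for the exported project CA plus two CPU certificates
make_demo_certs() {
    mkdir -p "$WORK"
    # Stand-in for the CA certificate exported from the TIA Portal certificate manager
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Project CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Device certificate for a CPU in the project, signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=plc-1" \
        -keyout "$WORK/cpu1.key" -out "$WORK/cpu1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/cpu1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/cpu1.pem" 2>/dev/null
    # Self-signed certificate of a CPU the project CA never issued (the
    # "Accessible stations" case, where TIA Portal would have to ask the user)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=plc-unknown" \
        -keyout "$WORK/unknown.key" -out "$WORK/unknown.pem" 2>/dev/null
}

# The PG-side check: exit status 0 only when the device certificate chains to the CA
verify_device_cert() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Subject CN of a device certificate, so the PG can also compare it with the
# expected CPU name once the chain check has succeeded
device_cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/^CN=//'
}

make_demo_certs
verify_device_cert "$WORK/cpu1.pem" \
    && echo "$(device_cert_cn "$WORK/cpu1.pem"): trusted, issued by project CA"
verify_device_cert "$WORK/unknown.pem" \
    || echo "$(device_cert_cn "$WORK/unknown.pem"): rejected, not issued by project CA"
```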
Communication, Function Manual, 05/2021, A5E03735815-AJ. Communications services, 3.6 Secure Communication, page 95
