Certificate Management via Global Discovery Server (GDS); Automated Certificate Management with GDS - Siemens SIMATIC ET 200AL System Manual
Distributed I/O system
9.2.7 Certificate management via Global Discovery Server (GDS)

9.2.7.1 Automated certificate management with GDS

The OPC UA server of the S7-1500 CPU with firmware V2.9 or higher supports certificate management services that can be used, for example, by a Global Discovery Server (GDS). OPC UA certificates, trust lists and certificate revocation lists (CRLs) for the OPC UA server of the S7-1500 CPU can be updated automatically using GDS push management functions. Automating the certificate management eliminates the manual work of reconfiguring the CPU and downloading it again, for example after a certificate has expired. The GDS push management functions can also transfer updated certificates and lists while the CPU is in the STOP or RUN operating state.

The certificate management information model is specified in OPC UA Part 12 (OPC 10000-12: OPC Unified Architecture, Part 12: Discovery and Global Services).

The following sections provide a general overview of Global Discovery Services and of the automated certificate update supported as of TIA Portal V17 / CPU firmware version V2.9.
Discovery server

To connect to an OPC UA server, an OPC UA client requires information about its endpoint, such as the endpoint URL and the security policy. When a large number of possible servers are available in the network, a discovery server can take over the search for and management of this server information.
• OPC UA servers register with the discovery server.
• OPC UA clients request a list of accessible servers from the discovery server and then connect to the desired OPC UA server.

Global Discovery Server (GDS)

The OPC UA GDS concept allows the configuration of cross-subnet discovery services on the one hand and provides interfaces for central certificate management on the other hand.

A Global Discovery Server (GDS) makes mechanisms available for the central management of the following components:
• CA-signed certificates and self-signed certificates
• Trust lists and certificate revocation lists (CRLs)

A GDS thus provides an access point to central certificate management and takes over the task of a security server within an OPC UA network.

The main application of a GDS is the management of CA-signed certificates with the corresponding CRLs:
• Initial creation of an OPC UA application certificate
• Regular update of the trust list and the CRLs
• Renewal of the OPC UA application certificate
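The following is an added worked example, not code from this manual or from Siemens, that models what the GDS push update described above (updated certificates, trust lists and CRLs) changes on the server side and what the three GDS tasks listed here mean for a CPU: a peer certificate is accepted or rejected against the trust list and CRL, and the CPU's own application certificate is renewed before it expires. Certificates are simplified records rather than real X.509 objects, and the names Cert, TrustList, ServerConfig and run_scenario are hypothetical; the dates, names and serial numbers are constructed.

```python
"""Toy model of GDS push certificate management for an OPC UA server.

Constructed example (not Siemens / OPC Foundation code): certificates are
simplified records, no real X.509 parsing or signature checking is done.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str      # equal to subject for a self-signed certificate
    serial: int
    not_after: datetime

    @property
    def thumbprint(self) -> str:
        # Stand-in for the certificate thumbprint OPC UA uses to identify
        # individual (e.g. self-signed) certificates in a trust list.
        raw = f"{self.subject}|{self.issuer}|{self.serial}".encode()
        return hashlib.sha1(raw).hexdigest()


@dataclass
class TrustList:
    trusted_issuers: set[str] = field(default_factory=set)      # CA certs, by subject
    trusted_certs: set[str] = field(default_factory=set)        # peer certs, by thumbprint
    revoked: set[tuple[str, int]] = field(default_factory=set)  # CRL entries (issuer, serial)


class ServerConfig:
    """State the CPU's OPC UA server holds; the GDS pushes updates into it."""

    def __init__(self, app_cert: Cert, trust_list: TrustList) -> None:
        self.app_cert = app_cert
        self.trust_list = trust_list

    # What the GDS push model updates: whole trust list (incl. CRL) and the
    # application certificate, replaced as complete units.
    def update_trust_list(self, new_list: TrustList) -> None:
        self.trust_list = new_list

    def update_certificate(self, new_cert: Cert) -> None:
        self.app_cert = new_cert

    # How the server then uses that state when a peer connects.
    def reject_reason(self, peer: Cert, now: datetime) -> str | None:
        """None if the peer certificate is accepted, otherwise why it is not."""
        if now > peer.not_after:
            return "expired"
        tl = self.trust_list
        if peer.issuer == peer.subject:                      # self-signed peer
            if peer.thumbprint not in tl.trusted_certs:
                return "self-signed certificate not in trust list"
            return None
        if peer.issuer not in tl.trusted_issuers:            # CA-signed peer
            return "issuer CA not trusted"
        if (peer.issuer, peer.serial) in tl.revoked:
            return "revoked by CRL"
        return None


def renewal_due(cert: Cert, now: datetime, lead: timedelta) -> bool:
    """True when the GDS should renew the certificate before it expires."""
    return cert.not_after - now <= lead


def run_scenario() -> dict[str, object]:
    now = datetime(2021, 5, 1, tzinfo=timezone.utc)           # constructed date
    ca = "CN=PlantCA"                                          # constructed CA name
    cpu = ServerConfig(
        app_cert=Cert("CN=CPU-1", ca, 100, now + timedelta(days=10)),
        trust_list=TrustList(trusted_issuers={ca}),
    )
    hmi = Cert("CN=HMI-1", ca, 200, now + timedelta(days=365))
    results: dict[str, object] = {"before_update": cpu.reject_reason(hmi, now)}

    # Regular trust list / CRL update pushed by the GDS: HMI-1 was revoked.
    cpu.update_trust_list(TrustList(trusted_issuers={ca}, revoked={(ca, 200)}))
    results["after_crl_update"] = cpu.reject_reason(hmi, now)

    # Expired peer certificates are rejected regardless of the trust list.
    old = Cert("CN=Old-Tool", ca, 300, now - timedelta(days=1))
    results["expired_peer"] = cpu.reject_reason(old, now)

    # Self-signed peer: rejected until its thumbprint is in the pushed trust list.
    tool = Cert("CN=Tool-1", "CN=Tool-1", 1, now + timedelta(days=100))
    results["self_signed_untrusted"] = cpu.reject_reason(tool, now)
    cpu.update_trust_list(TrustList(trusted_issuers={ca}, revoked={(ca, 200)},
                                    trusted_certs={tool.thumbprint}))
    results["self_signed_trusted"] = cpu.reject_reason(tool, now)

    # Renewal: the GDS issues a new application certificate before expiry,
    # so no manual reconfiguration or download of the CPU is needed.
    lead = timedelta(days=14)
    results["renewal_due"] = renewal_due(cpu.app_cert, now, lead)
    cpu.update_certificate(Cert("CN=CPU-1", ca, 101, now + timedelta(days=365)))
    results["renewal_due_after"] = renewal_due(cpu.app_cert, now, lead)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The trust list and CRL are replaced as one unit in update_trust_list; that mirrors why the regular update of both is listed as one GDS task, since a trust list without the matching CRL would keep accepting a certificate the CA has already revoked.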
Communication Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication, 9.2 Security at OPC UA, page 185
