Generating PKI Key Pairs And Certificates Yourself - Siemens SIMATIC S7-1500 Function Manual


9.2.5 Generating PKI key pairs and certificates yourself

This section is only relevant if you want to use an OPC UA client that cannot itself create a PKI key pair and a client certificate. In this case, you generate a private and a public key using OpenSSL, generate an X.509 certificate, and sign the certificate yourself.

Using OpenSSL

OpenSSL is a tool for Transport Layer Security that you can use to create certificates. You can also use other tools, for example XCA, a type of key management software with a graphical user interface for an improved overview of certificates issued.

To work with OpenSSL under Windows, follow these steps:
1. Install OpenSSL under Windows. If you are using a 64-bit version of the operating system, install OpenSSL in the "C:\OpenSSL-Win64" directory, for example. You can obtain OpenSSL-Win64 as a download from various providers for open source software.
2. Create a directory, for example "C:\demo".
3. Open the command prompt. To do so, click "Start" and enter "cmd" or "command prompt" in the search field. Right-click "cmd.exe" in the results list and run the program as an administrator. Windows opens the command prompt.
4. Change to the "C:\demo" directory. To do this, enter the following command: "cd C:\demo".
5. Set the following environment variables:
– set RANDFILE=c:\demo\.rnd
– set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
The figure below shows the command line with the following commands:
6. Now start OpenSSL. If OpenSSL has been installed in the C:\OpenSSL-Win64 directory, enter the following: C:\OpenSSL-Win64\bin\openssl.exe
The figure below shows the command line with the following command:
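
The batch file below is an added example, not part of the Siemens manual: it carries the setup from steps 4 and 5 through to the key pair and self-signed X.509 certificate described at the start of this section, then checks that the two belong together. The file names, subject fields, 2048-bit key size and 365-day validity are assumptions chosen for illustration.

```bat
@echo off
rem Added example. File names, subject, key size and validity are assumptions.
setlocal
cd /d C:\demo || exit /b 1
set RANDFILE=C:\demo\.rnd
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
set PATH=C:\OpenSSL-Win64\bin;%PATH%

rem 1. Generate the RSA key pair (the private key file is written unencrypted).
openssl genrsa -out client_key.pem 2048 || exit /b 1

rem 2. Create an X.509 certificate and sign it with the same key (self-signed).
openssl req -new -x509 -sha256 -days 365 -key client_key.pem ^
  -subj "/CN=ExampleOpcUaClient/O=ExampleOrg" -out client_cert.pem || exit /b 1

rem 3. Confirm that the certificate carries the public half of this key.
for /f "delims=" %%M in ('openssl rsa -in client_key.pem -noout -modulus') do set KEYMOD=%%M
for /f "delims=" %%M in ('openssl x509 -in client_cert.pem -noout -modulus') do set CRTMOD=%%M
if not "%KEYMOD%"=="%CRTMOD%" (
  echo Key and certificate do not match.
  exit /b 1
)

rem 4. Show the subject, issuer, validity period and fingerprint for review.
rem    For a self-signed certificate, subject and issuer are identical.
openssl x509 -in client_cert.pem -noout -subject -issuer -dates -fingerprint -sha256

rem 5. Remove inherited permissions; leave read access for the current user only.
icacls client_key.pem /inheritance:r /grant:r "%USERNAME%:R"
endlocal
```

Only client_cert.pem is handed to other systems; client_key.pem stays on the client machine.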
Communication
Function Manual, 11/2019, A5E03735815-AH
OPC UA communication
9.2 Security at OPC UA
153
