Siemens SIMATIC S7-1500 Function Manual page 187

OPC UA communication
9.3 Using the S7-1500 as an OPC UA server
8. Right-click this line and select the "Export certificate" entry from the shortcut menu.
9. Select a directory where you will store the client certificate.
Clients of other manufacturers
When you use UA clients from manufacturers or the OPC Foundation, a client certificate is
generated automatically during installation or upon the first program call. You have to import
these certificates via the global certificate manager in STEP 7 and use them for the
corresponding CPU (as shown above).
When you program an OPC UA client yourself, you can have the certificates generated by
the program; see the section "Instance certificate for the client". Alternatively, you can
generate certificates with tools, for example with OpenSSL or the certificate generator of the
OPC Foundation:
● The procedure for OpenSSL is described here: "Generating PKI key pairs and certificates
yourself".
● Working with the certificate generator of the OPC Foundation is described here: "Creating
self-signed certificates".
Announcing client certificates to the server
You need to send client certificates to the server to allow a secure connection to be
established.
To do this, follow these steps:
1. Select the "Use global security settings for certificate manager" option in the local
certificate manager of the server. This makes the global certificate manager available.
You will find this option under "Protection & Security > Certificate manager" in the
properties of the CPU that is acting as server.
If the project is not yet protected, select "Security settings > Settings" in the STEP 7
project tree, click the "Protect this project" button and log on.
The "Global security settings" item is now displayed under "Security settings" in the STEP
7 project tree.
2. Double click "Global security settings".
3. Double click "Certificate manager".
STEP 7 opens the global certificate manager.
4. Click on the "Trusted certificates" tab.
5. Right-click in the tab on a free area (not on a certificate).
6. Select the "Import" command from the shortcut menu.
The dialog for importing certificates is displayed.
7. Select the client certificate that the server is to trust.
8. Click "Open" to import the certificate.
The certificate of the client is now contained in the global certificate manager.
Note the ID of the client certificate just imported.
186
Function Manual, 11/2019, A5E03735815-AH
Communication