Siemens SIMATIC S7-1500 Function Manual page 41

Communications services
3.6 Secure Communication
How certificates establish trust
The main role of X.509 certificates is to bind an identity with the data of a certificate subject
(for example, e-mail address or computer name) to the public key of the identity. Identities
can be people, computers or machines.
Certificates are issued by certificate authorities (CAs) or by the subject of
a certificate itself. PKI systems specify how users can trust the certificate authorities and the
certificates that they issue.
The certificate process:
1. Anyone wishing to own a certificate submits a certificate application to a registration
authority linked to the certificate authority.
2. The certificate authority assesses the application and applicant on the basis of set
criteria.
3. If the identity of the applicant can be clearly established, the certificate authority confirms
that identity by issuing a signed certificate. The applicant has now become the certificate
subject.
The figure below is a simplified overview of the process. It does not show how Alice can
check the digital signature.
Figure 3-9
Self-signed certificates
Self-signed certificates are certificates whose signature comes from the certificate subject
and not from an independent certificate authority.
Examples:
● You can create and sign a certificate yourself, for example, to encrypt messages to a
communication partner. In the example above, Bob (instead of Twent) could himself sign
his certificate with his private key. Using Bob's public key, Alice can check that the
signature and public key from Bob match. This procedure is sufficient for simple internal
plant communication that is to be encrypted.
● A root certificate is, for example, a self-signed certificate, signed by the certificate
authority (CA), that contains the public key of the certificate authority.
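
The signature checks described in this section, as an added Go example that is not part of the Siemens manual: it creates a self-signed root for the CA (named Twent as in the figure), issues Bob's certificate from it, and verifies each signature with the matching public key. The helper names `issue`, `isSelfSigned` and `signedBy` and the Ed25519 test keys are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a constructed test certificate; parent == nil means the subject signs it itself.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil { // self-signed; flagged as CA so the root may sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// isSelfSigned: issuer equals subject and the signature verifies with the certificate's own key.
func isSelfSigned(c *x509.Certificate) bool {
	return string(c.RawIssuer) == string(c.RawSubject) && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// signedBy: the signature on c verifies with the issuer's public key.
func signedBy(c, issuer *x509.Certificate) bool {
	return c.CheckSignatureFrom(issuer) == nil
}

func main() {
	ca, caKey := issue("Twent", nil, nil) // root certificate: self-signed by the CA
	bob, _ := issue("Bob", ca, caKey)     // Bob's certificate, signed by the CA
	fmt.Println(isSelfSigned(ca), isSelfSigned(bob), signedBy(bob, ca)) // true false true
}
```

A self-signature only shows that the signer holds the private key for the public key in the certificate, so a second self-signed certificate that merely reuses the name "Twent" fails `signedBy` for Bob's certificate. These helpers check signatures only; validity period and full chain validation are out of scope here.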
Signing of a certificate by a certificate authority
Function Manual, 11/2019, A5E03735815-AH
Communication
