Examples For The Management Of Certificates - Siemens SIMATIC S7-1500 Function Manual


3.6.5 Examples for the management of certificates

As explained in the preceding sections, certificates are required for every type of secure
communication. The following section shows as an example how you handle the certificates
with STEP 7 so that the requirements for Secure Open User Communication are fulfilled.
The devices which are involved at the respective communication partners are differentiated
below. The respective steps for supplying the required certificates to the communications
participants are described. An S7-1500 CPU or an S7-1500 software controller as of
firmware version 2.0 is always required.
The general rule is:
While a secure connection is being established ("handshake"), the communication partners
as a rule only communicate their end-entity certificates (device certificates).
Therefore the CA certificates required to verify the transmitted device certificate must be
located in the certificate memory of the respective communication partner.

Secure Open User Communication between two S7-1500 CPUs
Two S7-1500 CPUs, PLC_1 and PLC_2, are to exchange data with each other via Secure
Open User Communication.
You generate the required device certificates with STEP 7 and assign them to the CPUs as
described below.
STEP 7 project certificate authorities (CA of the project) are used to sign the device
certificates.
The certificates are to be referenced by their certificate ID in the user program (TCON
communication instruction in combination with the associated system data type, for example
TCON_IPV4_SEC). STEP 7 assigns the certificate ID automatically during the generation or
creation of certificates.
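
The general rule and the two-CPU setup above can be reproduced offline with the OpenSSL command line. This is an added example, not part of the Siemens manual and not the way STEP 7 generates or stores certificates. The file names, subject strings and the unrelated_ca negative case are constructed, and STEP 7 certificate IDs are not modelled.

```sh
#!/bin/sh
# Added illustration. PLC_1 / PLC_2 are the page's names; file names, subject
# strings and the unrelated_ca case are constructed for this example.
WORK=$(mktemp -d)

# Stand-in for a project CA: a self-signed CA certificate plus its private key.
make_ca() {   # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Constructed example/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Device (end-entity) certificate for one CPU, signed by the given CA.
issue_device_cert() {   # $1 = device name, $2 = signing CA name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 1 \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Handshake view of one partner: it is sent only the peer's device certificate
# ($2) and has to find the issuing CA in its own certificate memory ($1).
partner_accepts() {   # $1 = CA in local certificate memory, $2 = peer device
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1 | grep -q ': OK$'
}

make_ca project_ca
make_ca unrelated_ca
issue_device_cert PLC_1 project_ca
issue_device_cert PLC_2 project_ca

for store in project_ca unrelated_ca; do
  for peer in PLC_1 PLC_2; do
    if partner_accepts "$store" "$peer"; then result=accepted; else result=rejected; fi
    echo "certificate memory holds $store, peer presents $peer: $result"
  done
done
```

A partner whose certificate memory holds only unrelated_ca rejects both device certificates, which is the failure to expect when the signing CA certificate was not loaded to the communication partner.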

Communication, Function Manual, 11/2019, A5E03735815-AH
Communications services, 3.6 Secure Communication
