Siemens SIMATIC S7-1500 Function Manual page 50

Using self-signed certificates instead of CA certificates
When creating device certificates you can select the "Self-signed" option. You can create
self-signed certificates without being logged in for the global security settings. This
procedure is not recommended because the resulting certificates do not exist in the global
certificate memory and can therefore not be assigned directly to a partner CPU.
As described above, you should select the name of the certificate subject with care so that
the right certificate can be assigned to a device without any doubt.
Verification with the CA certificates of the STEP 7 project is not possible for self-signed
certificates. To ensure that self-signed certificates can be verified you have to include the
self-signed certificates of the communication partner into the list of trusted partner devices
for each CPU. To this purpose you must have activated the "Use global security settings for
certificate manager" option and be logged in as a user in the global security settings.
Proceed as follows to add the self-signed certificate of the communication partner of the
CPU:
1. Mark PLC_1 and navigate to the "Certificates of partner devices" table in the "Protection
& Security" section.
2. Click in an empty line in the "Certificate subject" column in the "Device certificates" table
to add a new certificate.
3. Select the self-signed certificate of the communication partner from the drop-down list
and confirm the selection.
In the next step you have to create the user programs for the data exchange and load the
configurations together with the program.
Communication
Function Manual, 11/2019, A5E03735815-AH
Communications services
3.6 Secure Communication
49