Siemens SIMATIC S7-1500 Function Manual page 51

Communications services
3.6 Secure Communication
Secure Open User Communication between S7-1500 CPU as a TLS client and an external device as
a TLS server
Two devices are to exchange data with each other via TLS connection or TLS session, for
example, exchanging recipes, production data or quality data:
● An S7-1500 CPU (PLC_1) as TLS client; the CPU uses Secure Open User
Communication
● An external device, for example a Manufacturing Execution System (MES), as TLS server
The S7-1500 CPU establishes the TLS connection / session to the MES system as TLS
client.
①
②
The S7-1500 CPU requires the CA certificates of the MES system to authenticate the TLS
server: The root certificate and, if appropriate, the intermediate certificates for verifying the
certificate path.
You have to import these certificates into the global certificate memory of the S7-1500 CPU.
Proceed as follows to import certificates of the communication partner:
1. Open the certificate manager in the global security settings in the project tree.
2. Select the appropriate table (trusted certificates and root certificate authorities) for the
certificate to be imported.
3. Right-click in the table to open the shortcut menu. Click "Import" and import the required
certificate or the required CA certificates.
Through the import the certificate has a certificate ID assigned to it and can be assigned
to a module in the next step.
4. Mark PLC_1 and navigate to the "Certificates of partner devices" table in the "Protection
& Security" section.
5. Click in an empty line in the "Certificate subject" column to add the imported certificates.
6. Select the required CA certificates of the communication partner from the drop-down list
and confirm the selection.
50
TLS client
TLS server
Function Manual, 11/2019, A5E03735815-AH
Communication