Siemens SIMATIC S7-1500 Function Manual page 55

Communications services
3.6 Secure Communication
Loading the Web server certificate
The server certificate generated by STEP 7 is then automatically also loaded to the CPU
when the hardware configuration is loaded.
● If you use the certificate manager in the global security settings, the certificate authority of
the project (CA certificate) signs the server certificate of the Web server: During loading
the CA certificate of the project is loaded as well automatically.
● If you do not use the certificate manager in the global security settings, STEP 7 generates
the server certificate as a self-signed certificate.
When you address the Web server of the CPU over the IP address of the CPU, a new server
certificate (end-entity certificate) must be generated and loaded with each change in the IP
address of an Ethernet interface of the CPU. This is necessary because the identity of the
CPU changes with the IP address – and the identity requires a signature in accordance with
the PKI rules.
You can avoid this problem by addressing the CPU with a domain name instead of its IP
address, for example "myconveyer-cpu.room13.myfactory.com". For this purpose, you have
to manage the domain names of the CPU via a DNS server.
Supplying a Web browser with a CA certificate of the Web server
In the Web browser the user who accesses the websites of the CPU through HTTPS should
install the CA certificate of the CPU. If no certificate is installed, a warning is output
recommending that you do not use the page. To view this page, you must explicitly "Add an
exception".
The user receives the valid root certificate for download from the "Intro" Web page of the
CPU Web server under "Download certificate".
STEP 7 offers a different possibility: Export the CA certificate of the project with the
certificate manager into the global security settings in STEP 7. Subsequently import the CA
certificate into the browser.
54
Function Manual, 11/2019, A5E03735815-AH
Communication