Siemens SIMATIC ET 200AL System Manual page 1170

Distributed i/o system
Chain of certificates to root certificate
The certificates of a PKI are usually organized hierarchically. The top of the hierarchy is formed by root certificates: certificates that are not signed by a higher-level certificate authority, so that the certificate subject and the certificate issuer of a root certificate are identical (the certificate is self-signed). Root certificates are trusted unconditionally. They form the "anchor" of trust and must therefore already be known to the receiver as trusted certificates; they are stored in an area reserved for trusted certificates.
Depending on the PKI, root certificates are used, for example, to sign the certificates of lower-level certificate authorities, the so-called intermediate certificates. This transfers the trust from the root certificate to the intermediate certificate. An intermediate certificate can sign further certificates just like a root certificate; both are therefore referred to as "CA certificates". The hierarchy can continue over several intermediate certificates down to the end-entity certificate, which is the certificate of the user (a device or a person) that is to be identified.
Validation runs through the hierarchy in the opposite direction: As described above, the issuer of the end-entity certificate is determined and the certificate's signature is checked with the issuer's public key. The same is then done for the issuer's certificate, and so on along the entire chain of trust, until a root certificate from the trusted area is reached. If a link of the chain is missing on the validating device, or a signature does not verify, the end-entity certificate is rejected.
Conclusion: The chain of intermediate certificates up to the root certificate, the certificate path, must be available on every device that is to validate an end-entity certificate of its communication partner, irrespective of the type of secure communication that you configure.
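The validation walk described above, as an added example that is not part of the Siemens manual and has nothing to do with STEP 7 itself: a constructed three-level hierarchy (root, intermediate, end-entity; the names "Demo Root CA", "Demo Intermediate CA" and "plc.example.invalid" are invented) is issued with Go's standard crypto/x509 package, and WalkToRoot then performs exactly the steps of the text, determining the issuer of each certificate, checking the signature with the issuer's public key and stopping only at a self-signed certificate from the trusted set. The two failing calls in main show the point of the conclusion: without the intermediate certificate, or without the root in the trusted area, the end-entity certificate cannot be validated. VerifyWithStdlib cross-checks the result with the library's own path builder.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn. With parent == nil the certificate is
// self-signed, i.e. a root whose subject and issuer are identical.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CA certificates may sign further certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key // root: signed with its own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Chain is a constructed hierarchy: root -> intermediate -> end-entity (hypothetical names).
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

func BuildChain() (*Chain, error) {
	root, rootKey, err := issue(1, "Demo Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(2, "Demo Intermediate CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(3, "plc.example.invalid", false, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{root, inter, leaf}, nil
}

// issuerOf returns the certificate in pool whose subject equals cur's issuer and
// whose public key verifies cur's signature, or nil if there is none.
func issuerOf(cur *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, c := range pool {
		if bytes.Equal(c.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(c) == nil {
			return c
		}
	}
	return nil
}

// WalkToRoot validates leaf bottom-up: find the issuer, check the signature with the
// issuer's public key, repeat until a certificate from the trusted area is reached.
// trusted holds the root certificates, intermediates the CA certificates available
// on the validating device. It returns the common names along the certificate path.
func WalkToRoot(leaf *x509.Certificate, trusted, intermediates []*x509.Certificate) ([]string, error) {
	path := []string{leaf.Subject.CommonName}
	cur := leaf
	for depth := 0; depth < 8; depth++ {
		if root := issuerOf(cur, trusted); root != nil {
			if err := root.CheckSignatureFrom(root); err != nil { // anchor must be self-signed
				return path, err
			}
			return append(path, root.Subject.CommonName), nil
		}
		next := issuerOf(cur, intermediates)
		if next == nil {
			return path, fmt.Errorf("no issuer for %q available: certificate path incomplete", cur.Subject.CommonName)
		}
		path = append(path, next.Subject.CommonName)
		cur = next
	}
	return path, fmt.Errorf("certificate path too long")
}

// VerifyWithStdlib performs the same check with crypto/x509's path builder and
// returns the length of the validated chain.
func VerifyWithStdlib(leaf *x509.Certificate, trusted, intermediates []*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	rootSet := []*x509.Certificate{ch.Root}
	interSet := []*x509.Certificate{ch.Intermediate}
	fmt.Println(WalkToRoot(ch.Leaf, rootSet, interSet)) // complete path, no error
	fmt.Println(WalkToRoot(ch.Leaf, rootSet, nil))      // intermediate missing: error
	fmt.Println(WalkToRoot(ch.Leaf, nil, interSet))     // root not trusted: error
	fmt.Println(VerifyWithStdlib(ch.Leaf, rootSet, interSet))
}
```

Note that the trusted set is consulted first at every step, so a root is never accepted merely because it is self-signed: a self-signed certificate that is not in the trusted area ends the walk with an error, which is the behaviour the manual's "anchor" wording requires.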
3.6.1.4 Managing certificates with STEP 7
STEP 7 as of version V14, together with S7-1500 CPUs as of firmware version V2.0, supports the Internet PKI (RFC 5280) insofar as an S7-1500 CPU can communicate with devices that also support the Internet PKI. The use of X.509 certificates and the certificate validation described in the preceding sections, for example, follow from this.
Note, however, that STEP 7 as of V14 uses a PKI that is only similar to the Internet PKI: Certificate Revocation Lists (CRLs), for example, are not supported. Without CRLs, a certificate that has become untrustworthy cannot be declared invalid centrally; it has to be replaced, and the old certificate removed from the trusted certificates, on every device concerned.
Creating or assigning certificates
You create certificates for various applications in STEP 7 for devices with security properties, such as an S7-1500 CPU as of firmware V2.0.
The following areas in the Inspector window of the CPU allow new certificates to be created or existing ones to be selected:
• "Web server > Security": generation and assignment of Web server certificates.
• "Protection & Security > Connection mechanisms": generation or assignment of PLC communication certificates (Secure PG/HMI communication, as of TIA Portal V17).
• "Protection & Security > Certificate manager": generation and assignment of all types of certificates; when generating a certificate here, a TLS certificate for Secure Open User Communication is preset.
• "OPC UA > Server > Security": generation or assignment of OPC UA server certificates.
Communication
Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
49