Siemens SIMATIC ET 200AL System Manual page 1174

Therefore the CA certificates required to verify the transmitted device certificate must be
located in the certificate memory of the respective communication partner.
Note
The current date/time must be set in the CPU.
When using secure communication (for example, HTTPS, secure OUC, OPC UA), make sure
that the corresponding modules have the current time of day and the current date.
Otherwise, the modules will evaluate the certificates used as invalid and secure
communication will not work.
Secure Open User Communication between two S7-1500 CPUs
Two S7-1500-CPUs, PLC_1 and PLC_2, are to exchange data with each other via Secure Open
User Communication.
You generate the required device certificates with STEP 7 and assign them to the CPUs as
described below.
STEP 7 project certificate authorities (CA of the project) are used to sign the device
certificates.
The certificates are to be referenced by their certificate ID in the user program (TCON
communication instruction in combination with the associated system data type, for example
TCON_IPV4_SEC). STEP 7 assigns the certificate ID automatically during the generation or
creation of certificates.
Procedure
STEP 7 automatically loads the required CA certificates together with the hardware
configuration to the participating CPUs so that the requirements for certificate verification
exist for both CPUs. You therefore only have to generate the device certificates for the
respective CPU; STEP 7 does the rest for you.
1. Mark PLC_1 and activate the "Use global security settings for certificate manager" option in
the "Protection & Security" section.
2. Log in as a user in the project tree in the "Global security settings" section. For a new project,
the "Administrator" role is planned for the first login.
3. Return to the PLC-1 in the "Protection & Security" section. Click in an empty line in the
"Certificate subject" column in the "Device certificates" table to add a new certificate.
Communication
Function Manual, 05/2021, A5E03735815-AJ
Communications services
3.6 Secure Communication
53