Siemens SIMATIC ET 200AL System Manual page 1296

Distributed I/O system

Useful information: Certificate types
• Self-signed certificate:
Each device generates and signs its own certificate. Application examples: Static
configuration with a limited number of communication nodes.
No new certificates can be derived from a self-signed certificate. However, you need to
load all self-signed certificates from partner devices to the CPU (STOP required).
• CA certificate:
All certificates are generated and signed by a certificate authority. Application examples:
Dynamically growing plants.
You only need to download the certificate from the certificate authority to the CPU. The
certificate authority can generate new certificates (partner devices can be added without
CPU STOP).
Signing
The signature makes it possible to prove the integrity and source of a message as detailed
below.
Signing starts with the sender creating a hash value from the plain text (plain text message).
The sender then encrypts the hash value with its private key and subsequently transfers the
plain text together with the encrypted hash value to the recipient. To verify the signature, the
recipient needs the public key of the sender (this is contained in the X.509 certificate of the
sender). The recipient uses the sender's public key to decrypt the hash value received. The
recipient then forms the hash value themselves from the plain text received (the hash
algorithm is specified in the sender's certificate). The recipient compares the two hash values:
• If the two hash values are identical, the plain text message has reached the receiver
unchanged and has not been manipulated.
• If the two hash values do not match, the plain text message has not reached the receiver
unchanged. The plain text message has been manipulated or has been distorted during
transfer.
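
An added example, not part of the Siemens manual: the signing and verification steps above in Python, using RSA with SHA-256 and PKCS #1 v1.5 padding (an assumption; the manual names no algorithm). The two key pairs and the sample message are constructed, and the keys use publicly known Mersenne primes, so they are for illustration only.

```python
import hashlib

# ASN.1 DigestInfo prefix for SHA-256 (PKCS #1 v1.5, RFC 8017)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def make_key(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): public and private key built from two primes."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def encode(message: bytes, n: int) -> int:
    """Hash the plain text and pad the hash to the modulus length."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(message: bytes, private_key) -> int:
    """Sender: transform the padded hash with the private key."""
    n, d = private_key
    return pow(encode(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: recover the padded hash with the sender's public key,
    recompute it from the received plain text, and compare the two."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == encode(message, n)

# Constructed demo keys from known Mersenne primes: trivially factorable,
# never use them outside this illustration.
SENDER_PUB, SENDER_PRIV = make_key(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**127 - 1, 2**607 - 1)

MESSAGE = b"setpoint=42.0"  # constructed sample plain text

def demo():
    sig = sign(MESSAGE, SENDER_PRIV)
    return {
        "unchanged": verify(MESSAGE, sig, SENDER_PUB),
        "tampered": verify(b"setpoint=99.0", sig, SENDER_PUB),
        "wrong_signer": verify(MESSAGE, sign(MESSAGE, OTHER_PRIV), SENDER_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

The third case shows the "source" half of the guarantee: a signature that is valid under another key pair still fails against the public key taken from the expected sender's certificate.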
Encryption
Encrypting data prevents unauthorized parties from reading the content. X.509 certificates
are not encrypted; they are public and can be viewed by anyone.
Encryption involves the sender encrypting the plain text message with the public key of the
recipient. To do so, the sender requires the recipient's X.509 certificate, as it contains the
public key of the recipient. The recipient decrypts the message with their private key. Only
the recipient can decrypt the message: They alone hold the private key. The private key must
therefore never be disclosed.
Communication
Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
175
