Siemens SIMATIC ET 200AL System Manual page 1314

Distributed I/O system
Request of a valid server certificate
The OPC UA server of the CPU receives a valid server certificate in the following steps:
1. A certificate manager (OPC UA client) calls the "CreateSigningRequest" method to request a server certificate with a Certificate Signing Request (CSR).
2. This CSR must be signed by a Certificate Authority (CA).
3. The signed CSR must then be transferred back to the OPC UA server on the CPU as a server certificate.
The OPC UA server of the CPU makes this method available if the client has the required function right "Manage certificates".
The "CreateSigningRequest" method allows for the following variants:
• Certificate update without creating a new key pair (internal CPU keys that are already available are used)
• Certificate update with creation of a new key pair (CPU-internal)
There is also the possibility to generate certificates with externally created key pairs.
NOTICE
Recommended procedure to generate certificates
Transport of private keys should be avoided; a private key should not leave a device.
We therefore recommend the generation of a certificate without creating a new key pair or with the creation of a key pair inside the CPU.
Create certificate without key pair
• The "CreateSigningRequest" method returns a Certificate Signing Request (CSR), that is, a file (*.csr) with specific information on the server, for example, application name and URL.
• Outside of the CPU, this CSR must be validated and signed by a Certificate Authority (CA) and returned as a server certificate.
• The server certificate must then be transferred ("pushed") to the CPU using the "UpdateCertificate" method.
The key does not leave the CPU in this scenario.
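As an added example (not code from the Siemens manual), the CA-side step of this procedure with the openssl CLI: validating the *.csr that "CreateSigningRequest" returned before signing it, and producing the server certificate that is later pushed with "UpdateCertificate". The demo CA, the demo CSR and all file names are constructed stand-ins; in the real flow only the CSR leaves the CPU, never its private key.

```shell
#!/bin/sh
# Added example, not from the Siemens manual: CA-side handling of a CPU CSR
# (CreateSigningRequest -> CA signs -> UpdateCertificate) using the openssl CLI.
# All file names, the demo CA and the demo CSR are constructed stand-ins.
set -eu
WORK=$(mktemp -d)
# Constructed CA. In production this is the plant PKI, not a throwaway key.
make_demo_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Demo OPC UA CA" -days 365 -out "$WORK/ca.crt" 2>/dev/null
}
# Constructed stand-in for the *.csr that CreateSigningRequest returns: it carries
# the application URI and host name in the SAN. Only this CSR leaves the CPU; the
# key pair stays inside it (here the demo key is merely a local file).
make_demo_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/cpu-demo.key" \
        -subj "/CN=cpu-demo" -out "$WORK/cpu.csr" \
        -addext "subjectAltName=URI:urn:example:opcua:cpu-demo,DNS:cpu-demo" 2>/dev/null
}
# sign_cpu_csr CSR OUT: refuse a CSR whose self-signature is bad or that lacks the
# OPC UA application URI in its SAN, then issue a server certificate that keeps the
# SAN and gets the key usages an OPC UA application instance certificate needs.
sign_cpu_csr() {
    csr=$1; out=$2
    openssl req -in "$csr" -verify -noout >/dev/null 2>&1 || { echo "CSR signature invalid" >&2; return 1; }
    san=$(openssl req -in "$csr" -noout -text | awk '/Subject Alternative Name/{getline; print; exit}' | tr -d ' ')
    case "$san" in *URI:*) ;; *) echo "CSR has no application URI in SAN" >&2; return 1 ;; esac
    cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=$san
EOF
    openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/server.ext" -out "$out" 2>/dev/null
}
# verify_issued CERT: chains to the demo CA and still carries the URI SAN.
verify_issued() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -text | grep -q 'URI:'
}
main() {
    make_demo_ca; make_demo_csr
    sign_cpu_csr "$WORK/cpu.csr" "$WORK/cpu-server.crt"
    verify_issued "$WORK/cpu-server.crt" && echo "server certificate ready to push: $WORK/cpu-server.crt"
}
main
```

The issued file is what the certificate manager hands to "UpdateCertificate"; a CSR that fails either check is rejected before anything is signed.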
Communication
Function Manual, 05/2021, A5E03735815-AJ
OPC UA communication
9.2 Security at OPC UA
193