Handling of the Client Certificates of the S7-1500 CPU - Siemens SIMATIC ET 200AL System Manual

OPC UA communication
9.4 Using the S7-1500 CPU as an OPC UA client
9.4.9.2 Handling of the client certificates of the S7-1500 CPU

Where does the client certificate come from?

If you are using the OPC UA client of an S7-1500 CPU (OPC UA client enabled), you can create certificates for these clients with STEP 7 V15.1 and higher as described in the following sections.

When you use UA clients from manufacturers or the OPC Foundation, a client certificate is generated automatically during installation or upon the first program call. You have to import these certificates with the global certificate manager in STEP 7 and use them for the respective CPU.

If you program an OPC UA client yourself, you can generate certificates through the program. Alternatively, you can generate certificates with tools, for example with OpenSSL or the certificate generator of the OPC Foundation:

• The procedure for OpenSSL is described here: "Generating PKI key pairs and certificates yourself (Page 179)".
• Working with the certificate generator of the OPC Foundation is described here: "Creating self-signed certificates (Page 178)".

Certificate of the OPC UA client of the S7-1500 CPU

A secure connection between the OPC UA server and an OPC UA client is only established if the server classifies the certificate of the client as trusted. Therefore you have to make the client certificate known to the server.

The following sections describe how you can initially generate a certificate for the OPC UA client of the S7-1500 CPU and then make it available to the server.

1. Generate and export a certificate for the client

For a secure connection you have to generate a client certificate and - if the server and client are located in different projects - export the certificate.

If client and server are in the same project, exporting the client certificate and subsequent import are not necessary.

Requirements

The IP interface of the CPU is configured, an IP address is available.

Background: The IP address under which the CPU can be accessed in your system is entered under "Subject Alternative Name (SAN)".

Creating an OPC UA Client certificate

The easiest way to generate a client certificate for an S7-1500 CPU is to configure a client interface.

The configuration of the client interface provides for the selection or generation of a client certificate, see Creating and configuring connections (Page 339).
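
The following is an added example, not taken from the manual or from Siemens tooling: a pre-import check that an exported client certificate lists the CPU's IP address in the SAN, is not about to expire, and has a SHA-256 fingerprint you can compare out-of-band before adding it to the server's trusted certificates. It assumes OpenSSL 1.1.1 or later and a certificate in PEM format; the function names, file names, IP addresses, application URI and the 30-day threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import check of an exported OPC UA client certificate.
# File names, IP addresses and the application URI are constructed values.

# make_sample_cert DIR IP: create a constructed self-signed certificate that
# stands in for the client certificate exported from the engineering project.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/client.key" -out "$1/client.pem" \
        -subj "/CN=Constructed OPC UA client" \
        -addext "subjectAltName=URI:urn:example:plc1:opcua-client,IP:$2" \
        2>/dev/null
}

# san_has_ip CERT IP: succeed only if IP is an exact SAN entry.
# Whole-line, fixed-string matching keeps 192.168.0.1 from matching 192.168.0.10.
san_has_ip() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fqx "IP Address:$2"
}

# still_valid CERT SECONDS: succeed if the certificate is still valid in SECONDS.
still_valid() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# fingerprint CERT: print the SHA-256 fingerprint for out-of-band comparison.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_client_cert CERT IP: run all checks; return 1 (SAN) or 2 (expiry) on failure.
check_client_cert() {
    san_has_ip "$1" "$2" || { echo "SAN does not list $2" >&2; return 1; }
    still_valid "$1" 2592000 || { echo "expires within 30 days" >&2; return 2; }
    echo "OK sha256=$(fingerprint "$1")"
}

# Demo on the constructed certificate.
tmp=$(mktemp -d)
make_sample_cert "$tmp" 192.168.0.1
check_client_cert "$tmp/client.pem" 192.168.0.1
check_client_cert "$tmp/client.pem" 192.168.0.10 || echo "rejected as expected"
rm -rf "$tmp"
```

Run the check against the exported file on the engineering station and compare the printed fingerprint with the one shown for the certificate on the server side before trusting it.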
344
Function Manual, 05/2021, A5E03735815-AJ
Communication
