Communications services
3.6 Secure Communication
Communication
50 Function Manual, 12/2017, A5E03735815-AF
STEP 7 automatically loads the required CA certificates together with the hardware
configuration to the participating CPUs, so that the prerequisites for certificate
verification are in place on both CPUs. You therefore only have to generate the device
certificate for each CPU; STEP 7 does the rest.
1. Mark PLC_1 and activate the "Use global security settings for certificate manager" option
in the "Protection & Security" section.
2. Log in as a user in the project tree in the "Global security settings" section. For a new
project, the "Administrator" role is planned for the first login.
3. Return to PLC_1 in the "Protection & Security" section. Click in an empty line in the
"Certificate subject" column of the "Device certificates" table to add a new certificate.
4. In the drop-down list for selecting a certificate click the "Add" button.
The "Create Certificate" dialog opens.
5. Leave the default settings in this dialog. They are tailored to the usage of Secure Open
User Communication (usage: TLS).
Tip: Extend the default name of the certificate subject, which is the CPU name. If you
have to manage a large number of device certificates, keep the CPU name as part of the
subject and add further information so that the certificates can be told apart.
Example: PLC_1/TLS becomes PLC_1-SecOUC-Chassis17FactoryState.
6. Compile the configuration.
The device certificate and the CA certificate are part of the configuration.
7. Repeat the steps described above for PLC_2.
In the next step you have to create the user programs for the data exchange and load the
configurations together with the program.
Using self-signed certificates instead of CA certificates
When creating device certificates you can select the "Self-signed" option. Self-signed
certificates can be created without being logged in to the global security settings. This
procedure is not recommended, because the resulting certificates are not held in the global
certificate store and therefore cannot be assigned directly to a partner CPU.
As described above, choose the name of the certificate subject with care so that the right
certificate can be assigned to a device without any doubt.
Self-signed certificates cannot be verified with the CA certificates of the STEP 7 project.
To ensure that self-signed certificates can be verified, you have to add the self-signed
certificate of the communication partner to the list of trusted partner devices on each
CPU. For this you must have activated the "Use global security settings for certificate
manager" option and be logged in as a user in the global security settings.
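The following script is an added example and is neither part of this manual nor STEP 7 code. It rebuilds, with openssl on the command line, the two trust relationships described above (the procedure for CA-issued device certificates and the section on self-signed certificates), so that you can check why a certificate issued by the project CA is verifiable on the partner CPU with only the CA certificate, while a self-signed certificate has to be placed in the partner's trusted list itself. The "project CA", all file names, the working directory and the subject names are assumptions chosen for the illustration; openssl must be on PATH.

```shell
# Added example, not from the Siemens manual and not STEP 7 code: models the
# certificate trust model of Secure OUC with openssl. Assumed: openssl on PATH;
# all names below are illustrative.

WORK="${PKI_DIR:-$(mktemp -d)}"

# Project CA: the role the STEP 7 global security settings play when you are
# logged in and create a device certificate signed by the project CA.
make_project_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 365 -subj "/CN=STEP7-Project-CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# CA-issued device certificate: key and CSR for the CPU, signed by the project CA.
# $1 = file stem, $2 = certificate subject (CN)
make_device_cert() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Self-signed device certificate: the "Self-signed" option, no CA involved.
# $1 = file stem, $2 = certificate subject (CN)
make_selfsigned_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 365 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Verification as the TLS partner does it: 0 when CERT chains to a certificate
# in TRUST_FILE (the CA certificate, or an explicitly trusted partner certificate).
# $1 = trust file, $2 = certificate to verify
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Subject CN of a certificate, to check that the names are distinguishable.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}

demo() {
    make_project_ca
    make_device_cert plc1 "PLC_1-SecOUC-Chassis17FactoryState"
    make_device_cert plc2 "PLC_2-SecOUC-Chassis17FactoryState"
    # "PLC_2/TLS" is written without the slash here: "/" separates -subj fields.
    make_selfsigned_cert plc2-self "PLC_2-SelfSigned"

    echo "PLC_1 device certificate subject: $(cert_cn "$WORK/plc1.crt")"
    # 1. CA-issued: PLC_1 needs only the project CA certificate to verify PLC_2.
    if verify_cert "$WORK/ca.crt" "$WORK/plc2.crt"; then
        echo "CA-issued PLC_2 certificate: verified against the project CA"
    fi
    # 2. Self-signed: the project CA cannot verify it ...
    if ! verify_cert "$WORK/ca.crt" "$WORK/plc2-self.crt"; then
        echo "self-signed PLC_2 certificate: NOT verifiable against the project CA"
    fi
    # 3. ... unless that very certificate is in PLC_1's trusted partner list.
    if verify_cert "$WORK/plc2-self.crt" "$WORK/plc2-self.crt"; then
        echo "self-signed PLC_2 certificate: verified via the trusted partner list"
    fi
}

demo
```

The third check shows the cost of the self-signed route: trust is pinned to one certificate, so when a partner's self-signed certificate is renewed, the trusted partner list on every CPU that communicates with it has to be updated, whereas a renewed CA-issued certificate only has to chain to the project CA that the CPUs already hold.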