Communications services | 3.6 Secure Communication
Communication, Function Manual, 12/2017, A5E03735815-AF
Using Web server certificates for S7-1500 CPUs, FW V2.0 or higher
For S7-1500 CPUs with a firmware version before V2.0, you could set "Permit access
only with HTTPS" in the Web server properties without any further requirements
applying.
You did not have to handle certificates for these CPUs; the CPU automatically generated the
certificates required for the Web server.
For S7-1500 CPUs as of firmware V2.0, STEP 7 generates the server certificate (end-entity
certificate) for the CPU. You assign a server certificate to the Web server in the properties of
the CPU (Web server > Server security).
Because a server certificate name is always preset, there is no change to the easy
configuration of the Web server: You activate the Web server and activate the "Permit
access only with HTTPS" option - STEP 7 generates a server certificate with the default
name during compiling.
Irrespective of whether you use the certificate manager in the global security settings or not:
STEP 7 has all the information required to generate the server certificate.
In addition you have the possibility to determine the properties of the server certificate, for
example, the name or the validity period.
Loading the Web server certificate
The server certificate generated by STEP 7 is then automatically loaded to the CPU together
with the hardware configuration.
● If you use the certificate manager in the global security settings, the certificate authority of
the project (CA certificate) signs the server certificate of the Web server: During loading
the CA certificate of the project is loaded as well automatically.
● If you do not use the certificate manager in the global security settings, STEP 7 generates
the server certificate as a self-signed certificate.
When you address the Web server of the CPU over the IP address of the CPU, a new server
certificate (end-entity certificate) must be generated and loaded with each change in the IP
address of an Ethernet interface of the CPU. This is necessary because the identity of the
CPU changes with the IP address – and the identity requires a signature in accordance with
the PKI rules.
You can avoid this problem by addressing the CPU with a domain name instead of its IP
address, for example "myconveyer-cpu.room13.myfactory.com". For this purpose, you have
to manage the domain names of the CPU via a DNS server.
Supplying a Web browser with a CA certificate of the Web server
A user who accesses the websites of the CPU through HTTPS should install the CA
certificate of the CPU in the Web browser. If the certificate is not installed, the browser
outputs a warning recommending that you do not use the page. To view the page anyway, you
must explicitly "Add an exception".
The user receives the valid root certificate (Certification Authority) for download from the
"Intro" web page of the CPU Web server under "Download certificate".
STEP 7 offers a different possibility: Export the CA certificate of the project with the
certificate manager in the global security settings of STEP 7, then import the CA
certificate into the browser.
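The two checks a browser performs against the CPU's server certificate, as described in the sections above, are (1) that the identity in the certificate covers the address used to reach the CPU, which is why an IP-addressed CPU needs a new end-entity certificate after every IP change while a DNS-addressed one does not, and (2) that the certificate chains to a trusted CA, which is why the project CA certificate has to be installed in the browser. The following added example (not code from the Siemens manual or from STEP 7) reproduces both checks with the Python standard library on a constructed certificate in the dict format that `ssl.SSLSocket.getpeercert()` returns; the host name, IP addresses and CA name in it are assumptions.

```python
"""Added example, not part of the Siemens manual: identity and trust checks
that a browser applies to the CPU Web server certificate."""
import ipaddress
import ssl

# Constructed sample in getpeercert() format. Names and addresses are assumptions.
SAMPLE_CERT = {
    "subject": ((("commonName", "myconveyer-cpu.room13.myfactory.com"),),),
    "issuer": ((("commonName", "Example Project CA"),),),
    "subjectAltName": (
        ("DNS", "myconveyer-cpu.room13.myfactory.com"),
        ("IP Address", "192.168.0.10"),
    ),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}


def _dns_match(pattern, hostname):
    """RFC 6125-style name match: a single wildcard only in the left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*" inside a label, "*.com"-style patterns and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(cert, address):
    """True if `address` (DNS name or IP literal) is covered by the certificate's SAN.

    An IP literal matches only an 'IP Address' SAN entry; a host name matches only
    a 'DNS' entry. This is the check that fails after the CPU's IP address changes
    when clients address the CPU by IP, and still passes when they use a DNS name.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in sans:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry never matches
        return False
    return any(kind == "DNS" and _dns_match(value, address) for kind, value in sans)


def is_expired(cert, now):
    """True if the certificate's notAfter lies before `now` (seconds since epoch)."""
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now


def browser_context(ca_pem_path):
    """Build a client context that trusts only the given CA (e.g. the exported
    project CA certificate) and verifies host names, like a browser with the CA
    installed. `ca_pem_path` is a PEM file supplied by the caller."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_peer_cert(host, port, ca_pem_path):
    """Connect to the CPU Web server and return its certificate as a dict.
    Raises ssl.SSLCertVerificationError if the chain or the name does not verify."""
    import socket
    ctx = browser_context(ca_pem_path)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for addr in ("192.168.0.10", "192.168.0.11", "myconveyer-cpu.room13.myfactory.com"):
        print(addr, "->", "matches" if identity_matches(SAMPLE_CERT, addr) else "MISMATCH")
```

Run stand-alone, the script reports that the sample certificate matches the original IP and the DNS name but not a changed IP, which is the situation the manual describes for IP-addressed CPUs. `fetch_peer_cert` is the live-connection counterpart for a CPU whose project CA has been exported to a PEM file; it is not exercised offline.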