Communications services
3.6 Secure Communication
Communication
Function Manual, 11/2019, A5E03735815-AH
43
Chain of certificates to root certificate
The certificates of a PKI are often organized hierarchically: The top of the hierarchy is
formed by root certificates. Root certificates are certificates that are not signed by a higher-
level certificate authority. The certificate subject and certificate issuer of root certificates are
identical. Root certificates enjoy absolute trust. They form the "anchor" of trust and must
therefore be known to the receiver as trusted certificates. They are stored in an area
provided for trusted certificates.
Depending on the PKI, the function of root certificates is, for example, to sign certificates
from lower-level certificate authorities, so-called intermediate certificates. This transfers the
trust from the root certificate to the intermediate certificate. An intermediate certificate can
sign a certificate just like a root certificate; both are therefore referred to as "CA certificates".
This hierarchy can be continued over multiple intermediate certificates until the end-entity
certificate. The end-entity certificate is the certificate of the user who is to be identified.
The validation process runs through the hierarchy in the opposite direction: As described
above, the certificate issuer is established and the signature checked with the issuer's public
key, then the certificate of the higher-level certificate issuer is established along the entire
chain of trust to the root certificate.
Conclusion: The chain of intermediate certificates to the root certificate, the certificate path,
must be available in every device that is to validate an end-entity certificate of the
communication partner, irrespective of the type of secure communication that you configure.
3.6.4 Managing certificates with STEP 7
STEP 7 as of version V14 together with the S7-1500-CPUs as of firmware version 2.0
support the Internet PKI (RFC 5280) in as far as an S7-1500-CPU is able to communicate
with devices that also support the Internet PKI.
The usage of X.509 certificates for verifying certificates as described in the preceding
sections, for example, is a result of this.
STEP 7 as of V14 uses a PKI similar to Internet PKI. Certificate Revocation Lists (CRLs), for
example, are not supported.
To Next Page
Loading...
Need help?
General
