To secure data exchange with a partner, different applications and communication functions of the CPU use device certificates that are managed specific to the application. In the case of the device certificate for the web server, this involves a web server certificate.
Managing certificates via TIA Portal
Creating and assigning a Web server certificate
Operation of the Web server using the secure transfer protocol "HTTPS" requires a valid Web server certificate.
For SIMATIC S7 1500 CPUs with firmware V2.0 and higher, you have to create the Web server certificate of the CPU yourself using STEP 7 and assign it to the Web server in the properties of the CPU. This certificate is also downloaded to the CPU automatically when the hardware configuration is downloaded.
Note
If you update the firmware of a SIMATIC S7 1500 CPU or ET 200SP CPU with a firmware version < V2.0 to a firmware version ≥ V2.0, a valid Web server certificate is automatically generated and used. The same applies to the replacement parts scenario in which a newer CPU replaces a CPU with firmware version < V2.0.
If you update or replace an already configured CPU, a valid Web server certificate is automatically generated and used for CPUs with a firmware version ≤ V1.8.
You can create different Web server certificates:
·If you use the global security settings for the certificate manager, the certification authority of the project (CA certificate) signs the device certificate of the Web server. During loading, the CA certificate of the project is automatically loaded as well.
·If you do not use the certificate manager in the global security settings, STEP 7 generates the device certificate as a self-signed certificate.
NOTICE
Utilizing the full functionality of the Web server
A valid CA-signed Web server certificate in the CPU is a requirement for the following functions:
· User management with password-protected users
· Saving and downloading diagnostic information in csv files
· Backup and restore of security-related functions such as the configuration of the CPU
To use the full functionality of the Web server, we therefore recommend you activate the global security settings of the certificate manager, create a CA-signed Web server certificate and assign it to the CPU.
Creating a self-signed Web server certificate
To create a self-signed Web server certificate with TIA Portal, follow these steps:
1. In the Inspector window Properties of the CPU, "General" tab, navigate to the "Web server > Security" area.
2. Click the "Add" button in the drop-down list to select a certificate. The "Create a new certificate" dialog opens.
3. Select the "Self-signed" check box in the follow-up dialog.
4. Enter the parameters for the new certificate or confirm the default settings.
o Select "Web server" in the "Usage" box.
o Enter the IP address(es) of the interface(s) or the domain name of the configured CPU in the "Subject Alternative Name" field.
5. Click "OK" to confirm.
6. Compile and load the configuration into the CPU. The device certificate of the Web server is a component of the configuration.
Creating and assigning a CA-signed Web server certificate
To create a CA-signed Web server certificate with TIA Portal, follow these steps:
1. Protect your project with the security settings "Protect this project".
The "Security functions" appear in the project tree.
2. In the "General" tab of the Properties of the CPU Inspector window, navigate to the "Protection & Security > Certificate Manager" area and select the "Use global security settings for certificate manager" option.
Note
For managing certificates with the global security settings, you require the "Configure security" configuration permission.
3. Log in as a user in the project tree in the "Security settings" section. The "Administrator" role is the default for the first logon for a new project.
4. In the Inspector window Properties of the CPU, "General" tab, navigate to the "Web server > Security" area.
5. Click the "Add" button in the drop-down list to select a certificate. The "Create certificate" dialog opens.
6. In the follow-up dialog, select the "Signed by certificate authority" check box and select the certificate authority from the drop-down list.
7. Enter the parameters for the new certificate or confirm the default settings.
o Select "Web server" in the "Usage" box.
o Enter the IP address(es) of the interface(s) or the domain name of the configured CPU in the "Subject Alternative Name" field.
8. Click "OK" to confirm.
9. Compile and load the configuration in the CPU. The device certificate of the Web server and the CA certificate are components of the configuration.
NOTICE
Addressing the Web server of the CPU via domain names
If you enter the IP address(es) of the interface(s) of the configured CPU in the "Subject Alternative Name" field, the generated certificate may not be accepted by all Internet browsers. In addition, you must generate and load a new Web server certificate (end entity certificate) with each change of the IP address of an Ethernet interface of the CPU, since the identity of the CPU changes with the IP address.
You can avoid this problem by addressing the Web server of the CPU using domain names instead of IP address(es), e.g. "myconveyer-cpu.room13.myfactory.com". For this purpose, you have to manage the domain names of your CPU via a DNS server. Addressing via domain names is recommended especially for a configuration with reception of the IP address from a DHCP server, as in this case the assigned IP address is not known beforehand.
More information
For detailed information on local self-signed and global CA-signed certificates, on the "Public Key Infrastructure" (PKI) and on certificate management, refer to the Communications Function Manual and to the STEP 7 online help, keyword "Secure Communication".
The application example "The use of certificates with the TIA Portal" includes detailed instructions on how to create a secure connection to the Web server of a SIMATIC S7-1500 CPU.
Managing certificates in runtime
If you manage certificates via the TIA Portal, load a certificate together with the hardware configuration into the CPU. To do this, the CPU must be in STOP mode. You cannot load a new certificate or renew an existing certificate without a RUN-STOP-RUN transition.
If you manage certificates at runtime of the CPU, loading or updating a certificate is also possible in RUN mode.
Managing the web server certificate during the CPU runtime
As of firmware version V3.0, it is also possible to transfer web server certificates to the CPU during runtime via the GDS server using OPC UA methods. The GDS server is part of the OPC UA server in the CPU. Through GDS push management functions, you can automatically update OPC UA certificates for the OPC UA server of the S7-1500 CPU.
You can find detailed information about the concept of automated certificate management with GDS (Global Discovery Services) in the Communication Function Manual.
Setting the type of certificate management
In the "Protection & Security" > "Certificate manager" category on the "General" tab of the "Properties" Inspector window, select how you want to handle certificates.
Configuration of the certificate manager
If you want to submit certificates via GDS at runtime, click the option "Use certificates provided by the certificate management during runtime".
By selecting the "Enable system diagnostics event for certificate expiration" button, you specify that you want to be notified when a certificate expires. In the input field "Show event at remaining certificate validity period of:" enter a percent value. At the time this value is reached, the CPU triggers a system alarm with a maintenance request.
Example: The certificate transferred via GDS on 01/06/2022 has a validity from 01/06/2022 to 30/06/2022 (30 days). You have input a percent value of 10 for the diagnostics event. On 27/06/2022, after 90% of the validity period has expired, the system diagnostics alarm reports that the transmitted certificate will expire on 30/06/2022.
Regardless of the configured percentage value, a message appears in any case when the validity period of a certificate expires.
Note
Time settings in the CPU
In order for the CPU to detect the expiration of a certificate, you must set the system time to Coordinated Universal Time (UTC). An incorrect system time can lead to incorrect messages regarding the expiration of certificates.
In the lower area of the "Certificate manager" category in the table, you can find a list of all CPU applications with certificates you may transfer to the CPU at runtime. In the list, the CPU applications are assigned an ID. Under the "Folder for certificate repository at runtime" column, you can find the changeable name of the certificate group.
Handling of existing certificates during loading
Before you load a project into the CPU, you may determine in the "Load preview" dialog window what should happen with the certificates of the CPU received at runtime.
As of firmware version V3.0, you can use the "Delete selected" option to delete certificates of selected CPU applications.
Deleting certificates
留言