A certificate consists of a public element and a private key.
The private key is installed on the PLC as part of the hardware download.
A master password can be set to protect further security-relevant changes such as the replacement of the certificate.
The public key of the certificate must be provided to all clients that need to connect to the PLC (such as the software loader sld).
This public key is used by the client during connection establishment (as sketched in the picture below) to check against the certificate received from the PLC.
The picture below shows a simple scenario in which SIMATIC AX Tools have the public part of the self-signed certificate (blue) of PLC_1 but not that of the certificate (green) of PLC_2, so they can automatically trust PLC_1 but not PLC_2.
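
The trust decision in this scenario can be modelled as exact-match certificate pinning. The following Python code is an added example, not SIMATIC AX code: the `TrustStore` class, the use of PLC names as keys, and the byte strings standing in for certificates are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


class TrustStore:
    """Public certificates handed to the client, one per PLC (hypothetical helper)."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def add_pem(self, plc_name: str, pem: str) -> None:
        # Only the public part is stored; the private key never leaves the PLC.
        self._pins[plc_name] = fingerprint(ssl.PEM_cert_to_DER_cert(pem))

    def check(self, plc_name: str, received_der: bytes) -> bool:
        """Compare the certificate received during connection setup with the pin."""
        pinned = self._pins.get(plc_name)
        if pinned is None:
            return False  # no public certificate was provided for this PLC
        return hmac.compare_digest(pinned, fingerprint(received_der))


# Constructed stand-ins for DER certificates (not real X.509 data). In a live
# client the received bytes would come from SSLSocket.getpeercert(binary_form=True).
PLC1_DER = b"constructed-sample-certificate-of-PLC_1"
PLC2_DER = b"constructed-sample-certificate-of-PLC_2"

store = TrustStore()
# The client was given only the public certificate of PLC_1 (blue in the picture).
store.add_pem("PLC_1", ssl.DER_cert_to_PEM_cert(PLC1_DER))

if __name__ == "__main__":
    print("PLC_1 trusted:", store.check("PLC_1", PLC1_DER))
    print("PLC_2 trusted:", store.check("PLC_2", PLC2_DER))
    # A different certificate presented under the name PLC_1 is also rejected,
    # for example after the certificate on the PLC has been replaced.
    print("PLC_1 with other cert:", store.check("PLC_1", PLC2_DER))
```
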