As a PKI provider, verifying the identity associated with the Common Name is a critical part of the certificate issuance process.
To ensure a smooth and secure certificate signing experience, we require that Common Names be registered in our certificate authority. This registration process is essential as it allows us to conduct thorough checks and validation, ensuring that certificates are only issued to the rightful owners. If a Common Name is not registered in our certificate authority, the request for signing a certificate may be denied, thus maintaining a robust security posture.
Getting ready
We adhere to ISO requirements, which dictate that different roles must have specific IDs attached to their Common Names. The first components of these IDs are attached to the credential used to access the endpoints, so it needs to be set beforehand:
- Mobility Operators (MO) are identified by their EMAID (e-Mobility Account Identifier). The first five characters of the Common Name represent the country code and provider ID and are attached to the credentials used to access the endpoints.
- Charge Point Operators (CPO) are distinguished by their EVSE/SECC ID (Electric Vehicle Supply Equipment/Supply Equipment Communication Controller). The first five characters of the Common Name represent the country code and operator ID. This is attached to the credential.
- Original Equipment Manufacturers (OEM) are identified by their PCID (Provisioning Certificate Identifier). The first three characters of the Common Name represent the WMI (World Manufacturer Identifier) of the manufacturer. It's attached to the credential.
Typically, during the initial onboarding process, the credentials are configured, incorporating the aforementioned components. However, it is crucial to keep us informed in the event of any changes or additions to the ProviderID, OperatorID, or WMI. This ensures that we can promptly update the used credentials and avoid potential blockages of certificate signing requests.
For Charge Point Operators (CPO) the initial step is to share all relevant operator IDs with the onboarding team. Once these Operator IDs are recorded from Hubject, the CPO may use the Registration Authority APIs to register their common names.
In the future, in the event of any newly added Operator IDs to the CPO network (i.e such as a subCPO), all new Operator IDs, their EVSE IDs, and relevant security information, such as the hardware used must be shared as soon as possible. This information must be sent to the Plug & Charge team via email at support@pnc.hubject.com. The common name registration may follow afterwards.
Our Registration Authority endpoints have been purposefully implemented to streamline the registration process. With these endpoints, users can easily register, verify, and manage their EVSE/SECC IDs. This user-friendly approach enhances the overall experience and simplifies certificate management, ensuring secure and efficient deployment for all stakeholders.
Access to the APIs is granted to the relevant endpoints with the daily environment bearer access token authorization.
By adhering to these rigorous identity verification processes and implementing user-friendly tools, we strive to maintain the highest standards of security and user satisfaction as a trusted PKI provider.
Interfaces
In total five interfaces are available for the process:
PutCpo
This endpoint allows registration of the common names at the Hubject PKI Gateway for a specific role by passing the common names in an array of string objects.
PUT Request at {{envURL}}/v1/vra/cpo/endEntities
Seven attributes are required in the body of the call:
{
"commonName": "string",
"manufacture": "string",
"deviceName": "string",
"deviceSWVersion": "string"
"evseSerialNumber": "string"
"evseID": array["string"]
"evseISOversion": "string"
"ocppVersion": "string"
"chargeBoxSerialNumber": "string"
}- commonName (Required): CommonName which needs to be registered. Please note that the following REGEX applies:
^(([a-zA-Z]{2}\-?[a-zA-z0-9]{3}\-?[S]\-?[a-zA-Z0-9]{32,59})\-?[0-9]?|([a-zA-Z]{2}\*?[a-zA-Z0-9]{3}\*?[E][a-zA-Z0-9*]{1,59}))$
- manufacture (Required): Manufacture of the EVSE or EVCC, e.g. Alpitronic, ABB, Tritium etc;
- deviceName (Required): Model of the EVSE or EVCC, e.g. for EVSE: HYC300;
- deviceSWVersion (Required): Version of the software install in the EVSE or EVCC;
evseSerialNumber (Required): Serial number of the EVSE.
- evseID (Required): Array of EVSEIDs;
- evseISOVersion: ISO version supported by the EVSE;
- ocppVersion (Required): OCPP version supported by the EVSE;
- chargeBoxSerialNumber: Serial number of the charge box;
With a successful response you will receive the following attributes:
Registration response Schema:
{
"commonName": "string",
"registeredDate": "string",
"userName": "string",
"ca": "string",
"stage": "string",
"manufacture": "string",
"deviceName": "string",
"deviceSWVersion": "string"
"evseSerialNumber": "string"
"evseID": array["string"]
"evseISOversion": "string"
"ocppVersion": "string"
"chargeBoxSerialNumber": "string"
}- commonName: commonName which was registered;
- registeredDate: date when the ID was registered;
- userName: Name of the credential responsible for the registration;
- ca: Relevant certificate authority for the role CPO, MO, OEM, CPS;
- stage: QA or PROD;
- manufacture: Given manufacture of the EVSE or EVCC;
- deviceName: Given Model of the EVSE or EVCC;
- deviceSWVersion: Given software version of the registered EVSE or EVCC;
evseSerialNumber (Required): Serial number of the registered EVSE.
- evseID: Array of registered EVSEIDs;
- evseISOVersion: ISO version supported by the registered EVSE;
- ocppVersion (Required): OCPP version supported by the registered EVSE;
- chargeBoxSerialNumber: Serial number of the registered EVSE's charge box ;
UpdateCpo
This endpoint allows update to the attributes of an existing registered common name. “commonName” is a required attribute in the update request body.
POST request at {{envURL}}/v1/vra/cpo/endEntities
Any relevant attributes may be updated in the request body, following the same schema as the PUT request. This request will overwrite all attributes of that specified common name, according to values posted via the request body of the UpdateCpo request.
GetAllCpoByUserName
This endpoint is used to list all common names and their information recorded in the Registration Authority.
GET request at {{envURL}}/v1/vra/cpo/endEntities
No parameter or body are required for this request, and as a response the user will receive an array of registered item following the registration response schema.
GetACpoByUserNamePages
This endpoint facilitates the retrieval of all Common Names and their associated information stored in the Registration Authority using a pagination format.
GET request at {{envURL}}//v1/vra/cpo/endEntities/offset={offset}/pageSize={pageSize}
By providing the following parameters as integers:
offset: specifying the desired page to be displayed;
pageSize: indicating the number of items per page;
the user will receive an array of items adhering to the registration response schema.
GetCpo
This endpoint is used to check if a specific common name is recorded in the Registration Authority.
GET request at {{envURL}}/v1/vra/cpo/endEntities/{commonName}
By passing the common name as a parameter, the user can check if the common name is registered and receive the registered information following the registration response schema.
DeleteCpo
This endpoint is used to delete a specific common name from the Registration Authority for a by passing the common names as a parameter.
DEL request at {{envURL}}/v1/vra/cpo/endEntities/{commonName}
Please note that if an existing common Name is deleted, no leaf certificates can be issued for it until the common name has been registered again (for example, if you need to issue a new certificate in the case of the existing certificate for that common name expiring).
Error Handling
Error Response Schema:
-
Properties:
- errorMessages Array(string): An array of error messages
- traceId (string, UUID format): A unique identifier for tracing the error.
Responses:
-
200: OK
- Schema: Registration response;
-
400: Bad Request
- Schema: Error;
- Description: Invalid request or parameters;
-
401: Unauthorised
- Schema: Error;
- Description: Invalid token was presented;
-
500: Internal Server Error
- An internal error occurred in the server.
The interface above mentioned can be found in the Postman collection available here.