The CPMS must be able to install ISO 15118 certificates (such as the EVSE Leaf Certificate and V2G-/ or MO-Roots) within charging points that are connected to the CPMS, respectively Charging-Network.
This process describes the signing of a CPO CSR with the Hubject CPO Sub 2 CA, which is performed (automatically) by the CPMS of the CPO and the delivery to the Charging Point.
The process is done in three steps:
- Charging point creates Certificate Signing Request (CSR), sends the CSR to the CPMS via OCPP 1.6/2.0 with Plug&Charge. CPMS forward the CSR to Hubject PKI Services via Enrollment over Secure Transport (EST)(simpleenroll). CPMS gets signed Certificate back and stores it.
- CPMS requests the Certificate Chain of the just enrolled EVSE Leaf Certificate via EST (CAcerts) and stores it together with the EVSE Leaf Certificate.
- CPMS installs the EVSE Leaf Certificate, including the Chain of the EVSE Leaf Certificate, within the charging point.
Since the PKI-Interfaces of the Open Plug&Charge Protocol (OPCP) are following the RFC 7030 specifications, the SimpleEntroll and caCerts interface deliver back a container to the requester (CPMS). However, the EVSE will expect a string containing PEM files. This means the CPMS must perform two independent requests and extract PEMs out of the containers and rearrange the single PEMs to the mentioned structure bellow:
EVSE/SECC Leaf Certificate
CPO SUB2 CA
CPO SUB1 CA
Step by Step explanation:
Perform caCerts call and obtain the container
Extract Sub1 CA out of the container and store it as PEM
Extract Sub2 CA out of the container and store it as PEM “on top” or “above” of the Sub1 CA
Perform simpleEnroll using the CSR received by the EVSE
Extract the leaf PEM out of the container
Store it as PEM “on top” or “above” the Sub2-/ and Sub1-CA stack.
Discard the container
Safe the string and make sure to double escape the line brakes inside the string.
You should now have a stack of three PEM certificates, beginning with the leaf followed by Sub2 CA and Sub1 CA, wrapped into a OCPP DataTransfer message.