The CPMS must be able to install ISO 15118 certificates (such as the EVSE Leaf Certificate and the V2G or MO Root certificates) in charging points that are connected to the CPMS or its charging network.
This process describes the signing of a CPO CSR with the Hubject CPO Sub 2 CA, which is performed (automatically) by the CPMS of the CPO, and the delivery of the resulting certificate to the charging point.
The process is done in three steps:
- The charging point creates a Certificate Signing Request (CSR) and sends it to the CPMS via OCPP 1.6/2.0 with Plug&Charge. The CPMS forwards the CSR to the Hubject PKI Services via Enrollment over Secure Transport (EST) (simpleenroll), gets the signed certificate back and stores it.
- The CPMS requests the certificate chain of the just enrolled EVSE Leaf Certificate via EST (caCerts) and stores it together with the EVSE Leaf Certificate.
- The CPMS installs the EVSE Leaf Certificate, including its chain, in the charging point.
Since the PKI interfaces of the Open Plug&Charge Protocol (OPCP) follow RFC 7030, the simpleenroll and caCerts interfaces return a certificate container to the requester (CPMS). The EVSE, however, expects a single string containing PEM certificates. The CPMS must therefore perform two independent requests, extract the PEMs from the containers and arrange the individual PEMs in the structure shown below:
- EVSE/SECC Leaf Certificate (top)
- CPO SUB2 CA
- CPO SUB1 CA (bottom)
Step by step explanation:
- Perform the caCerts call and obtain the container.
- Extract the Sub1 CA from the container and store it as PEM.
- Extract the Sub2 CA from the container and store it as PEM "on top" of (above) the Sub1 CA.
- Ignore the Root CA and discard the container.
- Perform simpleEnroll using the CSR received from the EVSE.
- Extract the leaf PEM from the container.
- Store it as PEM "on top" of (above) the Sub2 CA and Sub1 CA stack.
- Discard the container.
- Save the string and make sure to double escape the line breaks inside the string.
You should now have a stack of three PEM certificates, beginning with the leaf followed by the Sub2 CA and the Sub1 CA, wrapped into an OCPP DataTransfer message.
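The assembly step above, as an added example that is not Hubject's or any CPMS vendor's code: it takes certificates already parsed out of the two EST containers (here constructed stand-ins with placeholder PEM bodies), walks the issuer links from the leaf upward so the stack is correct even when caCerts returns the CAs in arbitrary order, drops the self-signed root, and wraps the result in a DataTransfer message whose `data` field is itself a JSON string, which is where the double-escaped line breaks come from. The vendorId and messageId values are assumptions based on the OCA Plug & Charge whitepaper for OCPP 1.6 and are not taken from this page.

```python
import json
from dataclasses import dataclass

# Constructed stand-ins for certificates parsed out of the EST PKCS#7 containers
# (caCerts and simpleenroll). In production, subject/issuer come from an X.509
# parser; the PEM bodies here are placeholders, not real certificates.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pem: str

def _fake_pem(label: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"

# Deliberately out of order: a caCerts response gives no ordering guarantee.
CACERTS = [
    Cert("CPO Sub1 CA", "V2G Root CA", _fake_pem("SUB1")),
    Cert("V2G Root CA", "V2G Root CA", _fake_pem("ROOT")),  # self-signed root, must be dropped
    Cert("CPO Sub2 CA", "CPO Sub1 CA", _fake_pem("SUB2")),
]
LEAF = Cert("EVSE Leaf", "CPO Sub2 CA", _fake_pem("LEAF"))

def build_evse_chain(leaf: Cert, ca_certs: list) -> str:
    """Return leaf + Sub2 + Sub1 PEMs by following issuer links upward,
    stopping before the self-signed root, which the EVSE must not receive."""
    by_subject = {c.subject: c for c in ca_certs}
    chain, current, seen = [leaf], leaf, {leaf.subject}
    while True:
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ValueError(f"issuer {current.issuer!r} not found in caCerts")
        if issuer.subject == issuer.issuer:  # reached the root: stop, do not include it
            break
        if issuer.subject in seen:  # malformed container with a cycle
            raise ValueError("issuer cycle in caCerts container")
        chain.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    return "".join(c.pem for c in chain)

def wrap_data_transfer(chain: str) -> str:
    """The inner JSON carries the chain; DataTransfer 'data' carries that JSON as a
    string, so every line break is escaped twice in the outgoing message."""
    inner = json.dumps({"certificateChain": chain})
    msg = [2, "msg-1", "DataTransfer", {
        "vendorId": "org.openchargealliance.iso15118pnc",  # assumed (OCA PnC whitepaper)
        "messageId": "CertificateSigned",                   # assumed (OCA PnC whitepaper)
        "data": inner,
    }]
    return json.dumps(msg)
```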