The CCP stores the signed contract data of the MOs and provides it to the CPO and OEM backend. The CPO backend can request signed contract data in the form of certificateIntallationRequest, which is defined in ISO 15118-2:2014. It also provides signed contract data to the OEM backend.
By the CPS, the signed contract data will be stored in CCP and assigned to their respective PCID. In the CCP, it is possible to store multiple contracts for each vehicle.
The CCP keeps the contracts of each MO separate, the defined access rules prevent the MO to have access to a contract that is not theirs. Each MO can manage (create/update/delete) only contracts of their own company.
The Hubject administration creates a node for each MO after the confirmation of the provider ID by the issuing authority.
API
The Contract Certificate Pool offers a REST API to request registered Provisioning Certificates.
The contract certificate Pool has different methods for the different roles:
MO: The mobility Operator can add Contract Data by the CPS or by calling AddSignedContractData on CCP (this will only be used when the MO used the CreateSignedContractData on CPS). It can also delete a contract certificate from the pool by calling DeleteSignedContractData passing the EMAID as a parameter.
CPO: The CPO can receive the CertificateInstallationResponse by calling the method GetSignedContractData passing the CertificateInstallationRequest as a parameter.
OEM: The OEM can receive the CertificateInstallationResponse by calling the method ProvideSignedContract- Data passing the EMAID and PCID as a parameter.
The blue Dotted endpoint is part of the callback interface, see Hubject Webhook Service. The Consumer can also receive the contract certificate by calling two other methods:
LookupContract: where the consumer can check if the contract certificate is present on the pool and, it will also receive information about the contract (PCID, EMAID, Valid From and Valid To) and the certificate on .PEM format.
GetContracts: the consumer can receive at once all the contract certificates available on the pool for the PCID inserted on the parameters.
Data Cleansing
QA and Prod Stage
The Contract Certificate Pool proceeds the following batch processes:
- Every day at 11:30 pm (CET), controls the validity of contract certificates from OCSP responders of MOs.
-
-
- If response good or unknown, no change is necessary. If the unknown status repeated three consecutive days, the system sends an email to the Hubject Support to create an issue.
- If response of contract certificate is revoked, the Contract Certificate Pool moves the contract certificate into the unactive container and stores it for 1 year long. After 1 year it will be deleted automatically.
-
- After the deletion of the contract certificate, the CCP sends the status to MO subscriber.
- The CCP informs OEM backend about revoked contract.
-
-
- Controls every day at 11:45 pm (CET), validUntil attribute of each contract certificate.
-
- If it is <1 day, the CCP moves moves contract into the unactive container and stores for 1 years.
-
- The Contract Certificate Pool sends status to MO subscribers.
- The Contract Certificate Pool informs OEM backend and sends status.
- The Contract Certificate Pool sends status to MO subscribers.
-
- If it is <1 day, the CCP moves moves contract into the unactive container and stores for 1 years.
-
If the MO CA revokes a MO sub CA 1 or sub CA2 certificate, the Provisioning Certificate Pool does not delete all its contracts. This can cause deletion of all contracts of a MO, depending on PKI tree structure of MO. For this case, an organisational process must be defined between Hubject and the MO.
CCP Interface Description
The interfaces of the Contract Certificate Pool (CCP) are used to request the provisioning of Contract Data. It accepts Contract Data signed by a CPS. Optionally the data can be forwarded to the CCP directly by the CPS.
This service provides the following interfaces:
- addSignedContractData
- deleteSignedContractData
- getSignedContractData
- provideSignedContractData
- lookupContract
- getContracts
Clients:
The CCP communicates with the following actors and services.
- The Mobility Operator calls the CCP API actively to send Signed Contract Data.
- The Contract Provisioning Service forwards Signed Contract Data to the Pool.
- The OEM and CPO both send CertificateInstallationRequests to receive CertificateInstallationResponses.
- OCSP Responders of the Contract Certificates
- Root Certificate Pool.