The Provisioning Certificate Pool Service provides interfaces to exchange Provisioning Certificates between OEMs and MOs. For this purpose, MOs send the PCID of a Provisioning Certificate issued by the OEM and receive the appropriate Provisioning Certificate and the corresponding certificate chain.
OEMs publish their Provisioning Certificates to the pool after generating them, e.g. once the vehicles have been manufactured. MOs request the OEMs' Provisioning Certificates from the pool by PCID.
The PCP communicates with the following actors and services:
- OEM
- Mobility Operator
- Contract Certificate Pool
- OCSP Responders of the Provisioning Certificate
- Root Certificate Pool
Data Access
The security requirements of ISO 15118 are enforced and only trustworthy MOs are granted access; the exact onboarding process is defined in the Hubject Certificate Policy. In addition, querying the pool must not disclose confidential OEM data such as the number of electric vehicles in the field: Provisioning Certificates cannot be listed, they can only be retrieved individually by PCID.
For every authorized MO, access is granted to all available Provisioning Certificates in the pool.
The OEM Provisioning Certificates of each OEM are stored in separate containers, and the access rules prevent any access to other OEMs' containers. Each OEM can manage (create/update/delete) only the Provisioning Certificates of its own company. To achieve this, the client credentials of each OEM are whitelisted for a list of World Manufacturer Identifier (WMI) codes (see ISO 3780).
API
The Provisioning Certificate Pool offers a REST API to request registered Provisioning Certificates.
Processes
The Provisioning Certificate Pool (PCP) is involved in multiple processes across the ecosystem. Only the processes in which the PCP is directly involved are described below.
Publish a Provisioning Certificate
With the production of a vehicle, the OEM must create a Provisioning Certificate for it. Each Provisioning Certificate must have a unique Provisioning Certificate Identifier (PCID). The OEM then publishes this Provisioning Certificate together with its certificate chain by sending it to the Provisioning Certificate Pool.
The PCID identifies the vehicle and must match the PCID format defined by ISO 15118. The Provisioning Certificate Pool authorizes the OEM client on the basis of this identifier: its WMI must be on the WMI list whitelisted for the client's credentials (see Data Access).
Publishing a Provisioning Certificate to the pool does not notify any MO. Trusted MOs can retrieve individual Provisioning Certificates only by requesting them by PCID. Therefore the vehicle owners must also receive the PCID of their vehicle, so that they can pass it to the MO when concluding a charging contract.
The required V2G root certificates shall be stored in the vehicle for the trusted communication with charging devices.
Before storing the Provisioning Certificate, the Provisioning Certificate Pool performs the following checks:
- Verifies the PCID's World Manufacturer Identifier (WMI) against the list of WMIs authorized for the OEM account.
- Verifies that the validity period (validUntil) of each certificate from leaf to root lies in the future (shell model: every certificate in the chain must be valid at the time of the check, not merely at the time it was used for signing).
- Verifies the revocation status of each delivered certificate (leaf and chain) with its OCSP responders.
- Verifies the trust chain up to the OEM root certificate.
The PCP responds with the error code of the first failing check and stops processing.
Update a Provisioning Certificate
In case an OEM needs to renew a Provisioning Certificate, it may do so by sending the updated certificate to the pool. The update overwrites the existing Provisioning Certificate with the same PCID.
An update of a Provisioning Certificate in the pool triggers an instant push notification to all MOs subscribed to the corresponding WMI if the key pair has changed.
Delete a Provisioning Certificate
In case the Provisioning Certificate under a PCID shall be removed from the ecosystem, the OEM may delete it from the pool (only its own Provisioning Certificates). This operation triggers the Contract Certificate Pool to delete all existing Contract Certificates linked to this Provisioning Certificate.
Request a Provisioning Certificate
Before creating the Contract Data package, the MO has to request the current Provisioning Certificate by the Provisioning Certificate ID from the pool.
LookUp a Vehicle
This method can be used by the MO to determine for a given PCID if a Provisioning Certificate is available in the PCP.
Data Cleansing
The stored OEM Provisioning Certificates are checked regularly by automated processes; expired and revoked certificates are removed from the pool as described below. The deletion of a Provisioning Certificate triggers the deletion of all connected Contract Certificates from the Contract Certificate Pool.
The Provisioning Certificate Pool monitors all contained certificates on a regular basis.
Process 1: Revocation check against the OEMs' OCSP responders.
- If the response is good or unknown, no change is necessary. If the unknown status repeats for three consecutive days, the system sends an email to Hubject Support to create an issue.
- If the response for an OEM Provisioning Certificate is revoked, the Provisioning Certificate Pool moves the OEM Provisioning Certificate together with its Sub-CA 1 and Sub-CA 2 certificates into the deactive container and retains them for one year; after one year they are deleted automatically.
- After the deletion of an OEM Provisioning Certificate, the Provisioning Certificate Pool searches for contracts linked to it. If any exist, it deletes all of them and sends the status to the MO subscribers.
- The Contract Certificate Pool informs the OEM backend about the revoked OEM Provisioning Certificate and the deleted contracts.
- If the OCSP responder of an OEM Provisioning Certificate is not available, the Provisioning Certificate Pool does not delete the OEM Provisioning Certificate; it is checked again the next day. This triggers an organizational process between Hubject and the party responsible for the OEM CA.
Process 2: Expiry check. If the time between now and a certificate's notAfter value is less than 2 years, an email is sent to Hubject staff.
Every day at 11:15 pm (CET) the validUntil (notAfter) attribute of each OEM Provisioning Certificate is checked:
- If less than 1 day remains, the Provisioning Certificate Pool moves the certificate into the deactive container and retains it for one year.
- After the deletion of the OEM Provisioning Certificate, the service searches for contracts linked to it and deletes all of them.
- The Provisioning Certificate Pool sends the status to the MO subscribers.
- The Contract Certificate Pool informs the OEM backend and sends the status.
If the OEM CA revokes a Sub-CA 1 or Sub-CA 2 certificate, the Provisioning Certificate Pool does not automatically delete all OEM Provisioning Certificates issued under it together with their contract data, because depending on the OEM's PKI tree structure this could wipe out all Provisioning Certificates and contracts of that OEM. For this case an organizational process must be defined between Hubject and the OEM.
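As an added example (this is not Hubject's code and not the PCP's actual implementation), the following shell script shows the publish-time checks described under Publish a Provisioning Certificate and the daily validUntil classification of Process 2, implemented with the openssl CLI against a constructed OEM PKI (OEM Root CA, Sub-CA 1, Sub-CA 2, Provisioning Certificate). Assumptions that are not taken from this page: the PCID is treated as 17 or 18 uppercase alphanumerics whose first three characters are the WMI (check the exact pattern against ISO 15118), the numeric error codes 2 to 5, the state names deactivate/alert/ok, the demo PKI layout and the constructed PCID. The OCSP step is implemented but skipped for the demo certificates because they carry no responder URL; a real pool must treat that as an error.

```shell
#!/usr/bin/env bash
# Added example, not Hubject code. Uses the openssl CLI to implement the four
# publish-time checks of addOEMProvCert (WMI, shell-model validity, OCSP, chain
# to the OEM root), stopping at the first failing step, and the daily validUntil
# classification of Process 2 (< 1 day, < 2 years). Runs against a constructed
# OEM PKI: Root CA -> Sub-CA 1 -> Sub-CA 2 -> leaf. Our assumptions, not the
# page's: PCID = 17 or 18 uppercase alphanumerics starting with the 3-char WMI;
# return codes 2..5; the state names.
# Issue $1/$2.pem (subject $4) signed by $1/$3.{pem,key}, extensions section
# $5, valid $6 days, serial $7. Called by pcp_make_demo_pki below.
pcp_sign() {
  openssl req -new -key "$1/$2.key" -subj "$4" -config "$1/pki.cnf" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -set_serial "$7" \
    -days "$6" -extfile "$1/pki.cnf" -extensions "$5" -out "$1/$2.pem" 2>/dev/null
}

# Throwaway OEM PKI in $1: leaf with PCID $2 as CN, a 1-day leaf for the expiry
# demo, and a self-signed "rogue" certificate that merely claims the same PCID.
pcp_make_demo_pki() {
  local d="$1" pcid="$2" n
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
EOF
  for n in root sub1 sub2 leaf short rogue; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"
  done
  openssl req -x509 -new -key "$d/root.key" -subj "/O=Example OEM/CN=OEM Root CA" \
    -days 3650 -config "$d/pki.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null
  pcp_sign "$d" sub1  root "/O=Example OEM/CN=OEM Sub-CA 1" ca   1825 2
  pcp_sign "$d" sub2  sub1 "/O=Example OEM/CN=OEM Sub-CA 2" ca   1825 3
  pcp_sign "$d" leaf  sub2 "/O=Example OEM/CN=$pcid"        leaf 365  4
  pcp_sign "$d" short sub2 "/O=Example OEM/CN=ZZ9SHORTLIVED00001" leaf 1 5
  openssl req -x509 -new -key "$d/rogue.key" -subj "/O=Not the OEM/CN=$pcid" \
    -days 365 -config "$d/pki.cnf" -extensions leaf -out "$d/rogue.pem" 2>/dev/null
}

# Step 1: PCID well-formed and its WMI (first 3 chars) on the account's allowlist $2.
pcp_check_wmi() {
  local w
  printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{17,18}$' || return 2
  for w in $2; do [ "$w" = "$(printf '%s' "$1" | cut -c1-3)" ] && return 0; done
  return 2
}

# Step 2: shell model - every certificate, leaf to root, must be unexpired now.
pcp_check_validity() {
  local c
  for c in "$@"; do openssl x509 -noout -checkend 0 -in "$c" >/dev/null || return 3; done
}

# Step 3: status from the OCSP responder named in the certificate (AIA). Needs
# the network; the demo certificates carry no URL, so it is skipped for them.
pcp_check_ocsp() {            # $1 cert, $2 its issuer, $3 trust root
  local url; url=$(openssl x509 -noout -ocsp_uri -in "$1")
  [ -n "$url" ] || return 0   # demo only: a real pool must reject, not skip
  openssl ocsp -issuer "$2" -cert "$1" -url "$url" -CAfile "$3" 2>/dev/null | grep -q "^$1: good" || return 4
}

# Step 4: leaf chains through the delivered Sub-CAs to the OEM root held by the
# pool. Match ": OK" because old openssl versions exit 0 even on failure.
pcp_check_chain() {           # $1 OEM root, $2 file holding the Sub-CA certs, $3 leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$' || return 5
}

# addOEMProvCert: $1 WMI allowlist, $2 OEM root, $3 leaf, $4.. Sub-CAs (issuer first).
# Returns 0, or the code of the first failing step, as the page describes.
pcp_add_oem_prov_cert() {
  local wmis="$1" root="$2" leaf="$3" pcid chain rc=0
  shift 3; chain=$(mktemp); cat /dev/null "$@" > "$chain"
  pcid=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$leaf" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if   ! pcp_check_wmi "$pcid" "$wmis";                then rc=2; echo "$pcid: WMI not authorised for this account"
  elif ! pcp_check_validity "$leaf" "$@" "$root";      then rc=3; echo "$pcid: expired certificate in chain"
  elif ! pcp_check_ocsp "$leaf" "${1:-$root}" "$root"; then rc=4; echo "$pcid: OCSP status not good"
  elif ! pcp_check_chain "$root" "$chain" "$leaf";     then rc=5; echo "$pcid: chain does not end at the OEM root"
  else echo "$pcid: accepted"; fi
  rm -f "$chain"; return $rc
}

# Process 2: classify a stored certificate by notAfter. "deactivate" = less than
# 1 day left (move to the deactive container), "alert" = less than 2 years (mail staff).
pcp_expiry_state() {
  if   ! openssl x509 -noout -checkend 86400 -in "$1" >/dev/null;                then echo deactivate
  elif ! openssl x509 -noout -checkend $((2 * 365 * 86400)) -in "$1" >/dev/null; then echo alert
  else echo ok; fi
}

WORK=$(mktemp -d); PCID=ZZ9DEMO00000000042   # constructed PCID; "ZZ9" plays the OEM's WMI
pcp_make_demo_pki "$WORK" "$PCID"
pcp_add_oem_prov_cert "ZZ9 ZZ8" "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/sub2.pem" "$WORK/sub1.pem" || echo "  -> code $?"
pcp_add_oem_prov_cert "ZZ7"     "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/sub2.pem" "$WORK/sub1.pem" || echo "  -> code $?"
pcp_add_oem_prov_cert "ZZ9"     "$WORK/root.pem" "$WORK/rogue.pem"                                  || echo "  -> code $?"
sleep 1   # lets the 1-day certificate cross the "less than 1 day left" line
for c in root leaf short; do echo "$c: $(pcp_expiry_state "$WORK/$c.pem")"; done
```

Run it with sh; it writes the demo PKI to a temporary directory and prints one line per attempt: the genuine certificate is accepted, the same certificate submitted under another OEM's account is rejected at the WMI step (code 2), and a self-signed certificate that merely claims the PCID passes the WMI and validity checks but is rejected at the chain step (code 5). The expiry classification relies on openssl's -checkend, which is also how the 1-day and 2-year thresholds would be implemented in a daily job; the shell-model point is that every certificate in the chain is compared against the current time, not against the time it was used for signing.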
PCP Interface Description
The interfaces of the Provisioning Certificate Pool are used to exchange Provisioning Certificates between the OEM and the MO. This service provides the following interfaces:
- addOEMProvCert
- deleteOEMProvCert
- getOEMProvCert
- lookupVehicle
Clients
The PCP communicates with the following actors and services.
- OEM
- Mobility Operator
- Contract Certificate Pool
- OCSP Responders of the Provisioning Certificates
- Root Certificate Pool