The Root Certificate Pool is used for communication between the Root Certificate Pool and the various Certificate Authorities of ISO 15118 participants (V2G, OEM, MO). The Root Certificate Pool provides root certificates for ISO 15118 participants. The stored root certificates are checked regularly with automated processes and expired, or revoked certificates are deleted. The storage of root certificates is executed manually by Hubject administrators.
Other systems of the Hubject PnC Ecosystem use this pool as the mutual trust store.
API
The root certificate pool offers a REST API to request registered root certificates.
Processes
The root certificate pool is involved in multiple processes across the ecosystem. In the following only direct processes are described.
Deliver Root Certificates
The delivery of root certificates of the OEM, V2G, MO, and possibly PE-CAs to the Hubject Root Certificate Pool is an organisational process, which can be proceeded by different methods, like signed email, SFTP, OFTP2 or similar methodologies. After approval the new root certificates are added to the root certificate pool by Hubject. Therefore the PUT interface of the pool is restricted for authorized administrative use only.
Request Root Certificates
All participants of the PKI may request root certificates published in the RCP. The connected systems may request the list of certificates on regular basis.
Data Cleansing
The Root Certificate Pool watches all contained root certificates on regular basis. If the time difference between the current time and the of the certificates NotAfter-value is < 2y, email will be sent to Hubject staff.
Additional Notes:
If the Root CA revokes a root certificate, Hubject does not delete all its certificates, and their contract data. This can cause deletion of all OEM provisioning certificates and contracts of an OEM. For this case, an organizational process must be defined between Hubject and the respective OEM.
Until the delivery of a new OEM root certificate, it will not be possible to send any new OEM provisioning certificate. Because the validation of the trust chain of OEM provisioning certificate cannot be proceeded.
RCP Interface Description
All stakeholders participating at the ecosystem can use these interfaces for receiving root certificates of other participants.
This service provides the following interfaces:
- getAllRootCertificates
- getRootCertificate (deprecated)
- publishRootCertificate (Admin)
Clients
The following client roles and systems access the RCP:
- Hubject PnC Ecosystem
- OEMs
- MOs
- CPOs
- PE-CA