Certificate Signed
Source: OCPP 1.6 Security Whitepaper Edition 2 (2020-03-31) — Use Cases A02 / A03 (Update Charge Point Certificate), Sections 5.1 / 5.2 (Messages)
Overview
CertificateSigned.req is sent by the Central System to the Charge Point to deliver a Charge Point client-side certificate that has been signed by a Certificate Authority. It is used in both certificate-update use cases:
- A02 — Update Charge Point Certificate by request of Central System: the CSMS triggers the CP via ExtendedTriggerMessage.req(SignChargePointCertificate), the CP replies with SignCertificate.req(csr), the CSMS forwards the CSR to the CA, and finally returns the signed certificate to the CP via CertificateSigned.req.
- A03 — Update Charge Point Certificate initiated by the Charge Point: the CP detects that its certificate is about to expire, sends SignCertificate.req on its own initiative, and the CSMS returns the signed certificate via CertificateSigned.req.
The Charge Point SHALL verify the signed certificate (validity period, certificate properties, CPO certificate hierarchy). If invalid, the certificate SHALL be discarded and an InvalidChargePointCertificate security event SHALL be triggered. If valid, the CP SHALL switch to the new certificate as soon as Not valid before is reached.
NOTE: CertificateSigned.req is for the Charge Point's own signed public certificate (returned from the CA). It is not for installing root/CA certificates — use InstallCertificate (M05) for that.
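A Charge Point-side sketch of the checks described above, added here as an example and not taken from the whitepaper or any OCPP implementation: it enforces the chain size limit, strict PEM framing and the validity period, then returns the CertificateSigned.conf payload, the security event to raise, and the time at which to switch certificates. Assumptions: `handle_certificate_signed` and the `verify_hierarchy` hook (signature and CPO hierarchy checks, to be backed by an X.509 library) are hypothetical names, the Charge Point's own certificate is taken to be the first block in the chain, and malformed or oversized chains are reported with the same security event as an invalid certificate.

```python
import base64, re
from datetime import datetime, timezone

MAX_CHAIN_SIZE = 10000  # upper bound of certificateChain in the field table
PEM = re.compile(r"-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")
REJECTED = ({"status": "Rejected"}, "InvalidChargePointCertificate", None)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _time(buf, pos):
    tag, start, end = _tlv(buf, pos)
    text = buf[start:end].decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280: YY >= 50 means 19YY
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc), end

def validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate
    tag, _, end = _tlv(der, pos)            # [0] version (optional) or serialNumber
    for _ in range(4 if tag == 0xA0 else 3):
        tag, start, end = _tlv(der, end)    # serialNumber, signature, issuer, validity
    not_before, pos = _time(der, start)
    return not_before, _time(der, pos)[0]

def handle_certificate_signed(payload, now, verify_hierarchy, max_chain_size=MAX_CHAIN_SIZE):
    """Return (conf_payload, security_event, activate_at) for a CertificateSigned.req."""
    chain = payload.get("certificateChain")
    if not isinstance(chain, str) or not 0 < len(chain) <= min(max_chain_size, MAX_CHAIN_SIZE):
        return REJECTED
    blocks = PEM.findall(chain)
    if not blocks or PEM.sub("", chain).strip():  # only certificate blocks allowed
        return REJECTED
    try:
        ders = [base64.b64decode("".join(b.split()), validate=True) for b in blocks]
        not_before, not_after = validity(ders[0])  # assumption: CP certificate comes first
    except (ValueError, IndexError):
        return REJECTED
    if not not_before < not_after or not_after <= now or not verify_hierarchy(ders):
        return REJECTED
    return {"status": "Accepted"}, None, max(not_before, now)  # switch once notBefore is reached
```

`now` must be a timezone-aware UTC datetime; a certificate whose notBefore lies in the future is accepted but only activated at that time.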
Sequence Diagram
Figures 5 / 6. Update Charge Point Certificate
Central System ──── CertificateSigned.req ────▶ Charge Point
(certificateChain)
Verify validity of signed certificate
Central System ◀─── CertificateSigned.conf ──── Charge Point
(status)
Initiator
Central System → Charge Point
Fields
CertificateSigned.req

| Field Name | Field Type | Card. | Description |
|---|---|---|---|
| certificateChain | string [0..10000] | 1..1 | Required. The signed PEM-encoded X.509 certificates. This can also contain the necessary sub-CA certificates. The maximum size of this field MAY be limited by the configuration key CertificateSignedMaxChainSize. |

CertificateSigned.conf

| Field Name | Field Type | Card. | Description |
|---|---|---|---|
| status | CertificateSignedStatusEnumType | 1..1 | Required. Returns whether certificate signing has been accepted, otherwise rejected. |

CertificateSignedStatusEnumType values
- Accepted — Signed certificate is valid.
- Rejected — Signed certificate is invalid.
Examples
CertificateSigned.req
{
  "certificateChain": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIE...\n-----END CERTIFICATE-----"
}
CertificateSigned.conf
{
  "status": "Accepted"
}
Related Configuration Keys
- CertificateSignedMaxChainSize — Maximum size of the certificateChain field (max 10,000).
- CpoName — Used by the CP in the CSR organizationName (O) RDN.
Schema
Source: schemas/CertificateSigned.json, schemas/CertificateSignedResponse.json (OCPP 1.6 Security Whitepaper, JSON Schema draft-06)