Install Certificate
Source: OCPP 1.6 Security Whitepaper Edition 2 (2020-03-31) — Use Case M05 (Install CA certificate in a Charge Point), Sections 5.11 / 5.12 (Messages)
Overview
The Central System uses InstallCertificate.req to install a new root/CA certificate (Central System Root or Manufacturer Root) into the Charge Point's trust store. This is not for installing the Charge Point's own client-side certificate — for that, see CertificateSigned.
Multiple certificates of the same type may be installed, except when AdditionalRootCertificateCheck is true: in that case only one CentralSystemRootCertificate (plus a temporary fallback) may be present at a time, and the new root MUST be signed by the old one it replaces.
Status semantics:
- Accepted — Installation succeeded.
- Failed — The certificate is valid and correct, but installation failed for another reason.
- Rejected — The certificate is invalid/incorrect, or the maximum number of certificates (CertificateStoreMaxLength) has been reached.
When AdditionalRootCertificateCheck is true and the new Central System root is signed by the old one, the CP installs the new root and keeps the old root as a fallback. After successfully reconnecting using the new root, the fallback is removed. If the new server certificate cannot be verified using the new root, the CP falls back to the old root.
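One way a Charge Point could apply these rules when handling InstallCertificate.req, added here as an example (it is not code from the whitepaper or from any OCPP implementation). `TrustStore`, `pem_to_der` and the `signed_by` and `persist` callbacks are hypothetical names; the actual X.509 signature verification is delegated to `signed_by`, and the fallback root is assumed not to count against CertificateStoreMaxLength.

```python
import base64, binascii, re

USES = ("CentralSystemRootCertificate", "ManufacturerRootCertificate")
PEM = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """Return the DER bytes, or None when framing, base64 or the outer tag is wrong."""
    m = PEM.fullmatch(pem.strip())
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True) if m else b""
    except binascii.Error:
        return None
    return der if der[:1] == b"\x30" else None  # a DER certificate is a SEQUENCE

class TrustStore:
    def __init__(self, max_length, additional_check, signed_by, persist=lambda use, der: None):
        self.max_length = max_length              # CertificateStoreMaxLength
        self.additional_check = additional_check  # AdditionalRootCertificateCheck
        self.signed_by = signed_by  # assumed callback: X.509 check that new is signed by old
        self.persist = persist      # assumed callback: write to storage, raises OSError
        self.roots = {use: [] for use in USES}
        self.fallback = None        # old Central System root kept during a rollover

    def install(self, req):  # takes the .req payload, returns the .conf payload
        use, pem = req.get("certificateType"), req.get("certificate")
        ok = use in USES and isinstance(pem, str) and len(pem) <= 5500
        der = pem_to_der(pem) if ok else None
        if der is None:
            return {"status": "Rejected"}  # invalid or incorrect certificate
        current = self.roots[use]
        rollover = self.additional_check and use == USES[0] and bool(current)
        full = sum(map(len, self.roots.values())) >= self.max_length
        # Assumption: a rollover replaces the root, so the store limit is not re-checked.
        if (rollover and not self.signed_by(der, current[0])) or (not rollover and full):
            return {"status": "Rejected"}  # not signed by the old root, or store is full
        try:
            self.persist(use, der)
        except OSError:
            return {"status": "Failed"}    # certificate was fine, installation was not
        if rollover:
            self.fallback, self.roots[use] = current[0], [der]
        else:
            current.append(der)
        return {"status": "Accepted"}

    def reconnected_with_new_root(self):
        self.fallback = None  # new root verified the server certificate: drop the fallback

    def central_system_roots(self):  # roots to try, in order, for the server certificate
        return self.roots[USES[0]] + ([self.fallback] if self.fallback else [])
```

Until `reconnected_with_new_root()` is called, `central_system_roots()` still returns the old root after the new one, which is what lets the Charge Point fall back if the new root cannot verify the server certificate.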
Sequence Diagram
Figure 10. Install CA certificate in a Charge Point
Central System ──── InstallCertificate.req ────▶ Charge Point
(certificateType, certificate)
Central System ◀─── InstallCertificate.conf ──── Charge Point
(status)
Initiator
Central System → Charge Point
Fields
InstallCertificate.req

| Field Name | Field Type | Card. | Description |
|---|---|---|---|
| certificateType | CertificateUseEnumType | 1..1 | Required. Indicates the certificate type that is sent. |
| certificate | string [0..5500] | 1..1 | Required. A PEM-encoded X.509 certificate. |

InstallCertificate.conf

| Field Name | Field Type | Card. | Description |
|---|---|---|---|
| status | CertificateStatusEnumType | 1..1 | Required. Charge Point indicates if installation was successful. |
CertificateUseEnumType values
- CentralSystemRootCertificate — Root certificate, used by the CA to sign Central System and Charge Point certificates.
- ManufacturerRootCertificate — Root certificate for verification of the Manufacturer certificate.
CertificateStatusEnumType values
- Accepted — The installation of the certificate succeeded.
- Failed — The certificate is valid and correct, but there is another reason the installation did not succeed.
- Rejected — The certificate is invalid and/or incorrect, OR the CPO tries to install more certificates than allowed.
Examples
InstallCertificate.req:

```json
{
  "certificateType": "CentralSystemRootCertificate",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIE...\n-----END CERTIFICATE-----"
}
```

InstallCertificate.conf:

```json
{
  "status": "Accepted"
}
```

Related Configuration Keys
- AdditionalRootCertificateCheck — When true, only one CentralSystemRootCertificate (plus fallback) is allowed; new roots must be signed by the old one.
- CertificateStoreMaxLength — Maximum number of root/CA certificates installable.
Schema
Source: schemas/InstallCertificate.json, schemas/InstallCertificateResponse.json (OCPP 1.6 Security Whitepaper, JSON Schema draft-06)