Sign Certificate
Source: OCPP 1.6 Security Whitepaper Edition 2 (2020-03-31) — Use Cases A02 / A03 (Update Charge Point Certificate), Sections 5.17 / 5.18 (Messages)
Overview
The Charge Point uses SignCertificate.req to request that the Certificate Authority sign its public key into a Charge Point certificate. The Charge Point sends the public key in the form of a Certificate Signing Request (CSR) as described in RFC 2986, PEM-encoded.
This message is sent in two situations:
- A02 — CSMS-driven: After the CSMS sends ExtendedTriggerMessage.req(SignChargePointCertificate), the CP generates a new key pair and replies with SignCertificate.req(csr).
- A03 — CP-driven: When the CP detects its certificate is about to expire (typically within one month), it spontaneously generates a new key pair and sends SignCertificate.req(csr) on its own initiative.
The Central System forwards the CSR to the Certificate Authority. The Central System SHALL respond with SignCertificate.conf(status = Accepted) when it can process the request, or Rejected otherwise. After signing, the certificate is delivered back to the CP via CertificateSigned.req.
Behavioural rules:
- The private key generated by the CP SHALL NOT leave the Charge Point at any time, and SHALL NOT be readable via OCPP or any other communication connection.
- The CP SHALL put the value of the CpoName configuration key in the organizationName (O) RDN of the CSR subject field.
- The CSMS SHOULD NOT sign the certificate itself, but instead forwards the CSR to a dedicated CA server.
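The following is an added example, not code from the whitepaper or from any OCPP implementation, showing both ends of the exchange described above in Go using only the standard library: the Charge Point side generates a fresh key pair, places CpoName in the O RDN of the CSR subject and PEM-encodes the CSR into the csr field; the Central System side performs the checks that decide between Accepted and Rejected before the CSR is handed to the CA server. The struct and function names, the choice of a P-256 key, the use of the charge point identity as CN, and the sample values "ExampleCPO" and "CP-0001" are this example's assumptions; the field names, the 5500-character bound and the O RDN rule come from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// Payload structs for SignCertificate.req / SignCertificate.conf. The JSON
// field names are from the whitepaper; the Go types are this example's own.
type SignCertificateReq struct {
	CSR string `json:"csr"`
}

type SignCertificateConf struct {
	Status string `json:"status"` // "Accepted" or "Rejected"
}

// Upper bound on the csr field from the field table: string [0..5500].
const MaxCSRLen = 5500

// BuildSignCertificateReq runs on the Charge Point. It generates a fresh
// P-256 key pair (key type is an assumption of this example), builds a CSR
// whose subject carries CpoName in the O RDN and the charge point identity
// in CN (CN choice is also an assumption), and PEM-encodes it into the
// request payload. The private key is returned only to the caller so that it
// stays on the CP; it never becomes part of the message.
func BuildSignCertificateReq(cpoName, chargePointID string) (*ecdsa.PrivateKey, SignCertificateReq, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, SignCertificateReq{}, err
	}
	tmpl := x509.CertificateRequest{
		Subject: pkix.Name{
			Organization: []string{cpoName}, // the CpoName configuration key value
			CommonName:   chargePointID,
		},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, SignCertificateReq{}, err
	}
	pemCSR := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return key, SignCertificateReq{CSR: string(pemCSR)}, nil
}

// HandleSignCertificateReq runs on the Central System. It decides whether the
// request can be processed (Accepted) or not (Rejected) before the CSR is
// forwarded to the CA server. Checks: payload shape, length bound, PEM block
// type, DER parse, the CSR self-signature (proof that the CP holds the private
// key for the public key it submitted), and that the O RDN carries the CPO
// name this CSMS serves. On success the parsed CSR is returned for forwarding.
func HandleSignCertificateReq(payload []byte, expectedCpoName string) (SignCertificateConf, *x509.CertificateRequest) {
	rejected := SignCertificateConf{Status: "Rejected"}
	var req SignCertificateReq
	if err := json.Unmarshal(payload, &req); err != nil {
		return rejected, nil
	}
	if req.CSR == "" || len(req.CSR) > MaxCSRLen {
		return rejected, nil
	}
	block, _ := pem.Decode([]byte(req.CSR))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return rejected, nil
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return rejected, nil
	}
	if err := csr.CheckSignature(); err != nil {
		return rejected, nil // altered in transit, or not signed by the key it carries
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != expectedCpoName {
		return rejected, nil // CpoName missing or wrong in the O RDN
	}
	return SignCertificateConf{Status: "Accepted"}, csr
}

func main() {
	// Constructed sample values for a stand-alone run.
	_, req, err := BuildSignCertificateReq("ExampleCPO", "CP-0001")
	if err != nil {
		panic(err)
	}
	payload, _ := json.Marshal(req)
	conf, csr := HandleSignCertificateReq(payload, "ExampleCPO")
	fmt.Println(conf.Status, csr.Subject.String())
}
```

The CSMS-side function deliberately returns Rejected for every failure rather than distinguishing causes on the wire, since SignCertificate.conf carries only the two GenericStatusEnumType values; the reason is something to log locally. The self-signature check matters because the CSR is the only evidence the CSMS has that the requester actually holds the private key, which the behavioural rules require to never leave the Charge Point.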
Sequence Diagram
Figures 5 / 6 (excerpt). Update Charge Point Certificate — CSR portion
Charge Point ──── SignCertificate.req ────▶ Central System ────▶ CA Server
(csr)
Charge Point ◀─── SignCertificate.conf ──── Central System
(status)
Initiator
Charge Point → Central System
Fields
SignCertificate.req
| Field Name | Field Type | Card. | Description |
|---|---|---|---|
| csr | string [0..5500] | 1..1 | Required. The Charge Point SHALL send the public key in form of a Certificate Signing Request (CSR) as described in RFC 2986 and then PEM-encoded. |
SignCertificate.conf
| Field Name | Field Type | Card. | Description |
|---|---|---|---|
| status | GenericStatusEnumType | 1..1 | Required. Specifies whether the Central System can process the request. |
GenericStatusEnumType values
- Accepted — Request has been accepted and will be executed.
- Rejected — Request has not been accepted and will not be executed.
Examples
SignCertificate.req
```json
{
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC...\n-----END CERTIFICATE REQUEST-----"
}
```
SignCertificate.conf
```json
{
  "status": "Accepted"
}
```
Related Configuration Keys
CpoName — CPO name to put in the organizationName (O) RDN of the CSR subject.
Schema
Source: schemas/SignCertificate.json, schemas/SignCertificateResponse.json (OCPP 1.6 Security Whitepaper, JSON Schema draft-06)