TC_078_CS — Invalid CentralSystemCertificate Security Event
Source: OCPP 1.6 — Compliancy Testing Tool — Test Case Document (Trial 2025-06, Draft). System Under Test: Charge Point, page 101.
Identification
| Field | Value |
|---|---|
| Test case name | Invalid CentralSystemCertificate Security Event |
| Test case Id | TC_078_CS |
| System under test | Charge Point |
Description
The Charge Point notifies the Central System of an invalid certificate.
Purpose
To check whether the Charge Point is able to register a security event and to notify the Central System about it.
Prerequisite(s)
The Charge Point supports Security profile 2 and/or 3.
Before (Preparations)
Configuration State(s):
- AllowCSMSTLSWildcards is false (If implemented)
Memory State(s):
- N/a
Reusable State(s):
- N/a
Scenario Detail(s)
| Charge Point (SUT) | Central System (Tool) |
|---|---|
| 1. The Central System aborts the connection with the Charge Point. | |
| 2. The Charge Point initiates a TLS handshake and sends a Client Hello to the Central System. | 3. The Central System responds with a Server Hello with a <Configured valid server certificate>. Note: The Central System will use this as an indication of the time it takes the Charge Point to reconnect. |
| 4. The Central System aborts the connection with the Charge Point. | |
| 5. The Charge Point initiates a TLS handshake and sends a Client Hello to the Central System. | 6. The Central System responds with a Server Hello with a <Generated invalid server certificate>. |
| 7. The Charge Point deems the server certificate invalid and terminates the connection. | |
| Note: The Central System will wait two times the measured reconnection time from step 3 before switching the server certificate back to the valid server certificate. The reason for this is that the Central System is not always able to detect a failed connection attempt. | |
| 8. The Charge Point initiates a TLS handshake and sends a Client Hello to the Central System. | 9. The Central System responds with a Server Hello with a <Configured valid server certificate>. Note: The Central System will accept the connection to prevent doubling of the RetryBackOffWaitMinimum. |
| 10. The Charge Point sends a SecurityEventNotification.req | 11. The Central System responds with a SecurityEventNotification.conf |
| Note(s): The Central System will loop through steps 4 to 11 for a set of generated invalid certificates: "Expired", "Future validity date", "Not signed by installed Central System Root certificate", "CommonName that does not equal the FQDN of the server", "CommonName containing a wildcard hostname matching the FQDN". | |
Tool validation(s)
Charge Point side:
Step 10:
(Message: SecurityEventNotification.req) The type is InvalidCentralSystemCertificate
Central System side:
- N/a
Expected result(s) / behaviour
Charge Point side:
- N/a
Central System side:
- N/a
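The Charge Point behaviour exercised in steps 5 to 10, as an added Python example that is not part of the test case document or of any Charge Point firmware: each of the five invalid-certificate classes is rejected, and the event is queued because the connection it would travel over has just been terminated. `ServerCert`, `rejection_reason`, `handle_handshake`, the `pending` queue and the `techInfo` reason strings are hypothetical names; the certificate is assumed to be already parsed, with `chain_ok` standing in for the TLS library's signature-chain check against the installed Central System Root certificate.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ServerCert:
    """Already-parsed fields of the certificate received in the Server Hello."""
    common_name: str
    not_before: datetime
    not_after: datetime
    chain_ok: bool  # assumption: chain verified against the installed root by the TLS library


def rejection_reason(cert, fqdn, now, allow_wildcards=False):
    """Return None if the certificate is acceptable, otherwise a short reason."""
    if not cert.chain_ok:
        return "not signed by installed Central System Root certificate"
    if now < cert.not_before:
        return "future validity date"
    if now > cert.not_after:
        return "expired"
    cn, host = cert.common_name.lower(), fqdn.lower()
    if cn == host:
        return None
    # A wildcard covers exactly one leftmost label of the server FQDN.
    wildcard = cn.startswith("*.") and "." in host and host.split(".", 1)[1] == cn[2:]
    if wildcard:
        return None if allow_wildcards else "wildcard CommonName, AllowCSMSTLSWildcards is false"
    return "CommonName does not equal server FQDN"


def security_event(reason, now):
    """Build the OCPP-J CALL frame carrying SecurityEventNotification.req."""
    payload = {
        "type": "InvalidCentralSystemCertificate",
        "timestamp": now.strftime("%Y-%m-%dT%H:%M:%SZ"),  # now must be in UTC
        "techInfo": reason[:255],
    }
    return [2, str(uuid.uuid4()), "SecurityEventNotification", payload]


def handle_handshake(cert, fqdn, now, pending, allow_wildcards=False):
    """True: keep the connection. False: terminate it (step 7) and queue the event."""
    reason = rejection_reason(cert, fqdn, now, allow_wildcards)
    if reason is None:
        return True
    pending.append(security_event(reason, now))  # sent after the next valid reconnect (step 10)
    return False
```

After the reconnect in steps 8 and 9 succeeds, the queued frames are sent and the tool checks in step 10 that `type` is `InvalidCentralSystemCertificate`.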