OCPP Security
Security configuration and certificate management for OCPP communication.
Security Profiles
For secure communication between the Central System and the Charge Points, the OCPP manager supports the security profiles defined in the OCPP Security specification.
- Profile 1: Unsecured Transport with Basic Authentication
This profile does not include authentication for the Central System, or measures to set up a secure communication channel. Therefore, it should only be used in trusted networks, for instance in networks using a VPN between the Central System and the Charge Point.
The authentication of the Charge Point is done using HTTP Basic authentication. The username must be equal to the Charge Point identity (client id) and the password is a 20-byte key.
Example: Charge Point identity "AL1000" with authorization key 0001020304050607FFFFFFFFFFFFFFFFFFFFFFFF results in the HTTP authorization header:
Authorization: Basic QUwxMDAwOgABAgMEBQYH////////////////
- Profile 2: TLS with Basic Authentication
In the TLS with Basic Authentication profile, the communication channel is secured using Transport Layer Security (TLS). The Central System authenticates itself using a TLS server certificate. The Charge Points authenticate themselves using HTTP Basic Authentication.
For Charge Point authentication, HTTP Basic authentication is used. Because the channel is protected by TLS in this profile, the credentials are encrypted in transit, which reduces the risk of using this authentication method.
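Profiles 1 and 2 both authenticate the Charge Point with HTTP Basic Authentication. The following Python code is an added example and not code from the WinCC OA OCPP manager: it builds the header for the identity and key shown above and shows how a Central System can check an incoming header against the key it has stored for that identity. The function names are this example's own; the sample identity and key reproduce the page's example.

```python
"""Added example (not part of the WinCC OA OCPP manager): build and verify the
HTTP Basic Authorization header used by OCPP security profiles 1 and 2."""
import base64
import hmac

KEY_LEN = 20  # OCPP authorization keys are 20 bytes (40 hex characters)


def build_basic_auth(charge_point_id: str, key_hex: str) -> str:
    """Return the Authorization header value sent by a Charge Point.

    The key is configured as 40 hex characters but is sent as the raw
    20 bytes, not as the hex string; this is why the decoded token is
    not printable ASCII after the ':' separator.
    """
    key = bytes.fromhex(key_hex)
    if len(key) != KEY_LEN:
        raise ValueError(f"authorization key must be {KEY_LEN} bytes, got {len(key)}")
    if ":" in charge_point_id:
        # ':' separates user and password in Basic auth, so it cannot be in the identity.
        raise ValueError("charge point identity must not contain ':'")
    token = base64.b64encode(charge_point_id.encode("ascii") + b":" + key)
    return "Basic " + token.decode("ascii")


def verify_basic_auth(header: str, expected_id: str, expected_key_hex: str) -> bool:
    """Central System side: does `header` authenticate `expected_id`?

    Base64 is decoded with strict validation, so junk tokens are rejected
    instead of being silently accepted, and both the identity and the key
    are compared in constant time (hmac.compare_digest) so that response
    timing does not leak how many leading key bytes were correct.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return False
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    ident, sep, key = raw.partition(b":")  # first ':' only; key bytes may contain 0x3A
    if not sep:
        return False
    expected_key = bytes.fromhex(expected_key_hex)
    # Evaluate both comparisons (no short-circuit) and require both to match.
    return hmac.compare_digest(ident, expected_id.encode("ascii")) & hmac.compare_digest(key, expected_key)


if __name__ == "__main__":
    # Values from the page's example: identity "AL1000", 8 counting bytes followed by 12 x 0xFF.
    example_key = "0001020304050607" + "FF" * 12
    header = build_basic_auth("AL1000", example_key)
    print(header)
    print("accepted:", verify_basic_auth(header, "AL1000", example_key))
    print("wrong identity accepted:", verify_basic_auth(header, "AL1001", example_key))
```

In a real deployment the Central System looks the key up by the Charge Point identity taken from the connection, then calls verify_basic_auth with that stored key; on profile 1 the header travels in clear text, which is exactly why that profile is restricted to trusted networks above.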
- Profile 3: TLS with Client Side Certificates
In the TLS with Client Side Certificates profile, the communication channel is secured using Transport Layer Security (TLS). Both the Charge Point and Central System authenticate themselves using certificates.
The Central System authenticates the Charge Point via the TLS client certificate. The Charge Point authenticates the Central System via the TLS server certificate. The Central System validates the client certificate against the configured root certificate.
Certificate Management
Certificates are required when using a security profile with TLS (security profile >= 2).
The standard WinCC OA certificate panel can be used to create certificates for OCPP in the same way as when creating certificates for the standard WinCC OA web server, while optionally different certificate names can be used.
The certificates should be placed in the config directory of the project/subproject.
The config entries privateKey and publicKey specify the path to the certificate files relative to the config path.
By default, the OCPP WebSocket server uses the certificates of the web server.
Root Certificate Authority
For security profile 3, the Root Certificate Authority must be specified using the config entry rootCA.
This ensures that only clients with client certificates issued by that Root Certificate Authority can connect to the Central System.
Security Recommendations
- Use Security Profile 2 or 3 for production environments
- Replace default certificates with certificates from a proper certification authority
- Regularly update certificates before expiration
- Monitor security events and logs
- Use strong passwords for Basic Authentication (20-byte keys)
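The certificate and root CA requirements above follow directly from the chosen profile, so they can be checked before the manager is started. The following Python code is an added example, not part of the WinCC OA OCPP manager or its configuration format: it reads the settings from a plain dict and reports every rule from this page that is violated. The entries privateKey, publicKey and rootCA are the ones named on this page; securityProfile and trustedNetwork are keys constructed for this example, and the sample configurations are constructed as well.

```python
"""Added example (not WinCC OA code): pre-deployment check of OCPP security
settings against the rules on this page. Keys privateKey, publicKey and rootCA
are from the page; securityProfile and trustedNetwork are assumed for this
example, as is the dict-based configuration."""
from pathlib import Path
from typing import List, Optional


def check_security_config(cfg: dict, config_dir: Optional[Path] = None) -> List[str]:
    """Return a list of findings; an empty list means the configuration is acceptable.

    If config_dir is given, certificate paths (relative to the config
    directory, as the page states) are also checked for existence.
    """
    findings: List[str] = []
    profile = cfg.get("securityProfile")
    if profile not in (1, 2, 3):
        return [f"securityProfile must be 1, 2 or 3 (got {profile!r})"]

    # Profile 1: no Central System authentication and no encryption,
    # acceptable only inside a trusted network such as a VPN.
    if profile == 1 and not cfg.get("trustedNetwork", False):
        findings.append(
            "profile 1 sends Basic Authentication credentials in clear text; "
            "use it only inside a VPN/trusted network, or move to profile 2 or 3"
        )

    # Profiles 2 and 3 use TLS and therefore need a server certificate and key.
    if profile >= 2:
        for entry in ("privateKey", "publicKey"):
            path = cfg.get(entry)
            if not path:
                findings.append(f"{entry} must be set for security profile {profile}")
            elif config_dir is not None and not (config_dir / path).is_file():
                findings.append(f"{entry} points to a missing file: {config_dir / path}")

    # Profile 3 additionally needs the root CA used to validate client certificates.
    if profile == 3:
        root_ca = cfg.get("rootCA")
        if not root_ca:
            findings.append(
                "rootCA must be set for profile 3, otherwise Charge Point client "
                "certificates cannot be validated"
            )
        elif config_dir is not None and not (config_dir / root_ca).is_file():
            findings.append(f"rootCA points to a missing file: {config_dir / root_ca}")

    return findings


# Constructed sample configurations for this example (not real deployments).
WEAK_CONFIG = {"securityProfile": 1}  # clear text, and no statement that the network is trusted
HARDENED_CONFIG = {
    "securityProfile": 3,
    "privateKey": "ocpp_key.pem",      # placeholder file names, relative to the config directory
    "publicKey": "ocpp_cert.pem",
    "rootCA": "ocpp_root_ca.pem",
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_security_config(cfg)
        print(f"{name}: {'OK' if not result else result}")
```

Pass the project's config directory as config_dir to also catch a certificate that was renamed or never copied into place; the checks are deliberately limited to what this page specifies, so certificate expiry (the "update before expiration" recommendation) still needs a separate check against the certificate's validity dates.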
