Provision ISO 15118 Plug & Charge certificates

Verified steps

1. Understand the ISO 15118 V2G PKI hierarchy: the V2G Root CA signs Sub-CA1 (operated by a trust anchor like Hubject or an OEM), Sub-CA2 signs the SECC leaf certificate (installed on the charge point), and the OEM Provisioning CA issues OEM Provisioning Certificates to vehicles during manufacturing.
2. As a CPO, obtain a SECC (Supply Equipment Communication Controller) leaf certificate from your chosen V2G Sub-CA2 provider via the EST interface: generate a CSR with the charge point's EVSE ID encoded in the SubjectAltName, then POST to the EST /simpleenroll endpoint to receive the signed certificate.
3. As a Mobility Operator (eMSP), obtain the vehicle's OEM Provisioning Certificate from the Provisioning Certificate Pool (PCP) — Hubject's OPCP or an equivalent — and use it to sign a Contract Certificate (also called an eMSP Certificate) that authorizes the EV for charging on your network.
4. Push the Contract Certificate and its certificate chain to the CSMS; the CSMS delivers it to the charge point via the OCPP 2.0.1 InstallCertificate / CertificateInstalled message flow so the charge point can provide it to the EV during the ISO 15118 TLS handshake.
5. Implement the ISO 15118-2 (or -20 for DC and AC with V2G) communication session on the charge point side: the EV presents its Contract Certificate during the TLS client authentication, the SECC verifies the certificate chain against the V2G Root CA, and the session proceeds without a separate RFID authorization step.
6. Monitor certificate expiry: SECC and Contract Certificates have defined validity periods; implement automated renewal workflows that generate new CSRs and submit to the Sub-CA before expiry to avoid service interruption.