Device certificate enrollment

What Device Certificate Enrollment Is

Device certificate enrollment is the process of issuing and installing a unique digital certificate for a device (such as an EV charger) so it can authenticate securely to backend systems. After enrollment, the charger can prove its identity using public key infrastructure (PKI) and establish trusted connections, typically via mutual TLS (mTLS).

Why Device Certificate Enrollment Matters

Certificate enrollment is foundational for secure, scalable EV charging operations:
– Ensures each charger has a unique, non-shareable identity
– Prevents unauthorized devices from connecting to your CPMS
– Enables mTLS for encrypted, authenticated OCPP sessions
– Supports secure OTA firmware delivery and command execution
– Allows certificate rotation and revocation at scale when incidents happen
– Helps meet enterprise and tender requirements for cybersecurity

How Device Certificate Enrollment Works

Enrollment usually follows a lifecycle approach:

1) Key Generation

The device generates a private key (ideally inside secure hardware) and keeps it secret. The matching public key is used to request a certificate.
– Best practice: generate keys on-device and keep private keys non-exportable

2) Certificate Signing Request (CSR)

The device creates a CSR containing its public key and identity data (serial number, device ID, manufacturer fields). The CSR is sent to a certificate authority workflow for approval.

3) Certificate Issuance

A certificate authority (CA) signs the CSR and issues a device certificate. This certificate ties the public key to a validated device identity.

4) Certificate Installation

The device stores the issued certificate (and often the CA chain) and configures it for TLS connections to the backend.

5) Authentication and Validation

When the device connects, the backend validates:
– Certificate chain to the trusted CA
– Certificate validity period and policies
– Revocation status (if enforced)
– Mapping to a registered device record

Enrollment Models Common in EV Charging

Different rollouts use different enrollment models:

Factory enrollment
Certificates are provisioned during manufacturing, so chargers ship ready for secure onboarding.

Field enrollment (installer onboarding)
Installers commission the charger on-site; the charger enrolls and receives a certificate as part of first connection.

Just-in-time (JIT) enrollment
The first time the charger connects, it requests a certificate automatically under controlled rules (useful for scale, but needs strong safeguards).

Central gateway enrollment
A local controller handles certificate issuance and management for chargers behind a private network.

Certificate Lifecycle Management

Enrollment is only the start. Good systems also handle:
– Rotation / renewal before expiry
– Revocation if a device is compromised or stolen
– Device decommissioning when a charger is retired or resold
– Separate certificates per environment (test / staging / production)

Best Practices

– Use a unique certificate per charger (never shared identities)
– Store keys in secure elements / TPM when possible
– Automate enrollment and renewal to avoid manual errors
– Maintain an allow-list that maps certificates to known charger IDs
– Enforce strong TLS versions and cipher policies
– Keep audit logs for enrollment, renewal, and revocation events

Common Pitfalls

– Manual certificate handling with spreadsheets and email
– Shipping devices with the same certificate or default credentials
– No renewal process → chargers go offline when certs expire
– No revocation capability → compromised devices remain trusted
– Identity fields in certificates not aligned with backend device records
