Public Key Infrastructure (PKI) is a system of cryptographic keys, digital certificates, and trusted authorities that verify identities and enable secure, encrypted communications. PKI enables devices, servers, and users to authenticate each other using public/private key pairs and X.509 digital certificates, typically issued and managed by a Certificate Authority (CA).
Why PKI Matters in EV Charging
Modern EV charging relies on secure machine-to-machine communication and trusted identities across multiple parties.
– Enables secure charger-to-backend connections for OCPP over TLS
– Supports ISO 15118 security for Plug & Charge (PnC) and secure session setup
– Protects against impersonation, man-in-the-middle attacks, and unauthorized control of chargers
– Helps meet cybersecurity and governance expectations in critical infrastructure environments
– Enables scalable trust across roaming, CPO platforms, installers, and OEM service operations
Core PKI Components
PKI is built from a chain of trust and lifecycle management processes.
– Public/private key pair: private key stays protected; public key is shared via certificate
– Digital certificate (X.509): binds a public key to an identity (device, server, organization)
– Certificate Authority (CA): a trusted entity that issues and signs certificates
– Registration Authority (RA): verifies identity before certificate issuance (sometimes separate)
– Certificate chain: root CA → intermediate CA → end-entity certificate
– Revocation mechanisms: CRL (certificate revocation list) and/or OCSP to invalidate compromised certificates
How PKI Works in Practice
PKI enables secure connections by verifying identities before data is trusted.
– A device presents its certificate during a TLS handshake or protocol-specific authentication
– The counterparty validates the certificate chain up to a trusted CA
– If valid and not revoked, both sides establish encrypted communication
– Policies define certificate validity periods, renewal, and revocation rules
PKI in EV Charging: Key Use Cases
PKI is present across multiple layers of the charging ecosystem.
– OCPP security: chargers authenticate backend servers (and sometimes mutual authentication) using TLS certificates
– ISO 15118 Plug & Charge: the EV and EVSE use certificates to authenticate and authorize charging without cards or apps
– Firmware signing: verifies that firmware updates come from a trusted source and were not tampered with
– Backend services: API authentication between CPO systems, payment services, and roaming platforms
Certificate Lifecycle Management
PKI is only secure if certificates are managed end-to-end.
– Secure key generation and storage (often using secure elements or HSMs)
– Certificate provisioning during manufacturing or commissioning (factory provisioning/field provisioning)
– Regular renewal before expiration to avoid outages
– Revocation and replacement after compromise or device decommissioning
– Audit trails and role-based access for PKI operations
Operational Risks and Failure Modes
– Expired certificates are causing chargers to lose backend connectivity
– Weak private key protection enabling device impersonation
– Poor revocation processes leave compromised certificates active
– Misconfigured trust stores or certificate chains breaking interoperability
– Complex multi-party trust (OEM, CPO, roaming hub) without clear governance
Related Glossary Terms
– ISO 15118
– Plug & Charge (PnC)
– OCPP security profiles
– TLS encryption
– Certificate Authority (CA)
– Firmware signing
– Cybersecurity compliance
– Intrusion detection system (IDS)