TC_086_CSMS — TLS - server-side certificate - Valid certificate

Source: OCPP 1.6 — Compliancy Testing Tool — Test Case Document (Trial 2025-06, Draft). System Under Test: Central System, page 194.

Identification

Field	Value
Test case name	TLS - server-side certificate - Valid certificate
Test case Id	TC_086_CSMS
System under test	Central System

The Central System uses a server-side certificate to identify itself to the Charge Point, when using security profile 2 or 3.

To verify whether the Central System is able to provide a valid server certificate and setup a secured WebSocket connection.

The Central System supports security profile 2 and/or 3.

Configuration State(s):

Memory State(s):

Reusable State(s):

Charge Point side:

Step 2:

The OCTT validates the following before finishing the TLS handshake:

The Central System must use TLS version 1.2 or above At least the following set of cipher suites must be supported: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 AND TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 AND TLS_RSA_WITH_AES_128_GCM_SHA256 AND TLS_RSA_WITH_AES_256_GCM_SHA384
When using RSA or DSA the key must be at least 2048 bits long. and when using elliptic curve cryptography the key must be at least 224 bits long.
The received server side certificate must be transmitted in the X.509 format encoded in Privacy-Enhanced Mail (PEM) format.
The certificate must include a serial number.
The subject field of the certificate must contain a commonName RDN which consists of the FQDN of the endpoint of the server. NOTE: If one of the above validations fails, the OCTT can still proceed with the next steps of the testcase (if it is able to), but the testcase will FAIL and the OCTT reports why it failed. Post scenario validations: N/a

Central System side:

Charge Point side:

Central System side: