Some chargers—most commonly from ABL, Autel or Alfen—fail to establish the initial connection to our backend. In many cases, the charger is missing required root or intermediate certificates (e.g., Amazon Root CA or Let’s Encrypt). Installing the correct certificates on the charger resolves the trust failure and allows a secure TLS connection.
Why certificates are needed
TLS handshake overview
Chargers communicate with the backend over HTTPS/WebSocket (TLS). During the TLS handshake, the backend presents a server certificate issued by a Certificate Authority (CA). The charger validates the chain from the server cert → intermediate(s) → trusted root in its local store.
If any part of this chain is unknown or expired on the device, the verification fails and the connection is refused. Time drift on the charger can also make a valid certificate appear “not yet valid” or “expired”.
Trust store anatomy
A typical trust store contains multiple root CAs and sometimes pinned intermediates. Vendors ship these stores with firmware; some allow manual import. Keeping the store current is essential because CAs rotate intermediates and deprecate roots.
Common symptoms
In logs
- “untrusted certificate”, “unknown CA”, “certificate verify failed”
- “x509: certificate signed by unknown authority”
- Timestamps suggesting clock skew (e.g., “not yet valid”)
On device / behavior
- OCPP WebSocket fails to open or drops after TLS handshake
- Connection works only after manual CA import
- Intermittent success correlated with device reboots or time sync
Solution
1) Check charger logs
Confirm the failure is certificate-related (look for “unknown CA”, “untrusted”, or generic TLS errors). If possible, enable verbose TLS logging temporarily.
2) Download required CA certificates
Download the current root and intermediate certificates relevant to your backend endpoint. Keep the certificate chain complete and in the correct order.
3) Install the certificates on the charger
- ABL: Import via the charger’s web UI or via SSH (refer to vendor manual). Place certificates into the trusted CA store.
- Alfen: Import via the management software or OCPP configuration workflow. Ensure the trust store is updated and saved.
- Other vendors: Follow the vendor documentation for updating the trusted CA bundle.
If mutual TLS is enabled, import the client certificate and private key in the designated keystore (separate from CA store).
4) Reboot / reload trust store
Restart the charger so the new trust store is loaded. Re-test the connection and verify that the OCPP WebSocket stays established.
Recommendations
Keep firmware current
Vendors refresh CA bundles via firmware updates. Upgrading often resolves cases where legacy roots were removed or new intermediates introduced.
Commissioning checklist
- Verify the device trust store includes the CA chain your backend serves.
- Confirm device time sync (NTP) and timezone settings.
- Document who/when/how to update CA bundles in the field.
Quick checklist (TL;DR)
- “untrusted certificate” in logs → missing/outdated CA on the charger
- Download Amazon Root CA and/or Let’s Encrypt certificates
- Import into trusted CA store → reboot → retest
FAQ
Why does it work after a firmware update?
The update likely refreshed the built-in CA bundle, adding the missing root/intermediate certificates.
Do I need client certificates?
In most deployments, only server-side verification is required (the charger verifies the backend). If your setup uses mutual TLS, install the client cert and private key per vendor documentation.
Which Let’s Encrypt certificates are needed?
Typically ISRG Root X1 plus the current intermediate that signs your backend’s server certificate. Always match the chain your backend presents.
Troubleshooting tips
Verify the live chain
Use an external TLS checker against your backend hostname to view the live certificate chain and expiration windows.
Inspect device trust store
If supported, export the current trust store list to confirm CA presence and versions. Remove stale or untrusted entries as advised by the vendor.
Check device time
Wrong system time breaks validation. Ensure NTP is enabled and reachable.
Proxy considerations
If a proxy is used, confirm it doesn’t intercept TLS or present an unexpected certificate (transparent TLS inspection will fail verification).
Security note
Only import certificates from trusted sources. Do not install private keys on the charger unless explicitly required for mutual TLS. Keep access to the charger’s management interface secured and audited.
Comments
0 comments
Please sign in to leave a comment.