ISO 15118-2 PnC: TLS, X.509 Credential Chaining and Crypto Service Integration
ISO 15118-2 Plug & Charge (PnC) completes automatic authentication between electric vehicles and charging piles through TLS and X.509 certificate chains. This article summarizes the cryptography service integration (CryptoService), the certificate chain structure, and the OEM Provisioning / Contract Certificate process of PnC in KopherBit EVCC.
Summary
With ISO 15118-2 Plug & Charge (PnC), an electric vehicle completes authentication and billing identification through TLS and an X.509 certificate chain, without an RFID card or mobile app. At its core are two certificate chains: the OEM Provisioning Certificate Chain (built into the vehicle when it leaves the factory) and the Contract Certificate Chain (bound to a Mobility Operator), issued by the OEM Sub-CA and the V2G Root CA respectively. KopherBit EVCC provides PnC's cryptography service (CryptoService) in KopherSAR / KopherV2G, covering credential chain verification, ECDSA signing, the TLS handshake and OCSP revocation checking.
Technical Role
PnC is the core application process of the security layer in ISO 15118-2 and depends on:
- TLS 1.2 / 1.3: Establishes an encrypted channel between the vehicle and the charging pile and mutually verifies the credentials of both parties.
- OEM Provisioning Certificate: Issued by the OEM PKI when the vehicle leaves the factory, as proof of vehicle identity.
- Contract Certificate: Issued after the user signs a contract with the Mobility Operator, as the billing identification certificate; it can be installed at the charging pile through the CertificateInstallation service.
- V2G Root CA: Industry-shared root of trust, defined by the V2G PKI system.
- OCSP/CRL: Credential revocation checking at runtime.
The CryptoService module on the EVCC side is responsible for all cryptographic operations: certificate chain verification, ECDSA signature and verification, TLS handshake call, PKCS#10 CSR generation, OEM certificate parsing, etc.
Architecture
| Subsystem | Role |
|---|---|
| TLS Stack | Handles TLS 1.2/1.3 handshake, Cipher Suite negotiation, mutual authentication. |
| X.509 Parser | Parse OEM Provisioning, Contract, Sub-CA, Root CA certificate chains. |
| ECDSA Engine | Signing and verification of curves corresponding to V2G specifications such as secp256r1 / secp384r1. |
| OEM Trust Store | Built-in OEM CA and V2G Root CA public keys as trust anchors. |
| Contract Certificate Manager | Manage the installation, update, and withdrawal status of Contract Certificate. |
| OCSP Client | Query the issuing CA for Contract Certificate revocation status. |
| Secure Storage | Private key protection (binding to an HSM, such as the TC387QP built-in HSM, is recommended). |
| Crypto Service Configuration | Corresponds to the Crypto / Csm / KeyM module configuration in KopherSAR and is integrated into the SWC process. |
Key Capabilities
- TLS 1.2 / 1.3 mutual authentication, compliant with ISO 15118-2 mandatory requirements for PnC.
- Full V2G credential chain verification (Leaf → Sub-CA → Root).
- ECDSA secp256r1 / secp384r1 signature and verification, corresponding to the V2G specification requirement curve.
- Contract Certificate installation, update, revocation check (CertificateInstallation / CertificateUpdate).
- Integrated with KopherSAR Crypto Service Manager (Csm) to use hardware acceleration (TC387QP HSM).
- Private keys can be stored in the Infineon TC387QP HSM to avoid exposure to the main Flash.
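The chain verification, ECDSA signing and PKCS#10 CSR generation listed above, shown end to end as an added example that is not KopherBit's or KopherSAR's own code. It uses only the Go standard library and constructs its own three-tier chain (a Root CA, a Sub-CA and a contract leaf, all on secp256r1); the certificate names, serial numbers, validity periods and the VIN in the CSR are assumed sample values, not anything from a real V2G PKI. The trust store holds only the root, so the Sub-CA must be supplied as an intermediate, exactly as the charging pile would present it:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier V2G-style chain: Root CA -> Sub-CA -> Contract leaf.
type Chain struct {
	Root, SubCA, Leaf *x509.Certificate
	LeafKey           *ecdsa.PrivateKey
}

var year = 365 * 24 * time.Hour

// template returns a certificate template with the usages a CA or an end entity needs.
func template(cn string, serial int64, isCA bool, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // assumed sample serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// The contract certificate authenticates the EV as a TLS client.
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl with the signer's key; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a Root CA, a Sub-CA and a contract leaf, all on secp256r1 (P-256).
func BuildChain(leafNotAfter time.Time) (*Chain, error) {
	keys := make([]*ecdsa.PrivateKey, 3) // root, sub-CA, leaf
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	root, err := issue(template("V2G Root CA (constructed)", 1, true, time.Now().Add(20*year)), nil, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	sub, err := issue(template("MO Sub-CA (constructed)", 2, true, time.Now().Add(5*year)), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leaf, err := issue(template("Contract Certificate (constructed)", 3, false, leafNotAfter), sub, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, SubCA: sub, Leaf: leaf, LeafKey: keys[2]}, nil
}

// VerifyChain checks Leaf -> Sub-CA -> Root at time `at` against a trust store holding only root:
// signatures, validity period, CA basic constraints and client-auth extended key usage.
func VerifyChain(leaf, sub, root *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// SignMessage signs a message body with ECDSA over SHA-256 using the contract private key.
func SignMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyMessage checks an ECDSA signature against the public key in the presented certificate.
func VerifyMessage(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// ProvisioningCSR builds the PKCS#10 request a production line would send to the OEM CA
// and verifies its self-signature; the VIN in the subject is an assumed sample value.
func ProvisioningCSR(key *ecdsa.PrivateKey, vin string) (*x509.CertificateRequest, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: vin}}, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

func main() {
	c, err := BuildChain(time.Now().Add(2 * year))
	if err != nil {
		panic(err)
	}
	fmt.Println("chain valid now:", VerifyChain(c.Leaf, c.SubCA, c.Root, time.Now()) == nil)
	fmt.Println("chain valid in 3 years:", VerifyChain(c.Leaf, c.SubCA, c.Root, time.Now().Add(3*year)) == nil)
	msg := []byte("constructed V2G message body")
	sig, _ := SignMessage(c.LeafKey, msg)
	fmt.Println("signature verifies:", VerifyMessage(c.Leaf, msg, sig))
	csr, _ := ProvisioningCSR(c.LeafKey, "VIN-CONSTRUCTED-0001")
	fmt.Println("CSR subject:", csr.Subject.CommonName)
}
```

The second `VerifyChain` call shows the failure mode a Contract Certificate Manager must expect: once the contract leaf has expired the chain is rejected even though the Sub-CA and Root are still valid, which is when CertificateUpdate has to run. A leaf issued under a different Root (a foreign PKI) is rejected the same way, because only the configured root is in the trust store. Revocation status is not covered here; it is the OCSP client's job on top of this check.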
Engineering Inputs Required
| Input | Purpose |
|---|---|
| OEM PKI structure | OEM Root CA → Sub-CA → Provisioning CA hierarchy and signing algorithm. |
| Contract PKI | Mobility Operator CA and Sub-CA, OCSP endpoints. |
| Trust Store | A list of preloaded root credentials. |
| HSM Specifications | TC387QP HSM configuration or external security chip. |
| Security Requirements | TLS version requirements, Cipher Suite whitelist, Cert Pinning policy. |
| Factory Process | The production-line writing process for the OEM Provisioning Certificate, interfaced with CSR generation. |
| Credential life cycle | Validity period and renewal mechanism of Provisioning / Contract credentials. |
How KopherBit Supports This
- EVCC + CryptoService: KopherV2G integrates KopherSAR Csm/KeyM, providing the complete ISO 15118-2 PnC cryptography process.
- HSM Integration: Protects private keys with the built-in HSM on KCU GEN2 (TC387QP).
- OEM PKI Consulting: Assists customers in designing the OEM CA hierarchy, the production-line CSR process, and Trust Store deployment.
- Verification: KCU Gen2 Testbench provides PnC process recording and TLS handshake analysis.
FAQ
Why does PnC have to use TLS?
ISO 15118-2 specifies that the PnC authentication process, which carries billing identification (the Contract Certificate), must be encrypted to prevent eavesdropping and man-in-the-middle attacks. TLS simultaneously protects message integrity and the authenticity of both parties.
What is the difference between Provisioning Certificate and Contract Certificate?
The Provisioning Certificate is written into the vehicle by the OEM when it leaves the factory. It serves as the identity proof that "this car is a legitimate OEM vehicle" and is permanently bound. The Contract Certificate is issued after the car owner signs a contract with the Mobility Operator. It is used as the billing identification and can be updated or revoked when the contract changes.
How to install Contract Certificate?
The EV runs the CertificateInstallation message exchange with a charging pile that offers a PKI service; the certificate is signed by the back-end CPS (Charging Service Provider) and returned to the EV, and the EVCC stores it in secure memory.
Is OCSP Stapling supported?
The ISO 15118-2 specification allows OCSP Stapling to reduce the EV's need for external network access. KopherBit EVCC supports OCSP Stapling mode.
Is TLS 1.3 available?
ISO 15118-2 added TLS 1.3 support in subsequent revisions, and ISO 15118-20 mandates TLS 1.3. The EVCC supports both at the same time, covering both protocols.
How to protect private key?
It is recommended to store the Provisioning and Contract private keys in an HSM (such as the TC387QP's built-in HSM or an external secure element) so that the private keys never exist in plaintext in the main Flash. KopherBit provides HSM integration solutions.
JSON-LD
{
"@context": "https://schema.org",
"@type": "TechArticle",
"headline": "ISO 15118-2 PnC: TLS, X.509 Credential Chaining and Crypto Service Integration",
"description": "ISO 15118-2 Plug & Charge's TLS handshake, OEM Provisioning and Contract credential chain, CryptoService integration and HSM private key protection.",
"url": "https://kopherbit.com/knowledge/iso-15118-2-pnc-tls/",
"datePublished": "2026-05-09",
"dateModified": "2026-05-09",
"inLanguage": "zh-TW",
"keywords": ["ISO 15118-2", "PnC", "TLS", "X.509", "V2G PKI", "HSM"],
"articleSection": "Cybersecurity",
"author": { "@type": "Organization", "name": "KopherBit", "url": "https://kopherbit.com" },
"publisher": { "@type": "Organization", "name": "KopherBit", "logo": { "@type": "ImageObject", "url": "https://kopherbit.com/logo.png" } }
}