
OCPP 1.6-J Security Profiles

A guide to configuring security levels from Basic Auth to mTLS, including transport requirements and connection validation steps.

Updated over 2 weeks ago

OCPP 1.6-J defines four Security Profiles (SP0–SP3) determining how the Charge Point connects to the Central System.

Only one profile can be active per connection. Mismatched profiles are rejected.

Supported Profiles

| Profile | Description | Auth Method | Transport |
|---|---|---|---|
| SP0 | No security | None | ws:// |
| SP1 | Basic Auth (no TLS) | AuthorizationKey | ws:// |
| SP2 | TLS + Basic Auth | AuthorizationKey + TLS | wss:// |
| SP3 | TLS + Client Certificate (mTLS) | Certificate (binaryCert) | wss:// |

Configuration

| Key | Description | Example |
|---|---|---|
| SecurityProfile | Selects 0–3 | 2 |
| AuthorizationKey | Required for SP1/2 (≥16 bytes) | MyStrongKey123456 |
| CentralSystemURI | OCPP endpoint | wss://ocs.timetick.io/... |
| binaryCert | PEM-encoded certificate chain for SP3 | see below |

Example certificate format

-----BEGIN CERTIFICATE-----
<leaf cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate/chain>
-----END CERTIFICATE-----

SP3 can be tested with a real device connected to the backend.
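The following added example (not part of the original guide or the product's own code) checks a set of these configuration values for the mismatches described above: URI scheme against the selected profile, AuthorizationKey length for SP1/SP2, and at least one decodable PEM certificate in binaryCert for SP3. The function names, the dict layout with an integer SecurityProfile, and the sample hostname are assumptions.

```python
# Added illustration; names and dict layout are assumptions, not a product API.
import base64
import re
from urllib.parse import urlsplit

# Transport scheme and credential each profile expects, per the tables above.
PROFILES = {
    0: ("ws", None),
    1: ("ws", "AuthorizationKey"),
    2: ("wss", "AuthorizationKey"),
    3: ("wss", "binaryCert"),
}
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_cert_count(pem_text):
    """Return how many certificate blocks hold base64 that decodes to DER."""
    count = 0
    for body in PEM_BLOCK.findall(pem_text or ""):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error: not valid base64
            continue
        if der[:1] == b"\x30":  # a DER certificate starts with a SEQUENCE tag
            count += 1
    return count


def validate(cfg):
    """Return a list of problems; an empty list means the settings agree."""
    errors = []
    profile = cfg.get("SecurityProfile")
    if profile not in PROFILES:
        return ["SecurityProfile must be 0-3"]
    scheme, credential = PROFILES[profile]
    if urlsplit(cfg.get("CentralSystemURI") or "").scheme != scheme:
        errors.append(f"SP{profile} requires a {scheme}:// CentralSystemURI")
    if credential == "AuthorizationKey":
        if len((cfg.get("AuthorizationKey") or "").encode()) < 16:
            errors.append("AuthorizationKey must be at least 16 bytes")
    if credential == "binaryCert" and pem_cert_count(cfg.get("binaryCert")) < 1:
        errors.append("binaryCert must contain a PEM certificate chain")
    return errors


# Constructed sample (placeholder host/path): SP2 selected, URI still ws://.
SAMPLE = {"SecurityProfile": 2, "AuthorizationKey": "MyStrongKey123456",
          "CentralSystemURI": "ws://csms.example.invalid/ocpp/CP001"}
print(validate(SAMPLE))
```

The PEM check only confirms that each block is base64 that decodes to a DER SEQUENCE; it does not verify the chain or the certificate's validity period.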

Testing Scope

| SP | Method | Expected Result |
|---|---|---|
| SP1 / SP2 | AuthorizationKey auth | Successful BootNotification / Heartbeat |
| | Wrong key | 401 / rejected |
| SP3 | mTLS with real device | Successful TLS handshake & BootNotification |

Security Profile 0: no AuthorizationKey

Security Profile 1: AuthorizationKey selected

Security Profile 2: AuthorizationKey selected

Security Profile 3: Certificate added to binaryCert in Simulator Config
