Page tree
Skip to end of metadata
Go to start of metadata

RSEs use this service to request new application certificates. After the initial certificate is requested, subsequent certificates are NOT automatically provisioned.


HTTP Request Body

ASN.1 serialized SecuredAppCertProvisioningRequest

HTTP Response BodyASN.1 serialized SignedAppCertProvisioningAck with a requestHash property containing the lower 8 bytes of the request hash. This value will identify this device for the download of the requested certificate. The reply property contains a PseudonymCertProvisioningAck with a certDLTime property containing the expected time for download of the requested certificate and a certDLURL property containing the URL where the certificate can be downloaded.


  1. Policy referenced in the request message is previously known
  2. EE is not revoked



Error Handling

See "RA-EE Errors" in Overview of Used Error Codes

Quality of Service

For PoC the volume for this interface is 50,000 RSEs. This is not expected to have significant impact on system throughput requirements.

Quality of Protection

  • RA protects access with HTTPS (TLS V1.2)
  • Supports at a minimum OpenSSL cipher suite ECDHE-ECDSA-AES128-SHA256
  • Uses certificate-based client authentication of data signed by the device enrollment certificate, validated at the application layer. This is a supplement to the one-way TLS authentication, to provide two-way authentication with a TLS/1609.2 hybrid scheme.
  • Incoming message is encrypted (within the ASN.1 message structure) with the RA Component certificate public key. 

1 Comment

  1. Anonymous

    The preconditions reference a policy, but in reviewing the ASN.1, we don't see a policy referenced.  Can this be clarified or updated?