Page tree
Skip to end of metadata
Go to start of metadata

OBEs use this service to request the new identification certificates. After the initial batch is requested, subsequent batches are automatically provisioned.


HTTP Request Body

ASN.1 serialized SecuredIdCertProvisioningRequest

HTTP Response BodyASN.1 serialized SignedIdCertProvisioningAck with a requestHash property containing the lower 8 bytes of the request hash. This value will identify this device from this point on, and it is to be used in subsequent download calls. The reply property contains a PseudonymCertProvisioningAck with a certDLTime property containing the expected time for download of the requested certificate and a certDLURL property containing the URL where the certificate can be downloaded.


  1. Policy referenced in the request message is previously known
  2. EE is not revoked



Error Handling

See "RA-EE Errors" in Overview of Used Error Codes

Quality of Protection

  • RA protects access with HTTPS (TLS V1.2)
  • Supports at a minimum OpenSSL cipher suite ECDHE-ECDSA-AES128-SHA256
  • Uses certificate-based client authentication of data signed by the device enrollment certificate, validated at the application layer. This is a supplement to the one-way TLS authentication, to provide two-way authentication with a TLS/1609.2 hybrid scheme.