How does the WSS connection and certificate exchange works
- The WSS connection is done over TLS/SSL encrypted connection.
- Every time a charger tries to connect to the Secure Socket Server, the charger and the server communicate to ensure that there is a secure TLS/SSL encrypted connection.
- The secure socket server shares its TLS/SSL certificate and its public key with the charger to establish a secure connection and a unique session key.
- The charger confirms that it recognizes and trusts the issuer, or Certificate Authority, of the SSL certificate. The charger also checks to ensure the TLS/SSL certificate is unexpired, unrevoked, and that it can be trusted. (But this only happens when Security Profile 2 / 3 is enabled on the charger. Now, a charger can still connect over secure websockets even if that profile 2/3 is not set, it just won't verify the server certificate. And for profile 3 there is an additional step of the socket server verifying the client side certificate that a charger sends when it opens the connection.)
- The charger sends back a symmetric session key and the server decrypts the symmetric session key using its private key.
- The server then sends back an acknowledgement encrypted with the session key to start the encrypted session.
- Server and charger now encrypt all transmitted data with the session key. They begin a secure session that protects message privacy, message integrity, and server security
So, in short just like you don't install a certificate when you visit your secure banking website, the charger doesn't need the certificate beforehand and the server provides it during the initial handshake.