Architecture: BetterFleet OCPP Profile 3 and ISO 15118 PKI
TLDR (Solution Summary)
- Build a
BetterFleet Certificate Control Plane that remains the lifecycle source of truth for charger identity certificates, vehicle VAS identity certificates, ISO 15118 provisioning artifacts, and trust-anchor bundles.
- Add a
Certificate Lifecycle API in bf-manage-core that owns inventory, policy, certificate jobs, activation evidence, revocation intent, and audit for every certificate purpose.
- Add an
OCPP Security Orchestrator in bf-manage-connect that executes SignCertificate, CertificateSigned, InstallCertificate, GetInstalledCertificateIds, DeleteCertificate, GetCertificateStatus, Get15118EVCertificate, SecurityEventNotification, GetLog, and LogStatusNotification without becoming the lifecycle source of truth.
- Use
AWS Private CA for BetterFleet-managed operational certificate issuance and revocation, and use AWS ACM for central-system server certificates where AWS-managed termination is available.
- Add an
External Scheme Broker for Hubject, OCPI, OEM, and other Plug and Charge actors so BetterFleet can operate in BetterFleet-managed, BetterFleet-brokered, and externally managed but BetterFleet-tracked modes per certificate purpose.
- Add a
Trust Anchor Release Manager that versions, distributes, confirms, and rolls back purpose-specific trust-anchor bundles before dependent leaf certificates are activated.
1. Summary
- Problem statement:
- BetterFleet needs a production architecture for OCPP Profile 3 and ISO 15118 certificate lifecycle management that fits the existing spec and avoids building multiple independent PKI systems.
- The current spec already fixes several architectural constraints: BetterFleet remains the lifecycle source of truth, local key generation is required for endpoint-owned keys, AWS is the retained platform assumption, and charger, vehicle, ISO 15118, backend, and firmware-signing trust must stay separate.
- Goal and success criteria:
- Deliver one concrete architecture that can issue, install, activate, renew, revoke, and audit BetterFleet-managed certificates while also tracking or brokering externally governed Plug and Charge certificate flows.
- Success means one operator-visible inventory, one job and policy model, one OCPP orchestration path, and a clear separation between internal operational PKI and external ISO 15118 scheme actors.
- What will be built in this phase:
Certificate Lifecycle API + add certificate-purpose-aware inventory, policy, and job orchestration in bf-manage-core + BetterFleet becomes the operational source of truth for all managed certificate purposes.Operator Certificate Administration View + extend the existing device certificate UI in bf-manage-web to show charger, vehicle, ISO 15118, and trust-anchor records + operations can inspect state, failures, and actions in one surface.OCPP Security Orchestrator + add standards-aligned certificate message handling in bf-manage-connect + chargers execute install, CSR, status, and security-log flows through a controlled control plane.AWS PKI Integration Layer + connect BetterFleet-managed certificate jobs to AWS Private CA and AWS ACM + BetterFleet uses managed AWS issuance without exposing CA private-key control to runtime services.External Scheme Broker + add adapters for Hubject, OCPI, OEM, and other external approval authorities + BetterFleet can track and broker Plug and Charge workflows without pretending to own every certificate purpose.Trust Anchor Release Manager + version and stage purpose-specific CA bundle rollout + root and intermediate updates become controlled rollout events with audit and rollback support.
- Scope (in/out) for this phase:
- In:
- Concrete logical and deployment architecture for the BetterFleet lifecycle service, OCPP orchestration, AWS PKI integration, external-scheme brokering, and operator visibility.
- Concrete ownership boundaries for charger identity, vehicle VAS identity, ISO 15118 provisioning artifacts, trust anchors, and server certificates.
- Concrete interaction flows for issuance, activation, renewal, revocation, trust-anchor rollout, and Plug and Charge brokering.
- Out:
- Detailed database schema design.
- Final OEM-specific subject naming rules.
- Firmware-signing PKI beyond trust-domain separation.
- Exact OCPI payload definitions for each partner.
- Current baseline:
- As of March 10, 2026, BetterFleet already has an IoT-oriented certificate inventory and operator action pattern in
bf-manage-web and bf-manage-core, but not the OCPP 2.0.1 certificate orchestration handlers required for Profile 3 rollout.
- As of March 10, 2026,
bf-manage-connect has local OCPP 2.0.1 schemas but no production certificate orchestration flow.
- Future evolution guardrails:
- This architecture must keep it easy to add new certificate purposes without creating a new service per purpose.
- This architecture must keep external-scheme integration separate from the BetterFleet-managed CA path.
- This architecture must not make firmware-signing trust share a hierarchy or operator workflow with operational identities.
2. Users and Use Cases
- Primary personas:
- Platform engineer
- OCPP integration engineer
- Security and PKI engineer
- Operations team managing rollout and incidents
- External provisioning integration team
- High-level user stories:
- As operations, I want one certificate inventory and one trust-anchor inventory so I can govern rollout and incident handling consistently.
- As a PKI engineer, I want BetterFleet runtime services to request issuance without holding CA private-key control.
- As an OCPP engineer, I want charger certificate flows to map to OCPP 2.0.1 security messages while BetterFleet remains authoritative for lifecycle state.
- As a Plug and Charge integration team, I want BetterFleet to broker or track external certificate workflows without forcing all external PKI actors into the BetterFleet-managed model.
- Edge cases and failure modes:
- Charger generates a CSR, receives a signed certificate, installs it, but never reconnects successfully over mutual TLS.
- Trust-anchor bundle rollout succeeds on some charger families and fails on others.
- An external Plug and Charge authority issues or revokes a credential and BetterFleet must reflect the new state without controlling issuance.
- A device remains on Profile 2 during migration and must keep unique dual-slot
AuthorizationKey handling.
3. Conceptual Model Terms and Decisions
Key Terms
| Term |
Definition |
Notes |
| BetterFleet Certificate Control Plane |
The BetterFleet-owned control plane for certificate inventory, policy, jobs, audit, and activation evidence |
Source of truth for lifecycle state |
| Certificate Lifecycle API |
The synchronous and asynchronous application boundary for certificate actions in bf-manage-core |
Receives operator, policy, device, and integration requests |
| OCPP Security Orchestrator |
The OCPP-specific execution layer in bf-manage-connect |
Transport and evidence only |
| External Scheme Broker |
The integration layer for Hubject, OCPI, OEM, or other external Plug and Charge actors |
Used for brokered or tracked-only modes |
| Trust Anchor Release Manager |
The service module that versions and distributes purpose-specific root and intermediate bundles |
Separate from leaf issuance |
| Certificate Job |
The durable work item representing issue, install, activate, renew, revoke, delete, or bundle rollout |
Long-running and auditable |
| Activation Evidence |
Purpose-specific proof required before a certificate record becomes active |
Examples: successful mTLS reconnect, delivery acknowledgement, external confirmation |
| Purpose-Specific PKI Realm |
The isolated policy and trust domain for one certificate purpose |
Charger, vehicle VAS, ISO 15118 provisioning, backend server, firmware signing |
Decision Ledger
| ID |
Decision |
Rationale |
Alternatives Rejected |
Implications |
| D-001 |
Place the source-of-truth lifecycle service in bf-manage-core |
The spec already centers BetterFleet inventory and operator actions there |
Make the charger or external PKI the authoritative state owner |
Keeps inventory, audit, and policy in one bounded context |
| D-002 |
Place OCPP Profile 3 message handling in bf-manage-connect |
OCPP security messages belong in the connectivity boundary |
Push protocol logic into bf-manage-core |
Cleaner separation between business lifecycle and wire-protocol orchestration |
| D-003 |
Use AWS Private CA for BetterFleet-managed operational client certificates |
Matches the AWS retained assumptions and avoids operating a full CA stack |
Build a bespoke CA or self-host an enterprise PKI stack first |
Runtime services request issuance through IAM-controlled APIs only |
| D-004 |
Use AWS ACM only for server certificates that terminate on supported AWS services |
ACM is retained in the current design for central-system server certificates |
Use ACM for charger and vehicle certificates |
Charger and vehicle identity remains CSR-driven through Private CA |
| D-005 |
Keep external Plug and Charge issuance outside the BetterFleet-managed CA path |
The spec explicitly allows brokered and tracked-only ownership modes |
Force all ISO 15118 certificate purposes into one BetterFleet-owned CA hierarchy |
External actors remain first-class, not temporary exceptions |
| D-006 |
Manage trust anchors as versioned bundle rollouts separate from leaf issuance |
The spec requires purpose-specific trust-anchor lifecycle and staged rollout |
Treat root and intermediate updates as file attachments on certificate records |
Makes anchor replacement operationally safe and auditable |
| D-007 |
Make certificate jobs asynchronous and idempotent |
OCPP, external schemes, and CA issuance all contain long-running and retryable steps |
Pure request-response orchestration |
Supports retries, reconciliation, and operator-visible state |
| D-008 |
Keep charger identity, vehicle VAS identity, ISO 15118 provisioning, backend server, and firmware-signing trust in separate PKI realms |
The spec requires separate trust domains |
One combined CA hierarchy with policy tags only |
Policy, revocation, and incident handling remain purpose-correct |
4. Architecture Overview
Logical Component Model
flowchart LR
UI["bf-manage-web\nOperator Certificate Administration View"]
Core["bf-manage-core\nCertificate Lifecycle API\nPolicy Engine\nInventory\nJob Orchestrator\nAudit"]
Connect["bf-manage-connect\nOCPP Security Orchestrator\nProtocol Compatibility Adapter\nSecurity Event Ingestor"]
AwsPca["AWS Private CA\nPurpose-specific issuing CAs"]
Acm["AWS ACM\nServer certificate management"]
Broker["External Scheme Broker\nHubject / OCPI / OEM adapters"]
Anchors["Trust Anchor Release Manager"]
Charger["Charge Point / EVSE\nLocal key generation\nCSR / install / reconnect"]
Vehicle["Vehicle / VAS program\nDirect or brokered delivery"]
Scheme["External PnC PKI / eMSP / OEM"]
Obs["Audit + Observability\nLogs / metrics / alerts"]
UI --> Core
Core --> Connect
Core --> AwsPca
Core --> Acm
Core --> Broker
Core --> Anchors
Connect --> Charger
Broker --> Scheme
Broker --> Vehicle
Anchors --> Connect
Core --> Obs
Connect --> Obs
Broker --> Obs
bf-manage-web
- Presents the operator views for certificate inventory, trust-anchor bundle inventory, migration cases, provisioning cases, and job history.
- Reuses the current certificate action pattern and extends it to multiple certificate purposes.
bf-manage-core
- Owns certificate records, trust-anchor records, policy evaluation, lifecycle commands, job state, and audit history.
- Exposes admin and automation APIs for issue, renew, revoke, activate, deactivate, delete, install-trust-anchor, and record-provisioning-outcome actions.
- Publishes job intents to asynchronous workers and reconciles evidence from OCPP and external integrations.
bf-manage-connect
- Owns OCPP 2.0.1 security message handling and the compatibility adapter for Profile 2 and OCPP 1.6J transitional fleets.
- Converts lifecycle commands from
bf-manage-core into OCPP actions and converts charger responses, logs, and events into activation evidence.
AWS Private CA
- Hosts the BetterFleet-managed issuing CAs for charger identity and vehicle VAS identity.
- Is invoked only by a restricted CA integration module in
bf-manage-core.
AWS ACM
- Manages public or private server certificates for BetterFleet endpoints that terminate on ACM-capable AWS services.
External Scheme Broker
- Handles Hubject, OCPI, OEM, or other program-specific Plug and Charge interactions where BetterFleet is not the issuer.
- Stores external references, provisioning status, fingerprints, expiry, and evidence back into the BetterFleet inventory.
Trust Anchor Release Manager
- Packages purpose-specific root and intermediate chains into versioned bundles.
- Tracks intended, delivered, installed, active, failed, and withdrawn bundle versions by target cohort.
Deployment View
flowchart TD
subgraph AWS_VPC["BetterFleet AWS Account / VPC"]
Web["bf-manage-web"]
CoreApi["bf-manage-core API"]
Workers["Certificate Job Workers"]
ConnectSvc["bf-manage-connect OCPP service"]
Queue["Job Queue"]
Store["Operational data store"]
Artifact["Certificate / bundle artifact store"]
Metrics["Observability stack"]
end
subgraph AWS_SEC["Restricted PKI Control Plane"]
PCA["AWS Private CA hierarchy"]
ACM["AWS ACM"]
IAM["Restricted IAM roles"]
end
subgraph EXT["External actors"]
Chargers["Chargers / EVSEs"]
Hubject["Hubject / PnC PKI"]
OEM["OEM / OCPI / eMSP systems"]
end
Web --> CoreApi
CoreApi --> Queue
Queue --> Workers
Workers --> Store
Workers --> Artifact
Workers --> PCA
Workers --> ACM
CoreApi --> Store
CoreApi --> Metrics
ConnectSvc --> Chargers
Workers --> ConnectSvc
Workers --> Hubject
Workers --> OEM
ConnectSvc --> Metrics
Workers --> Metrics
IAM --> PCA
IAM --> ACM
- Runtime services do not hold CA private keys.
- The CA hierarchy sits behind restricted IAM roles and a dedicated PKI control-plane boundary.
- Long-running certificate work is executed by asynchronous job workers, not by request threads.
5. PKI Realms and Ownership Model
Purpose-Specific PKI Realms
| PKI realm |
Primary subject |
Issuance authority |
Delivery path |
BetterFleet role |
| Charger identity |
Charger or EVSE endpoint |
BetterFleet-managed AWS Private CA |
OCPP SignCertificate / CertificateSigned / InstallCertificate |
Managed |
| Vehicle VAS identity |
Vehicle or backend-facing vehicle integration |
BetterFleet-managed AWS Private CA by default, with support for approved external issuers |
Direct API or brokered delivery |
Managed or brokered |
| ISO 15118 provisioning artifacts |
EV, EVSE, or contract-certificate process |
External scheme, OEM, or eMSP authority by default |
Hubject, OCPI, OEM API, or tracked evidence |
Brokered or tracked-only |
| Backend server trust |
BetterFleet public or private service endpoints |
AWS ACM or controlled internal CA path |
AWS service attachment |
Managed |
| Firmware signing |
Firmware artifacts |
Separate future signing PKI |
Release pipeline |
Out of current scope |
CA Hierarchy
| Layer |
Design |
| Offline root CA |
One root per operational trust family where policy requires it; not exposed to runtime services |
| Online issuing CA |
Separate issuing CA per BetterFleet-managed realm at minimum: charger identity and vehicle VAS identity |
| Trust-anchor bundle |
Versioned bundle per purpose and cohort, rolled out ahead of leaf activation |
- Concrete recommendation:
- Start with one operational root and at least two issuing CAs under it only if policy accepts shared root isolation.
- If customer, compliance, or incident concerns are strong, split charger and vehicle VAS to separate roots early.
- Keep ISO 15118 external scheme roots outside the BetterFleet-managed issuing hierarchy even when BetterFleet tracks them in inventory.
6. Domain Model and Eventstorming (Concrete)
- Bounded contexts:
Certificate Lifecycle in bf-manage-coreEVSE Security Orchestration in bf-manage-connectExternal Provisioning Brokerage in the integration layerOperator Administration in bf-manage-web
- Aggregates and entities:
ManagedIdentityCertificateRecordTrustAnchorBundleCertificateJobMigrationCaseProvisioningCase
- Domain events:
CertificateRequestedCSRValidatedCertificateIssuedCertificateInstallRequestedCertificateInstalledCertificateActivatedCertificateDeactivatedCertificateRenewalStartedCertificateRevokedTrustAnchorReleaseRequestedTrustAnchorInstalledProvisioningOutcomeRecordedMigrationQuarantined
Interaction Flow
flowchart LR
Trigger["Operator / policy / device trigger"] --> Cmd["Lifecycle command"]
Cmd --> Job["Create CertificateJob"]
Job --> Route{"Execution path"}
Route -->|BetterFleet-managed| CA["AWS Private CA issuance"]
Route -->|OCPP execution| OCPP["bf-manage-connect OCPP actions"]
Route -->|Brokered| Ext["Hubject / OEM / OCPI broker flow"]
CA --> Evidence["Evidence returned"]
OCPP --> Evidence
Ext --> Evidence
Evidence --> Policy["Activation / reconciliation policy"]
Policy --> State["Update CertificateRecord / ProvisioningCase / MigrationCase"]
Event Timeline
timeline
title Charger Identity Certificate Timeline
CertificateRequested : Renewal or issuance starts
CSRValidated : CSR accepted against identity policy
CertificateIssued : AWS Private CA returns signed chain
CertificateInstalled : Charger confirms install
CertificateActivated : Successful mutual-TLS reconnect recorded
Event Dictionary
CertificateRequested: BetterFleet decides a certificate action is needed | starts lifecycle work | jobId, managedIdentityId, purpose, reason | triggers execution routing.CSRValidated: Submitted CSR matches policy and identity | protects issuance correctness | jobId, csrFingerprint, subjectKeyId | enables CA signing.CertificateIssued: Signed chain is available | creates installable artifact | jobId, certificateId, issuingCaId, notBefore, notAfter | triggers install path.CertificateInstalled: Endpoint or external actor confirms delivery | creates activation candidate | jobId, certificateId, evidenceType, evidenceRef | enables activation policy.CertificateActivated: Required evidence proves the credential is live | moves record to active | certificateId, activatedAt, evidenceRef | retires previous active cert.CertificateDeactivated: An active certificate is intentionally removed from service without revocation | moves record to inactive | certificateId, deactivatedAt, reason, actor | clears the active slot for that identity and purpose.ProvisioningOutcomeRecorded: External Plug and Charge flow advanced state | keeps brokered paths visible | provisioningCaseId, externalRef, newState | updates case and operator view.MigrationQuarantined: Rollout stopped for manual review | prevents unsafe automation | migrationCaseId, reason, chargerFamily, attemptCount | raises operational attention.
7. Interaction and Flow
Charger Identity Certificate Flow
sequenceDiagram
participant Policy as Policy Engine
participant Core as bf-manage-core
participant PCA as AWS Private CA
participant Connect as bf-manage-connect
participant Charger as Charger
Policy->>Core: Issue or renew charger certificate
Core->>Connect: Request CSR via OCPP security flow
Connect->>Charger: SignCertificate / CSR exchange
Charger-->>Connect: CSR
Connect-->>Core: CSR + device evidence
Core->>PCA: Issue certificate from charger issuing CA
PCA-->>Core: Signed certificate chain
Core->>Connect: Install certificate + chain
Connect->>Charger: CertificateSigned / InstallCertificate
Charger-->>Connect: Install accepted
Connect-->>Core: Installation evidence
Charger->>Connect: Reconnect using mutual TLS
Connect-->>Core: Successful activation evidence
Core->>Core: Mark certificate active and retire previous leaf
- Activation rule:
- A charger certificate does not become
active on install acknowledgement alone.
- It becomes
active only after successful Profile 3 reconnect or another approved live-use signal.
Trust Anchor Bundle Rollout
sequenceDiagram
participant Ops as Operator / Policy
participant Core as bf-manage-core
participant Connect as bf-manage-connect
participant Charger as Charger
Ops->>Core: Release trust-anchor bundle to cohort
Core->>Core: Create bundle version and rollout job
Core->>Connect: Install trust bundle on target chargers
Connect->>Charger: InstallCertificate for root/intermediate chain
Charger-->>Connect: Bundle install status
Connect-->>Core: Installation evidence by charger
Core->>Core: Mark bundle intended / installed / active / failed
Core->>Core: Unblock dependent leaf rollout only after threshold met
Plug and Charge Brokered Flow
sequenceDiagram
participant Core as bf-manage-core
participant Broker as External Scheme Broker
participant Scheme as Hubject / OEM / eMSP
participant UI as bf-manage-web
Core->>Broker: Start provisioning case
Broker->>Scheme: Submit request or validation call
Scheme-->>Broker: External status / approval / certificate reference
Broker-->>Core: Evidence, fingerprint, expiry, external reference
Core->>Core: Update ProvisioningCase and certificate-tracking record
UI-->>Core: View case, status, errors, next actions
Revocation and Incident Flow
- BetterFleet-managed certificate revocation:
bf-manage-core marks the certificate revoked in local policy first.- The CA integration submits revocation to
AWS Private CA.
bf-manage-connect or related relying-party components are instructed to deny further use even before remote confirmation propagates.
- Brokered or tracked-only revocation:
- BetterFleet records external revocation evidence and transitions the local record to a blocked or invalid state.
- Incident routing points operators to the responsible external authority.
8. Requirements and Constraints
- Functional requirements:
FR-001: bf-manage-core shall remain the lifecycle source of truth for certificate state, policy outcome, and audit for every certificate purpose in scope.FR-002: bf-manage-connect shall execute OCPP Profile 3 certificate operations as transport and evidence collection, not as the lifecycle source of truth.FR-003: BetterFleet-managed charger and vehicle VAS certificates shall be issued through AWS Private CA using CSR-driven issuance.FR-004: BetterFleet shall version and manage trust anchors as separate TrustAnchorBundle records by purpose and target cohort.FR-005: BetterFleet shall support the three operating modes managed, brokered, and tracked-only per certificate purpose.FR-006: Activation of charger identity certificates shall require installation evidence plus successful live-use verification.FR-007: External Plug and Charge integrations shall store external references, fingerprints, expiry, status, and audit evidence even when BetterFleet is not the issuer.FR-008: Runtime services shall request CA actions through restricted integration roles and shall not hold unrestricted root or issuing-CA private-key control.FR-009: The operator UI shall show certificate state, job state, trust-anchor rollout state, migration state, and provisioning state in one administration experience.FR-010: Migration support shall coexist with unique per-device AuthorizationKey lifecycle for cohorts that remain on Profile 2 during transition.
- Non-functional requirements:
NFR-001: All certificate and trust-anchor jobs shall be idempotent across retries and reconnects.NFR-002: The system shall preserve auditability of every lifecycle transition, external evidence update, and operator action.NFR-003: The system shall isolate failures by charger family, site cohort, certificate purpose, and external integration path to avoid fleet-wide rollout impact.NFR-004: Certificate policy values such as validity, renewal thresholds, and escalation windows shall be configurable by certificate purpose and cohort.NFR-005: Security observability shall capture issuance failures, install failures, activation failures, trust-anchor mismatch, revocation backlog, and security-event notifications.
- Constraints and assumptions:
- Charger and vehicle identity remain endpoint-owned keys and therefore CSR-driven.
- The current design reference for charger certificates is
180-day validity with T-30, T-14, and T-7 thresholds.
- External Plug and Charge actors may remain the issuer or approval authority for some ISO 15118 certificate purposes.
- Firmware support for local key generation, trust-anchor install, and mutual-TLS reconnect is a hard rollout dependency.
- Build item coverage mapping:
Certificate Lifecycle API -> FR-001, FR-005, FR-008, NFR-002, NFR-004Operator Certificate Administration View -> FR-009, NFR-002, NFR-005OCPP Security Orchestrator -> FR-002, FR-006, FR-010, NFR-001, NFR-003AWS PKI Integration Layer -> FR-003, FR-008, NFR-001External Scheme Broker -> FR-005, FR-007, NFR-002Trust Anchor Release Manager -> FR-004, NFR-003, NFR-005
9. Non-Technical Implementation Approach
10. Open Questions
- Should charger identity and vehicle VAS identity split to separate roots immediately, or start with separate issuing CAs under one operational root?
- Which ISO 15118 certificate purposes will BetterFleet actually issue directly in the first customer program, if any?
- Which external broker interface is first: Hubject direct, OCPI-based brokering, or OEM-specific API?
- What activation evidence beyond successful mutual-TLS reconnect is acceptable for charger families with non-standard behavior?
- What certificate inventory detail is contractually allowed to be stored for externally managed Plug and Charge credentials?
11. Appendices
Recommended Initial Service Placement
| Concern |
BetterFleet service |
| Operator certificate views |
bf-manage-web |
| Lifecycle API, policy, inventory, jobs, audit |
bf-manage-core |
| OCPP Profile 3 security message execution |
bf-manage-connect |
| External scheme adapters |
bf-manage-core integration boundary or adjacent worker service |
Concrete Initial AWS Shape
| Concern |
Initial choice |
| Charger issuing CA |
AWS Private CA general-purpose mode |
| Vehicle VAS issuing CA |
Separate AWS Private CA general-purpose issuing CA |
| Server certificates |
AWS ACM where service topology allows |
| Artifact storage |
Existing BetterFleet controlled object storage for chains, logs, and bundle artifacts |
| Observability |
Existing BetterFleet logging, metrics, and alerting stack with certificate-specific dashboards |
Concrete Initial Build Order
- Extend
bf-manage-core inventory, policy, and async job orchestration.
- Extend
bf-manage-web admin views and actions.
- Implement
bf-manage-connect charger certificate and trust-anchor flows.
- Stand up
AWS Private CA issuing hierarchy and IAM boundaries.
- Add Hubject or other broker integration for Plug and Charge tracking and brokering.
Cross-Reference to Specification Document
- Companion document: spec.md
- Relationship: The specification defines the conceptual lifecycle model, domain events, invariants, standards crosswalk, and business requirements. This architecture document concretizes those into service assignments, AWS infrastructure choices, PKI realm design, deployment topology, and phased build order.
Decision Traceability
| Architecture decision |
Derived from spec decision(s) |
How this architecture decision extends the spec |
D-001 Source of truth in bf-manage-core |
Spec D-001, D-003 |
Assigns the spec's source-of-truth principle to a concrete service boundary |
D-002 OCPP handling in bf-manage-connect |
Spec D-001, D-006 |
Implements the spec's bounded-context separation and OCPP 2.0.1 design target as a service split |
| D-003 AWS Private CA for managed client certificates |
Spec D-004 |
Selects a concrete issuance backend for the spec's CSR-driven local-key-generation requirement |
| D-004 AWS ACM only for server certificates |
Spec D-004, D-005 |
Enforces the spec's trust-domain separation at the infrastructure level |
| D-005 External Plug and Charge outside BetterFleet CA path |
Spec D-001 |
Concretizes the spec's bounded-context separation for vehicle and ISO 15118 domains |
| D-006 Trust anchors as versioned bundle rollouts |
Spec D-005 |
Implements the spec's trust-anchor lifecycle requirement with versioning, staging, and rollback |
| D-007 Asynchronous and idempotent certificate jobs |
Spec NFR-002 |
Adds idempotency and durable job semantics to the spec's async-workflow requirement |
| D-008 Separate PKI realms per purpose |
Spec D-005 |
Maps the spec's separate-trust-domains decision into concrete AWS Private CA hierarchy design |
Requirements Traceability
| Architecture requirement |
Traces to spec requirement(s) |
Notes |
FR-001 bf-manage-core as lifecycle source of truth |
Spec FR-001, FR-002, FR-004 |
Consolidates spec inventory, state model, and single-active invariant into one architecture FR |
FR-002 bf-manage-connect as transport only |
Spec FR-006, FR-006a |
Ensures OCPP execution does not become the lifecycle source of truth |
| FR-003 CSR-driven issuance through AWS Private CA |
Spec FR-005, D-004 |
Concretizes identity validation and issuance path |
FR-004 Trust anchors as separate TrustAnchorBundle records |
Spec FR-001 (trust-anchor inventory) |
Spec treats trust anchors as part of certificate inventory; architecture separates the record type |
| FR-005 Three operating modes per certificate purpose |
Spec FR-003, FR-007, FR-008 |
Implements managed, brokered, and tracked-only modes from the spec's ownership framework |
| FR-006 Charger activation requires live-use evidence |
Spec FR-002a |
Makes the spec's purpose-specific activation verification concrete for charger mTLS reconnect |
| FR-007 External PnC tracking with evidence storage |
Spec FR-007 |
Directly implements the spec's orchestration-not-source-of-truth rule for ISO 15118 |
| FR-008 Restricted CA access through IAM |
Spec NFR-003 |
Constrains the spec's designated-service-only issuance rule via AWS IAM boundaries |
| FR-009 Unified operator certificate administration |
Spec FR-001a |
Implements the spec's operator admin view requirement in bf-manage-web |
FR-010 Migration coexistence with AuthorizationKey lifecycle |
Spec FR-009, FR-009a |
Extends the spec's migration staging with concrete Profile 2 credential handling |
| NFR-001 Idempotent jobs |
Spec NFR-002 |
Adds idempotency to the spec's async-workflow requirement |
| NFR-002 Auditability of every transition |
Spec NFR-001 |
Direct alignment |
| NFR-003 Failure isolation by family, cohort, purpose |
Spec NFR-005 |
Architecture broadens the spec's failure-visibility requirement to include isolation controls |
| NFR-004 Policy configurable by purpose and cohort |
Spec NFR-004 |
Direct alignment |
| NFR-005 Security observability |
Spec FR-010, NFR-005 |
Combines the spec's security-event and failure-visibility requirements into one observability NFR |
Build Item Traceability
| Architecture build item |
Traces to spec build item(s) |
Service |
| Certificate Lifecycle API |
Certificate Inventory + Certificate Lifecycle Service |
bf-manage-core |
| Operator Certificate Administration View |
Operator Certificate Administration View |
bf-manage-web |
| OCPP Security Orchestrator |
OCPP Certificate Orchestrator + Profile 3 Migration State Machine |
bf-manage-connect |
| AWS PKI Integration Layer |
(new; implements spec D-004, NFR-003) |
bf-manage-core restricted integration boundary |
| External Scheme Broker |
Vehicle VAS Identity Management + ISO 15118 Provisioning Tracking |
bf-manage-core integration boundary or adjacent worker |
| Trust Anchor Release Manager |
(new; implements spec D-005, FR-001 trust-anchor aspects) |
bf-manage-core or dedicated module |
Bounded Context Mapping
| Spec bounded context |
Architecture bounded context |
Service |
| Certificate Lifecycle |
Certificate Lifecycle |
bf-manage-core |
| EVSE Security Orchestration |
EVSE Security Orchestration |
bf-manage-connect |
| Vehicle Provisioning Orchestration |
External Provisioning Brokerage |
bf-manage-core integration boundary |
| (implicit in spec) |
Operator Administration |
bf-manage-web |
Spec Material Not Yet Concretized in Architecture
- The spec's Standards Crosswalk (Section 5) maps OCPP 1.6, OCPP 2.0.1, ISO 15118, and VDV 261 to BetterFleet requirements. The architecture does not repeat this crosswalk but inherits its conclusions.
- The spec's ISO 15118 and VDV Ownership Decision Framework appendix defines a certificate-purpose decision matrix that must be completed per program. The architecture references three operating modes (managed, brokered, tracked-only) but does not reproduce the full matrix.
- The spec's Profile 2 AuthorizationKey Hardening appendix details dual-slot rotation workflow, credential-baseline expectations, and rotation triggers. The architecture references
AuthorizationKey lifecycle in FR-010 but defers the detailed rotation design.
- The spec's Renewal and Validity Policy appendix preserves 180-day / T-30 / T-14 / T-7 charger certificate policy values as configurable defaults. The architecture's constraints section references these values but does not expand on policy-field configurability.
- The spec's Delivery Workstreams and Readiness Dependencies appendix maps firmware, backend, platform, PKI, and operations workstreams with concrete milestone definitions. The architecture's phased build order is consistent but less granular.
Event Dictionary Reconciliation
CertificateDeactivated: Now present in both documents.CertificateInstallRequested, CertificateRenewalStarted, and TrustAnchorReleaseRequested: Now present in both documents. These events were originally architecture-level concretizations; the spec has adopted them as conceptual events.- Provisioning event naming remains open: The spec uses
Iso15118ProvisioningStateChanged (state-progression focus, ISO 15118-specific) while the architecture uses ProvisioningOutcomeRecorded (evidence-capture focus, domain-neutral). See the spec's cross-reference appendix for a detailed analysis and recommendation. This should be resolved before implementation.