The PKI utilises a four-level Certificate Authority (CA) trust hierarchy as defined by the IEEE 2030.5 standard, with separate test and production environments.
- Smart Energy Root CA (SERCA): This is the highest level, maintained offline with strict security procedures. Currently held in the US, with plans to establish one in Australia.
- Manufacturer CA (MCA - Direct Connect): An online CA used specifically for Direct Connect OEMs, improving the onboarding speed of OEM MICAs. It is issued by the SERCA.
- Manufacturer Issuing CAs (MICAs):
◦ OEM MICA (Direct Connect): Managed offline by OEMs currently, allowing for simplified OEM support across multiple DNSPs. Plans are in place to move these to online MICAs for enhanced security. Issued by the Direct Connect MCA.
◦ DNSP MICA: Online and accessible via the DigiCert PKI hosting platform, allowing for segregation between DNSPs. Issued by the SERCA.
- Device Certificates:
◦ Utility Server Certificates: Issued by DNSP MICAs for DNSP Utility Servers.
◦ Aggregator Certificates: Issued by DNSP MICAs for OEM Aggregator infrastructure.
◦ Device Certificates (Direct Connect): Issued by OEM MICAs directly to CER devices.
Each certificate type adheres to specific profiles defined by the IEEE 2030.5 standard, including details on issuer, subject name, extensions (like keyUsage and basicConstraints), and certificate policies.
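A metadata-only check of the issuance rules listed above, added here as an example and not taken from the page or from IEEE 2030.5. The role labels, subject names and key-usage values on the sample certificates are constructed, and no signatures are verified.

```python
# Issuance rules transcribed from the hierarchy described above.
# Role labels are names chosen for this example, not IEEE 2030.5 identifiers.
ALLOWED_ISSUER = {
    "SERCA": "SERCA",  # the root is self-issued
    "MCA_DIRECT_CONNECT": "SERCA",
    "OEM_MICA": "MCA_DIRECT_CONNECT",
    "DNSP_MICA": "SERCA",
    "UTILITY_SERVER": "DNSP_MICA",
    "AGGREGATOR": "DNSP_MICA",
    "DEVICE_DIRECT_CONNECT": "OEM_MICA",
}
CA_ROLES = {"SERCA", "MCA_DIRECT_CONNECT", "OEM_MICA", "DNSP_MICA"}

# Hypothetical helper: a certificate reduced to the fields checked below.
def cert(subject, issuer, role, ca, key_usage):
    return dict(subject=subject, issuer=issuer, role=role, ca=ca, key_usage=set(key_usage))

def check_chain(chain):
    """Return the list of violations for a leaf-first chain ending at the root."""
    if not chain:
        return ["empty chain"]
    errors = []
    for i, c in enumerate(chain):
        name, role = c["subject"], c["role"]
        if role not in ALLOWED_ISSUER:
            errors.append(f"{name}: unknown role {role}")
            continue
        # basicConstraints cA and keyUsage keyCertSign belong on CA tiers only.
        if c["ca"] != (role in CA_ROLES):
            errors.append(f"{name}: basicConstraints cA={c['ca']} wrong for {role}")
        if ("keyCertSign" in c["key_usage"]) != (role in CA_ROLES):
            errors.append(f"{name}: keyCertSign mismatch for {role}")
        parent = chain[i + 1] if i + 1 < len(chain) else c
        if parent is c and role != "SERCA":
            errors.append(f"{name}: chain does not terminate at SERCA")
        elif c["issuer"] != parent["subject"]:
            errors.append(f"{name}: issuer name does not match {parent['subject']}")
        elif parent["role"] != ALLOWED_ISSUER[role]:
            errors.append(f"{name}: {role} must be issued by {ALLOWED_ISSUER[role]}")
    return errors

# Constructed sample certificates (placeholder names and key usages).
ROOT = cert("SERCA", "SERCA", "SERCA", True, ["keyCertSign"])
MCA = cert("DC-MCA", "SERCA", "MCA_DIRECT_CONNECT", True, ["keyCertSign"])
OEM = cert("OEM-MICA", "DC-MCA", "OEM_MICA", True, ["keyCertSign"])
DNSP = cert("DNSP-MICA", "SERCA", "DNSP_MICA", True, ["keyCertSign"])
DEVICE = cert("device-1", "OEM-MICA", "DEVICE_DIRECT_CONNECT", False, ["digitalSignature"])
GOOD_DIRECT = [DEVICE, OEM, MCA, ROOT]
BAD_PARENT = [cert("device-2", "DNSP-MICA", "DEVICE_DIRECT_CONNECT", False, ["digitalSignature"]), DNSP, ROOT]
```

`check_chain(GOOD_DIRECT)` returns an empty list, while `check_chain(BAD_PARENT)` reports a Direct Connect device certificate issued under a DNSP MICA instead of an OEM MICA.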