EVCB_OCPP.OCPPServer.16J/cert.patch

diff --git a/EVCB_OCPP.WSServer/DLL/EVCB_OCPP.Packet.dll b/EVCB_OCPP.WSServer/DLL/EVCB_OCPP.Packet.dll
index 42f3575..e8dce54 100644
Binary files a/EVCB_OCPP.WSServer/DLL/EVCB_OCPP.Packet.dll and b/EVCB_OCPP.WSServer/DLL/EVCB_OCPP.Packet.dll differ
diff --git a/EVCB_OCPP.WSServer/Message/CoreProfileHandler.cs b/EVCB_OCPP.WSServer/Message/CoreProfileHandler.cs
index 1698606..0cb0fea 100644
--- a/EVCB_OCPP.WSServer/Message/CoreProfileHandler.cs
+++ b/EVCB_OCPP.WSServer/Message/CoreProfileHandler.cs
@@ -72,6 +72,7 @@ public partial class ProfileHandler
     //private readonly IDbContextFactory<MeterValueDBContext> metervaluedbContextFactory;
     private readonly IBusinessServiceFactory businessServiceFactory;
     private readonly IMainDbService mainDbService;
+    private readonly CertificateService certService;
     private OuterHttpClient httpClient;
 
     public ProfileHandler(
@@ -82,6 +83,7 @@ public partial class ProfileHandler
         MeterValueDbService meterValueDbService,
         IBusinessServiceFactory businessServiceFactory,
         IMainDbService mainDbService,
+        CertificateService certService,
         ILogger<ProfileHandler> logger,
         OuterHttpClient httpClient)
     {
@@ -93,6 +95,7 @@ public partial class ProfileHandler
         this.webDbConnectionFactory = webDbConnectionFactory;
         this.meterValueDbService = meterValueDbService;
         this.mainDbService = mainDbService;
+        this.certService = certService;
         //this.metervaluedbContextFactory = metervaluedbContextFactory;
         this.businessServiceFactory = businessServiceFactory;
         this.httpClient = httpClient;
diff --git a/EVCB_OCPP.WSServer/Message/SecurityProfileHandler.cs b/EVCB_OCPP.WSServer/Message/SecurityProfileHandler.cs
index 96b07ba..cd277eb 100644
--- a/EVCB_OCPP.WSServer/Message/SecurityProfileHandler.cs
+++ b/EVCB_OCPP.WSServer/Message/SecurityProfileHandler.cs
@@ -3,12 +3,20 @@ using EVCB_OCPP.Packet.Messages;
 using System;
 using Microsoft.Extensions.Logging;
 using EVCB_OCPP.WSServer.Service.WsService;
+using EVCB_OCPP.Packet.Messages.RemoteTrigger;
+using Microsoft.EntityFrameworkCore;
+using EVCB_OCPP.Packet.Messages.Security;
+using Microsoft.IdentityModel.Tokens;
+using System.Runtime.ConstrainedExecution;
+using System.Security.Cryptography.X509Certificates;
+using System.Security.Cryptography;
+using System.Text.RegularExpressions;
 
 namespace EVCB_OCPP.WSServer.Message
 {
     public partial class ProfileHandler
     {
-        internal MessageResult ExecuteSecurityRequest(Actions action, WsClientData session, IRequest request)
+        internal async Task<MessageResult> ExecuteSecurityRequest(Actions action, WsClientData session, IRequest request)
         {
             MessageResult result = new MessageResult() { Success = false };
 
@@ -16,8 +24,68 @@ namespace EVCB_OCPP.WSServer.Message
             {
                 switch (action)
                 {
+                    case Actions.SignCertificate:
+                        {
+                            SignCertificateRequest _request = request as SignCertificateRequest;
+                            SignCertificateConfirmation confirm = new();
+
+                            if (string.IsNullOrEmpty(_request.csr))
+                            {
+                                result.Success = false;
+                                return result;
+                            }
 
+                            bool isCsrValid = CheckCsr(session.ChargeBoxId, _request.csr);
+                            if (!isCsrValid)
+                            {
+                                confirm.status = Packet.Messages.SubTypes.GenericStatusEnumType.Rejected;
+                                result.Message = confirm;
+                                result.Success = false;
+                                return result;
+                            }
+                            _ = certService.SignCertificate(session.ChargeBoxId, _request.csr);
 
+                            confirm.status = Packet.Messages.SubTypes.GenericStatusEnumType.Accepted;
+                            result.Message = confirm;
+                            result.Success = true;
+                            return result;
+                        }
+                    case Actions.SecurityEventNotification:
+                        {
+                            SecurityEventNotificationRequest _request = request as SecurityEventNotificationRequest;
+                            SecurityEventNotificationConfirmation confirm = new();
+
+                            logger.LogInformation("{chargeBoxId} security notification {sects} {sectype} {secmsg}", session.ChargeBoxId, _request.timestamp, _request.type, _request.techInfo);
+
+                            result.Message = confirm;
+                            result.Success = true;
+                            return result;
+                        }
+                    case Actions.LogStatusNotification:
+                        {
+                            LogStatusNotificationRequest _request = request as LogStatusNotificationRequest;
+                            LogStatusNotificationConfirmation confirm = new();
+
+                            if (_request.status != Packet.Messages.SubTypes.UploadLogStatusEnumType.Idle)
+                            {
+                                using (var db = await maindbContextFactory.CreateDbContextAsync())
+                                {
+                                    var item = await db.MachineOperateRecords.Where(x => x.ChargeBoxId == session.ChargeBoxId && x.Action == "GetLog" && x.RequestType == 1)
+                                        .OrderByDescending(x => x.CreatedOn).FirstOrDefaultAsync();
+                                    if (item != null)
+                                    {
+                                        item.EvseStatus = (int)_request.status;
+                                        item.FinishedOn = DateTime.UtcNow;
+                                    }
+
+                                    await db.SaveChangesAsync();
+                                }
+
+                            }
+                            result.Message = confirm;
+                            result.Success = true;
+                            return result;
+                        }
                     default:
                         {
                             logger.LogWarning(string.Format("Not Implement {0} Logic(ExecuteCoreRequest)", request.GetType().ToString().Replace("OCPPPackage.Messages.Core.", "")));
@@ -37,13 +105,141 @@ namespace EVCB_OCPP.WSServer.Message
 
             return result;
         }
-        internal MessageResult ExecuteSecurityConfirm(Actions action, WsClientData session, IConfirmation confirm, string requestId)
+
+        private bool CheckCsr(string chargeBoxId, string csrString)
+        {
+            string subject = certService.GetCertificateRequestSubject(csrString);
+            logger.LogInformation("{chargeBoxId} send scr {subject}", chargeBoxId, subject);
+            if (subject == null)
+            {
+                return false;
+            }
+
+            Dictionary<string,string> csrInfo = certService.SubjectToDictionary(subject);
+            if (csrInfo == null ||
+                !csrInfo.ContainsKey("CN") ||
+                csrInfo["CN"] != chargeBoxId)
+            {
+                return false;
+            }
+            return true;
+        }
+
+        internal async Task<MessageResult> ExecuteSecurityConfirm(Actions action, WsClientData session, IConfirmation confirm, string requestId)
         {
             MessageResult result = new MessageResult() { Success = false };
 
             switch (action)
             {
-
+                case Actions.ExtendedTriggerMessage:
+                    {
+                        ExtendedTriggerMessageConfirmation _confirm = confirm as ExtendedTriggerMessageConfirmation;
+                        //ExtendedTriggerMessageRequest _request = _confirm.GetRequest() as ExtendedTriggerMessageRequest;
+                        using (var db = await maindbContextFactory.CreateDbContextAsync())
+                        {
+                            var operation = await db.MachineOperateRecords.Where(x => x.SerialNo == requestId &&
+                            x.ChargeBoxId == session.ChargeBoxId && x.Status == 0).FirstOrDefaultAsync();
+                            if (operation != null)
+                            {
+                                operation.FinishedOn = DateTime.UtcNow;
+                                operation.Status = 1;//電樁有回覆
+                                operation.EvseStatus = (int)_confirm.status;//OK
+                                operation.EvseValue = _confirm.status.ToString();
+                                await db.SaveChangesAsync();
+                            }
+                        }
+                    }
+                    break;
+                case Actions.CertificateSigned:
+                    {
+                        CertificateSignedConfirmation _confirm = confirm as CertificateSignedConfirmation;
+                        using (var db = await maindbContextFactory.CreateDbContextAsync())
+                        {
+                            var operation = await db.MachineOperateRecords.Where(x => x.SerialNo == requestId &&
+                            x.ChargeBoxId == session.ChargeBoxId && x.Status == 0).FirstOrDefaultAsync();
+                            if (operation != null)
+                            {
+                                operation.FinishedOn = DateTime.UtcNow;
+                                operation.Status = 1;//電樁有回覆
+                                operation.EvseStatus = (int)_confirm.status;//OK
+                                operation.EvseValue = _confirm.status.ToString();
+                                await db.SaveChangesAsync();
+                            }
+                        }
+                    }
+                    break;
+                case Actions.GetInstalledCertificateIds:
+                    {
+                        GetInstalledCertificateIdsConfirmation _confirm = confirm as GetInstalledCertificateIdsConfirmation;
+                        using (var db = await maindbContextFactory.CreateDbContextAsync())
+                        {
+                            var operation = await db.MachineOperateRecords.Where(x => x.SerialNo == requestId &&
+                            x.ChargeBoxId == session.ChargeBoxId && x.Status == 0).FirstOrDefaultAsync();
+                            if (operation != null)
+                            {
+                                operation.FinishedOn = DateTime.UtcNow;
+                                operation.Status = 1;//電樁有回覆
+                                operation.EvseStatus = (int)_confirm.status;//OK
+                                operation.EvseValue = _confirm.status.ToString();
+                                await db.SaveChangesAsync();
+                            }
+                        }
+                    }
+                    break;
+                case Actions.DeleteCertificate:
+                    {
+                        DeleteCertificateConfirmation _confirm = confirm as DeleteCertificateConfirmation;
+                        using (var db = await maindbContextFactory.CreateDbContextAsync())
+                        {
+                            var operation = await db.MachineOperateRecords.Where(x => x.SerialNo == requestId &&
+                            x.ChargeBoxId == session.ChargeBoxId && x.Status == 0).FirstOrDefaultAsync();
+                            if (operation != null)
+                            {
+                                operation.FinishedOn = DateTime.UtcNow;
+                                operation.Status = 1;//電樁有回覆
+                                operation.EvseStatus = (int)_confirm.status;//OK
+                                operation.EvseValue = _confirm.status.ToString();
+                                await db.SaveChangesAsync();
+                            }
+                        }
+                    }
+                    break;
+                case Actions.InstallCertificate:
+                    {
+                        InstallCertificateConfirmation _confirm = confirm as InstallCertificateConfirmation;
+                        using (var db = await maindbContextFactory.CreateDbContextAsync())
+                        {
+                            var operation = await db.MachineOperateRecords.Where(x => x.SerialNo == requestId &&
+                            x.ChargeBoxId == session.ChargeBoxId && x.Status == 0).FirstOrDefaultAsync();
+                            if (operation != null)
+                            {
+                                operation.FinishedOn = DateTime.UtcNow;
+                                operation.Status = 1;//電樁有回覆
+                                operation.EvseStatus = (int)_confirm.status;//OK
+                                operation.EvseValue = _confirm.status.ToString();
+                                await db.SaveChangesAsync();
+                            }
+                        }
+                    }
+                    break;
+                case Actions.GetLog:
+                    {
+                        GetLogConfirmation _confirm = confirm as GetLogConfirmation;
+                        using (var db = await maindbContextFactory.CreateDbContextAsync())
+                        {
+                            var operation = await db.MachineOperateRecords.Where(x => x.SerialNo == requestId &&
+                            x.ChargeBoxId == session.ChargeBoxId && x.Status == 0).FirstOrDefaultAsync();
+                            if (operation != null)
+                            {
+                                operation.FinishedOn = DateTime.UtcNow;
+                                operation.Status = 1;//電樁有回覆
+                                operation.EvseStatus = (int)_confirm.status;//OK
+                                operation.EvseValue = _confirm.status.ToString();
+                                await db.SaveChangesAsync();
+                            }
+                        }
+                    }
+                    break;
                 default:
                     {
                         logger.LogWarning(string.Format("Not Implement {0} Logic", confirm.GetType().ToString().Replace("OCPPPackage.Messages.RemoteTrigger.", "")));
diff --git a/EVCB_OCPP.WSServer/Program.cs b/EVCB_OCPP.WSServer/Program.cs
index a2b2b57..493bd08 100644
--- a/EVCB_OCPP.WSServer/Program.cs
+++ b/EVCB_OCPP.WSServer/Program.cs
@@ -8,6 +8,8 @@ using Microsoft.AspNetCore.Hosting;
 using EVCB_OCPP.WSServer.Service.WsService;
 using EVCB_OCPP.Service;
 using Microsoft.Extensions.Logging;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
 
 namespace EVCB_OCPP.WSServer
 {
@@ -51,11 +53,19 @@ namespace EVCB_OCPP.WSServer
                     //services.AddTransient<BlockingTreePrintService>();
                     //services.AddTransient<GoogleGetTimePrintService>();
                 });
+            builder.WebHost.ConfigureKestrel(opt => {
+                opt.ConfigureHttpsDefaults(opt =>
+                {
+                    opt.ClientCertificateMode = Microsoft.AspNetCore.Server.Kestrel.Https.ClientCertificateMode.AllowCertificate;
+                    opt.ClientCertificateValidation = ValidateClientCertficatel;
+                });
+            });
             var app = builder.Build();
             app.UseHeaderRecordService();
             app.UseOcppWsService();
             app.MapApiServce();
             app.Urls.Add("http://*:80");
+            app.Urls.Add("https://*:443");
             app.Run();
         }
 
@@ -69,5 +79,10 @@ namespace EVCB_OCPP.WSServer
             }
             return timevalue;
         }
+
+        private static bool ValidateClientCertficatel(X509Certificate2 clientCertificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
+        {
+            return true;
+        }
     }
 }
diff --git a/EVCB_OCPP.WSServer/ProtalServer.cs b/EVCB_OCPP.WSServer/ProtalServer.cs
index 4a5cebc..a16a7f8 100644
--- a/EVCB_OCPP.WSServer/ProtalServer.cs
+++ b/EVCB_OCPP.WSServer/ProtalServer.cs
@@ -21,6 +21,8 @@ using System.Net;
 using System.Text;
 using EVCB_OCPP.WSServer.Service.WsService;
 using System.ServiceModel.Channels;
+using EVCB_OCPP.Packet.Messages.RemoteTrigger;
+using EVCB_OCPP.Packet.Messages.Security;
 
 namespace EVCB_OCPP.WSServer
 {
@@ -697,6 +699,18 @@ namespace EVCB_OCPP.WSServer
                                 {
                                     session.IsCheckIn = true;
 
+                                    if (session.IsSignedByCPO == false)
+                                    {
+                                        var _request = new ExtendedTriggerMessageRequest()
+                                        {
+                                            requestedMessage = Packet.Messages.SubTypes.MessageTriggerEnumType.SignChargePointCertificate
+                                        };
+
+                                        var uuid = session.queue.store(_request);
+                                        string rawRequest = BasicMessageHandler.GenerateRequest(uuid, _request.Action, _request);
+                                        SendMsg(session, rawRequest, string.Format("{0} {1}", _request.Action, "Request"), "");
+                                    }
+
                                     await messageService.SendGetEVSEConfigureRequest(session.ChargeBoxId);
 
                                     await messageService.SendChangeConfigurationRequest(
@@ -831,7 +845,7 @@ namespace EVCB_OCPP.WSServer
                     break;
                 case "Security":
                     {
-                        var replyResult = profileHandler.ExecuteSecurityRequest(action, session, (IRequest)analysisResult.Message);
+                        var replyResult = await profileHandler.ExecuteSecurityRequest(action, session, (IRequest)analysisResult.Message);
                         if (replyResult.Success)
                         {
                             string response = BasicMessageHandler.GenerateConfirmation(analysisResult.UUID, (IConfirmation)replyResult.Message);
@@ -905,7 +919,7 @@ namespace EVCB_OCPP.WSServer
                         break;
                     case "Security":
                         {
-                            confirmResult = profileHandler.ExecuteSecurityConfirm(action, session, (IConfirmation)analysisResult.Message, analysisResult.RequestId);
+                            confirmResult = await profileHandler.ExecuteSecurityConfirm(action, session, (IConfirmation)analysisResult.Message, analysisResult.RequestId);
                         }
                         break;
                     default:
diff --git a/EVCB_OCPP.WSServer/Service/CertificateService.cs b/EVCB_OCPP.WSServer/Service/CertificateService.cs
new file mode 100644
index 0000000..2f19f25
--- /dev/null
+++ b/EVCB_OCPP.WSServer/Service/CertificateService.cs
@@ -0,0 +1,142 @@
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http.Json;
+using System.Runtime;
+using System.Runtime.ConstrainedExecution;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using System.Text.RegularExpressions;
+using System.Threading.Tasks;
+
+namespace EVCB_OCPP.WSServer.Service
+{
+    public class CertificateService
+    {
+
+        public CertificateService(
+            ServerMessageService messageService,
+            IConfiguration configuration, 
+            ILogger<CertificateService> logger)
+        {
+            _serverUrl = configuration["CertificateServerUrl"];
+            _cpon = configuration["ChargingPointOperator"];
+            this.messageService = messageService;
+            this.logger = logger;
+        }
+        private readonly string _serverUrl;
+        private readonly string _cpon;
+        private readonly ServerMessageService messageService;
+        private readonly ILogger<CertificateService> logger;
+
+        public async Task SignCertificate(string chargeBoxId, string csr)
+        {
+            HttpClient client = new HttpClient();
+            client.BaseAddress = new Uri(_serverUrl);
+            var signResult = await client.PostAsJsonAsync("cert/csr", new { csr = csr });
+            if (!signResult.IsSuccessStatusCode)
+            {
+                logger.LogWarning("{chargeBoxId} csr failed {csr}", chargeBoxId, csr);
+                return;
+            }
+            var crt = await signResult.Content.ReadAsStringAsync();
+            await messageService.SendCertificateSignedRequest(chargeBoxId, crt);
+            client.Dispose();
+        }
+
+        public Task<int> CheckClientCertificate(string chargeboxId, X509Certificate2 cert)
+        {
+            return CheckClientCertificate(chargeboxId, cert.ExportCertificatePem());
+        }
+
+        public async Task<int> CheckClientCertificate(string chargeboxId, string certString)
+        {
+            var subject = GetCertificateSubject(certString);
+            logger.LogInformation("{chargeboxId} with cert subject {subject}", chargeboxId, subject);
+            if (string.IsNullOrEmpty(subject))
+            {
+                return -1;
+            }
+
+            var crtInfo = SubjectToDictionary(subject);
+            if (crtInfo == null ||
+                //!crtInfo.ContainsKey("O") ||
+                //crtInfo["O"] != _cpon ||
+                !crtInfo.ContainsKey("CN") ||
+                crtInfo["CN"] != chargeboxId)
+            {
+                return -1;
+            }
+
+            int certServerResult = await CheckClientCertificateRca(certString);
+            logger.LogInformation("{chargeboxId} with cert authenticate {subject}", chargeboxId, certServerResult);
+            return certServerResult;
+        }
+
+        public async Task<int> CheckClientCertificateRca(string certString)
+        {
+            using HttpClient client = new HttpClient();
+            client.BaseAddress = new Uri(_serverUrl);
+            var result = await client.PutAsJsonAsync("cert/crt", new { crt = certString });
+            if (!result.IsSuccessStatusCode)
+            {
+                return -1;
+            }
+            var resultContentString = await result.Content.ReadAsStringAsync();
+            return Convert.ToInt32(resultContentString);
+        }
+
+        public Dictionary<string, string> SubjectToDictionary(string subject)
+        {
+            try
+            {
+                MatchCollection regexResult = Regex.Matches(subject, "([a-zA-Z]*)=([a-zA-Z0-9]*)");
+                if (regexResult.Count == 0)
+                {
+                    return null;
+                }
+                return regexResult.Where(x => x.Success == true && x.Groups.Count == 3).ToDictionary(x => x.Groups[1].Value, x => x.Groups[2].Value);
+            }
+            catch (Exception e)
+            {
+                logger.LogCritical(e.Message);
+                logger.LogCritical(e.StackTrace);
+                return null;
+            }
+        }
+
+        public string GetCertificateSubject(string crt)
+        {
+
+            try
+            {
+                byte[] bytes = Encoding.ASCII.GetBytes(crt);
+                var clientCertificate = new X509Certificate2(bytes);
+
+                return clientCertificate.Subject;
+            }
+            catch
+            {
+                return null;
+            }
+        }
+
+        public string GetCertificateRequestSubject(string csrString)
+        {
+
+            try
+            {
+                var csr = CertificateRequest.LoadSigningRequestPem(csrString, HashAlgorithmName.SHA512);
+                var test = csr.SubjectName.Name;
+                return test;
+            }
+            catch
+            {
+                return null;
+            }
+        }
+    }
+}
diff --git a/EVCB_OCPP.WSServer/Service/ServerMessageService.cs b/EVCB_OCPP.WSServer/Service/ServerMessageService.cs
index 9a3b0e2..6379c21 100644
--- a/EVCB_OCPP.WSServer/Service/ServerMessageService.cs
+++ b/EVCB_OCPP.WSServer/Service/ServerMessageService.cs
@@ -1,6 +1,9 @@
 using EVCB_OCPP.Packet.Features;
 using EVCB_OCPP.Packet.Messages.Core;
 using Microsoft.Extensions.Logging;
+using static System.Runtime.InteropServices.JavaScript.JSType;
+using System.ServiceModel.Channels;
+using EVCB_OCPP.Packet.Messages.Security;
 
 namespace EVCB_OCPP.WSServer.Service;
 
@@ -52,4 +55,16 @@ public class ServerMessageService
             }
             );
     }
+
+    internal Task SendCertificateSignedRequest(string chargeBoxId, string crt)
+    {
+        return mainDbService.AddServerMessage(
+            ChargeBoxId: chargeBoxId,
+            OutAction: Actions.SignCertificate.ToString(),
+            OutRequest: new CertificateSignedRequest()
+            {
+                certificateChain = crt
+            }
+            );
+    }
 }
diff --git a/EVCB_OCPP.WSServer/Service/WsService/OcppWebsocketService.cs b/EVCB_OCPP.WSServer/Service/WsService/OcppWebsocketService.cs
index ba1df1c..8cd38ae 100644
--- a/EVCB_OCPP.WSServer/Service/WsService/OcppWebsocketService.cs
+++ b/EVCB_OCPP.WSServer/Service/WsService/OcppWebsocketService.cs
@@ -5,6 +5,7 @@ using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using System.Net.WebSockets;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 
 namespace EVCB_OCPP.WSServer.Service.WsService;
@@ -13,6 +14,7 @@ public static partial class AppExtention
 {
     public static void AddOcppWsServer(this IServiceCollection services)
     {
+        services.AddTransient<CertificateService>();
         services.AddTransient<WsClientData>();
         services.AddSingleton<OcppWebsocketService>();
     }
@@ -45,6 +47,7 @@ public class OcppWebsocketService : WebsocketService<WsClientData>
 
     private readonly IConfiguration configuration;
     private readonly IMainDbService mainDbService;
+    private readonly CertificateService certificateService;
     private readonly ILogger<OcppWebsocketService> logger;
 
     private readonly QueueSemaphore handshakeSemaphore;
@@ -53,11 +56,13 @@ public class OcppWebsocketService : WebsocketService<WsClientData>
         IConfiguration configuration,
         IServiceProvider serviceProvider,
         IMainDbService mainDbService,
+        CertificateService certificateService,
         ILogger<OcppWebsocketService> logger
         ) : base(serviceProvider)
     {
         this.configuration = configuration;
         this.mainDbService = mainDbService;
+        this.certificateService = certificateService;
         this.logger = logger;
 
         handshakeSemaphore = new QueueSemaphore(5);
@@ -182,11 +187,46 @@ public class OcppWebsocketService : WebsocketService<WsClientData>
             securityProfile = 0;
         }
 
-        if (securityProfile == 3 && session.UriScheme == "ws")
+        if (securityProfile == 3 )
         {
-            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
-            logger.LogTrace("{id} {func} {Statuscode}", context.TraceIdentifier, nameof(ValidateHandshake), context.Response.StatusCode);
-            return false;
+            if (session.UriScheme == "ws")
+            {
+                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                logger.LogTrace("{id} {func} {Statuscode}", context.TraceIdentifier, nameof(ValidateHandshake), context.Response.StatusCode);
+                return false;
+            }
+
+            X509Certificate2 clientCertificate = null;
+            if (context.Request.Headers.ContainsKey("X-ARR-ClientCert"))
+            {
+                byte[] bytes = Encoding.ASCII.GetBytes(context.Request.Headers["X-ARR-ClientCert"]);
+                clientCertificate = new X509Certificate2(bytes);
+            }
+            if (context.Connection.ClientCertificate is not null)
+            {
+                clientCertificate = context.Connection.ClientCertificate;
+            }
+            if (clientCertificate is  null)
+            {
+                clientCertificate = await context.Connection.GetClientCertificateAsync();
+            }
+            if (clientCertificate == null)
+            {
+                context.Response.StatusCode = StatusCodes.Status401Unauthorized; 
+                logger.LogTrace("{id} {func} {Statuscode}", context.TraceIdentifier, nameof(ValidateHandshake), context.Response.StatusCode);
+                return false;
+            }
+
+            int checkResult =  await certificateService.CheckClientCertificate(session.ChargeBoxId, clientCertificate);
+            if (checkResult == -1)
+            {
+                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                logger.LogTrace("{id} {func} {Statuscode}", context.TraceIdentifier, nameof(ValidateHandshake), context.Response.StatusCode);
+                return false;
+            }
+
+            session.IsSignedByCPO = checkResult == 0;
+            return true;
         }
 
         if (securityProfile == 1 || securityProfile == 2)
diff --git a/EVCB_OCPP.WSServer/Service/WsService/WsClientData.cs b/EVCB_OCPP.WSServer/Service/WsService/WsClientData.cs
index 30b3365..486eaa3 100644
--- a/EVCB_OCPP.WSServer/Service/WsService/WsClientData.cs
+++ b/EVCB_OCPP.WSServer/Service/WsService/WsClientData.cs
@@ -74,6 +74,7 @@ public class WsClientData : WsSession
     public string CustomerName { get; set; }
 
     public string StationId { set; get; }
+    public bool? IsSignedByCPO { set; get; } = null;
 
     public event EventHandler<string> m_ReceiveData;
 
diff --git a/EVCB_OCPP.WSServer/appsettings.json b/EVCB_OCPP.WSServer/appsettings.json
index b52e084..8e7b622 100644
--- a/EVCB_OCPP.WSServer/appsettings.json
+++ b/EVCB_OCPP.WSServer/appsettings.json
@@ -4,6 +4,7 @@
   "LocalAuthAPI": "",
   "apipass": "12345678",
   "LogProvider": "NLog",
+  "CertificateServerUrl": "http://localhost:81/",
   "OCPP20_WSUrl": "ws://ocpp.phihong.com.tw:5004",
   "OCPP20_WSSUrl": "ws://ocpp.phihong.com.tw:5004",
   "MaintainMode": 0,