In addition to the protocol change, the origin of the certificates has been regulated much more strictly. These must now be obtained from the state-controlled Smart Metering PKI. A certificate triple must be procured for each role in the market. A triple consists of a TLS certificate, a signature certificate and an encryption certificate. In order to guarantee the best possible protection of the private keys, the keys of the signature and encryption certificate must be stored on a Hardware Security Module (HSM). The operation of an HSM was still uncharted territory for many customers, so the knowledge required for this project was correspondingly high.
„After the first three weeks of the transition phase, our customers and we can definitely draw a positive conclusion. Of course, there have been a number of questions and occasionally minor problems when exchanging messages with other manufacturers. However, the short paths between development and support were very helpful in overcoming these and were very well received by our customers.”
Stefan Cink, Director Business and Professional Services
Do I need a Hardware Security Module (HSM)?
As an active market participant, the use of an HSM is mandatory. Regarding the use of an HSM for passive market participants, the version of the Certificate Policy (CP) of the Smart Metering PKI dated 25 January 2023 (version 1.1.2) states that ‘[…] passive EMTs must use cryptographic modules that are at least compliant with the Key Lifecycle Security Requirements – Security Level 1. […] The specific requirements for the cryptographic modules must be derived by each market participant in accordance with the security concept to be drawn up by them.’ We therefore recommend that all market participants use an HSM.
Which certificates do I need?
As mentioned above, all market participants must obtain the required certificates from a registered Sub CA of the Smart Metering PKI. A list of these Sub CAs can be found on the corresponding page of the BSI.
We strongly recommend that the certificate request process is carried out as soon as possible. The issuing guidelines stipulate that a certificate triple must first be requested from the test CA of the respective CA. After the prescribed integration tests have been successfully completed, the customer then receives the triple from the active CA. NoSpamProxy provides the applicant with the best possible support during each of the individual steps.
How do I set up AS4 in NoSpamProxy?
Once the customer has stored their own market partner master data in NoSpamProxy and the certificates have been imported, the rest of the communication is largely automatic. Only the initial communication with a new market partner requires a manual step to exchange the appropriate certificates. Even this step is almost completely automated, only the AS4 communication needs to be requested. The certificate search is carried out by NoSpamProxy in the background.
High degree of automation and predictable costs
Not only the sophisticated technology with a high degree of automation, but also the attractive pricing of the new module were and are good reasons for customers in the energy sector to opt for NoSpamProxy as an AS4 gateway. In contrast to many market competitors, our customers benefit from predictable costs and are not negatively surprised by subsequent payments at the end of the year.
Switch to AS4 now
With NoSpamProxy, you can reliably protect your company from cyber attacks and benefit from seamless integration with AS4. Request your free trial version now!