OCPP Certification Process: A Step-by-Step Guide to Passing OCA on the First Attempt

What OCA Certification Actually Proves (and What It Doesn't)

A lot of manufacturers treat OCA certification as a broad stamp of approval. That's not what it is.

The OCPP certification process is a precise, version-locked check that a specific firmware build, running on a defined hardware setup, correctly carries out the communication structures set out by the Open Charge Alliance.

What OCPP certification confirms:

• Your device correctly sends and receives standardized JSON payloads over persistent websocket connections
• Mandatory functions, including BootNotification, transaction authorization, remote configuration, and basic CSMS control, work exactly as the protocol sets out
• The firmware declared in your PICS document passes every related test case in the OCTT

What OCPP certification does not confirm:

• Universal network access. Knowing OCPP certification doesn't let you connect to any public charger. Access is controlled by the Charge Point Operator, not the protocol.
• Hardware safety. Electrical safety, thermal resilience, and physical standards such as IK10 impact resistance are tested separately by bodies like UL, not the OCA.
• Operational uptime. Programs like NEVI and CALeVIP separately mandate 97% uptime over five years. The badge proves your software can report status, not that your hardware will stay online.
  

OCA certification is one foundational part of a much larger compliance picture, not the whole picture.

The Four Certification Labs: DEKRA, DNV, KSGA, and the New Entrants

The OCA doesn't carry out testing itself. Testing gets handed off to a small group of accredited, independent laboratories, and your choice of lab directly affects your go-to-market timeline.

The three legacy institutions that have led this space in the OCPP certification process:

• DEKRA operates out of Arnhem (Netherlands), Sterling (Virginia), and Concord (California). For a significant period, DEKRA was the only OCA-accredited lab in North America for full OCPP 1.6 conformance testing, making them the primary gateway for US market entry.
  
• DNV runs facilities in Arnhem, Rochester (New York), and Singapore, giving them strong reach into both North American and Asia-Pacific markets.
  
• KSGA (Korea Smart Grid Association) is based in Seoul, serving the South Korean automotive and smart grid sector.
  

The key advantage of this global testing lab network: The OCPP certification earned at any single accredited lab is recognized worldwide. You don't need to test in every region.

The 5 Artifacts You Need Before You Book the Lab

Labs will not start testing without a complete pre-submission package. Showing up without any one of these five artifacts leads to immediate rejection, loss of your deposit, and a delay that could wipe out an entire funding cycle.

1. PICS Document: What to Declare and What to Leave Out

The Protocol Implementation Conformance Statement is the most sensitive document in the entire process. The document lays out exactly which OCPP certification features and optional profiles your device supports, and the lab only tests what you put down.

Vendors are often tempted to put down every optional profile to boost the certificate's commercial appeal. Don't. Declaring an optional profile, such as Smart Charging, ISO 15118, or Advanced Security, makes it a required part of that certification run. One failure in any declared profile takes down the entire submission.

Experienced compliance engineers stick to a conservative declaration rule: only put down what your firmware carries out perfectly under the most demanding test conditions. The mandatory profile is non-negotiable. Everything else gets declared only when it has been thoroughly pre-tested and is needed for your target customer base.

2. Test Reports from OCTT (the OCA Compliance Testing Tool)

The OCTT is a software tool provided by the OCA that runs the exact same test cases the independent labs use. Before booking a lab, your team must run thorough internal OCTT cycles and turn out clean pass reports across every profile declared in your PICS.

Labs are not there to fix broken software. Sending in a device without clean OCTT reports is a costly mistake, as formal certification runs cost upwards of 5,000 to 16,500 euros per attempt regardless of outcome.

Your internal OCTT reports do two things: they give the lab baseline confidence in your device's stability, and they bring up behavioral issues in your asynchronous message handling before the fee clock starts.

Zero anomalies. That's the bar. Any flag the OCTT throws up internally will turn into a hard failure at the lab.

3. PKI Material for Security Profile 3

Advanced Security (Security Profile 3) calls for Transport Layer Security with strict client authentication.

To test this profile before your OCPP certification process, you must hand over complete Public Key Infrastructure material before the session kicks off, including root certificates, intermediate certificate authorities, and the client certificates needed to set up a mutually authenticated cryptographic handshake.

The lab uses these artifacts to check that your device correctly encrypts websocket payloads, parses certificate chains, deals with certificate expiration, and cuts off connections when presented with revoked or broken certificates.

Incomplete PKI material, or cipher suites that don't line up with the protocol's cryptographic standards, stops the lab from getting the test sequence off the ground at all.

4. Charger Configuration Snapshot

Certification depends on absolute consistency. The same inputs must reliably produce the same outputs every time.

Your charger configuration snapshot is a full readout of every readable and writable configuration key, including heartbeat intervals, authorization timeout thresholds, websocket retry algorithms, connector counts, and meter value sample intervals.

Any gap between your declared configuration and actual runtime behavior is immediate grounds for failure during the OCPP certification process.

If your snapshot puts down 60-second meter value intervals and your device transmits at 30 seconds, the test fails. Lock the configuration down, apply version control, and cross-reference it against your PICS before sending anything in.

5. Firmware Version Freeze

The certificate issued by the OCA ties directly to one specific firmware build. That means a cryptographic hash of your compiled codebase must stay completely untouched from the moment internal OCTT checks wrap up your OCPP certification process until the lab sends out its final report.

No patches. No bug fixes. No commits of any kind. Engineering teams used to continuous deployment pipelines consistently struggle with this requirement, but changing the firmware after the freeze wipes out all prior test reports and breaks the lab agreement.

The freeze is a formal sign-off from the CTO that the team has stopped all work on the release candidate.

The 4-Week Pre-Lab Checklist

Go into the lab session as a performance audit, not an exploratory test. The fees for the OCPP certification process cover one full test run, with debugging and retesting billed separately. Use the four weeks before your session to work through every possible source of failure.

• Week 4, Internal OCTT Audit and Profile Finalization: Lock the PICS document and run the OCTT continuously against your release candidate. Track down edge-case failures in asynchronous message handling. If any optional profile falls apart under simulated load, cut it from the PICS now. By the end of this week, your firmware must pass all declared profiles with zero failures during the OCPP certification process.
  
• Week 3, Cryptographic Validation and State Machine Stress Testing: Switch focus over to security and fault tolerance. Test Security Profile 2 and Advanced Security Profile 3 against simulated hostile network conditions. Check that PKI material generation and storage hold up. Push your state machine by simulating hardware faults mid-transaction, such as ground fault trips or overvoltage events, and verify that the firmware puts out correct fault payloads rather than silently dropping connections.
  
• Week 2, Firmware Freeze and Configuration Lockdown: Compile the firmware, generate its cryptographic hash, and lock it in version control. No further commits under any circumstances. Generate the charger configuration snapshot and check it against the finalized PICS. Put together the complete documentation package and send it off to the lab portal.
  
• Week 1, Environmental Replication and Final Logistics: Set up your internal environment to match the exact lab setup, including hardware configurations, connector counts, and network layout. Run mock certification sessions with zero developer input or console access. If issues come up now before the OCPP certification process is started, you cannot patch them. Write up the behavior within spec or decide to pull out and reschedule rather than take on a recorded failure.

8 OCTT Failure Patterns We See Most

Even well-prepared teams consistently run into the same points of failure. These eight patterns account for the majority of first-attempt failures during the OCPP certification process:

1. BootNotification Sequencing and State Synchronization: Firmware that sends heartbeats, status updates, or authorization requests before BootNotification is officially accepted by the server fails right away. The OCTT picks up this race condition as a basic flaw in asynchronous state management.
   
2. Websocket Disconnection and Retry Algorithm Failures: The lab will deliberately cut your TCP connection mid-test. If your firmware uses a non-compliant exponential backoff, drops offline transactions, or breaks transaction state upon reconnection during the OCPP certification process, the test fails.
   
3. Malformed JSON Payloads and Type Enforcement: Passing an integer as a string, leaving out a mandatory field, or a single case-sensitivity error in an otherwise clean transaction sequence causes a conformance failure. The OCTT checks payload structure without any exceptions.
   
4. TLS Handshake Breakdowns: Failure to check the server's certificate chain, incorrect client certificate presentation, wrong cipher suite handling, or failing to get a secure websocket connection set up within strict timeout limits will void the security certification.
   
5. Smart Charging Composite Profile Stacking Conflicts: When your device takes in overlapping grid-level, connector-level, and default charging profiles at the same time, the firmware must work out the most restrictive power limit at any given moment. Wrong algorithmic resolution or slow dynamic adjustment causes failure.
   
6. Errata and Unrecognized Message Handling: Labs test against the most current OCA errata baseline. Firmware built on out-of-date documentation fails edge cases that were sorted out in recent errata. Firmware must also respond to unrecognized messages with the correct error payload, not a crashed websocket thread.
   
7. Offline Authorization and Cache Mismanagement: The OCTT tests charger behavior when the network goes down completely. Your firmware must correctly look up its local authorization cache to approve or reject RFID tags. Failure to clear the cache on a ClearCache command, or approving a stale identifier, causes failure.
   
8. Transaction State Corruption During Hardware Faults: When a connector runs into a simulated fault mid-transaction, the firmware must cut off power transfer, update the connector state to Faulted, and send out a StopTransaction payload with the correct reason code. Firmware that reports a Charging state while physically putting out zero power fails the run.

Cost and Timeline Expectations for the OCPP Certification process

OCPP certification costs go up with hardware type (AC vs DC), protocol version, optional profiles declared, and OCA membership status. These are the maximum fees for one full test run, with pretesting, debugging, and retesting billed separately.

OCPP 1.6 Maximum Fees:

• AC Charging Station: 4,100 euros (OCA participant) / 7,600 euros (non-participant)
• DC Charging Station: 5,100 euros (OCA participant) / 8,600 euros (non-participant)
• CSMS: 3,000 euros (OCA participant) / 6,500 euros (non-participant)

OCPP 2.0.1 Maximum Fees (Mandatory Profile plus Additional Profiles):

• AC Charging Station: up to 10,300 euros (OCA participant) / 13,800 euros (non-participant)
• DC Charging Station: up to 13,000 euros (OCA participant) / 16,500 euros (non-participant)
• CSMS: up to 5,600 euros (OCA participant) / 9,100 euros (non-participant)
  

On top of lab fees, set aside a budget for internal pre-testing tools. Isolated OCTT runs outside structured programs can come in at around 5,000 USD per test.

On timelines: CALeVIP required proof of OCPP 1.6 certification by January 1, 2024, and full OCPP 2.0 certification by January 1, 2025. NEVI rolls out interoperability standards across the entire domestic US charging network.

Because of these back-to-back deadlines, lab capacity at DEKRA and DNV is heavily constrained. The full cycle, from internal OCTT checks to lab booking, test execution, and certificate issuance, can run to three to six months.

A failed first attempt puts you back at the end of the queue, which may mean missing an entire funding cycle.

Getting Compliant With OCPP Certification Process on Patches and Feature Releases

The OCPP certification process marks the start of a compliance lifecycle, not the end of it.

Your certificate ties directly to one specific firmware version. Any firmware change, including a minor bug fix, technically results in an uncertified device unless recertification gets carried out. If you want to add a related product to an existing certificate without a full re-evaluation, the product must qualify as an OCPP product family member.

This covers minor hardware changes such as display size updates or casing modifications that don't alter the protocol communication stack. The cost comes down considerably at 500 euros per product family member from the lab, plus a 250 euro OCA administrative fee.

That exemption doesn't apply to fundamental firmware changes. Adding ISO 15118 Plug and Charge after certification requires a full re-evaluation of that profile.

Beyond the protocol itself, stay on top of two additional ongoing requirements:

• Operational uptime mandates: Funding agreements tied to OCPP compliance, including CEC and NEVI programs, call for greater than 97% uptime per year for five years post-deployment, with annual preventative maintenance and corrective maintenance wrapped up within five business days of a reported failure.
  
• Shifting OCA baselines: The October 2025 update to the OCPP 1.6 program moves Firmware Management and Security Profile 2 into the mandatory profile. Legacy certificates without these security updates will lose market relevance as procuring agencies push up their minimum requirements. Keep track of OCA errata releases, application notes, and whitepapers on an ongoing basis.

Want to know more about how we specialize with this at Entrans? Book a free consultation call!