OFTP2 and Digital Certificate Policy
Operational Impact of Certificate Lifetime Changes
Recent decisions by the CA/Browser Forum will significantly reduce the validity period of certificates used for public web servers. While these changes are appropriate for internet-facing applications, OFTP2 environments operate very differently.
OFTP2 connections are actively managed, point-to-point relationships between known business partners, more comparable to VPN connections than public websites. In addition, the protocol requires regular verification of certificate revocation information through Certificate Revocation Lists (CRLs), addressing one of the key security concerns associated with longer certificate lifetimes.
Within the automotive sector, there is broad recognition that much shorter certificate validity periods are impractical for the OFTP2 environment. Frequent renewal cycles would introduce operational overhead without delivering proportional security benefits in managed, partner-controlled environments.
As a result, industry practice continues to support the use of end-user certificates with validity periods of between one and four years, allowing organisations to balance security requirements with operational efficiency and stability.
Mutual Authentication Remains a Core Requirement
The CA/Browser Forum has also introduced changes that will remove the “TLS Client Authentication” attribute from publicly trusted TLS certificates. While this reflects the evolution of public web security practices, it introduces challenges for OFTP2 environments, where mutual authentication is a fundamental design principle of secure data exchange.
OFTP2 is based on the ability of both communication partners to verify each other’s identity. Alongside station identifiers, passwords and other security controls, certificate-based client authentication provides a strong mechanism for confirming that a connecting system is authorised to establish communication.
Maintaining this dual authentication model is considered a core requirement within the OFTP2 security framework and remains mandatory.
Operational Continuity of the Odette CA
In line with evolving security standards, the Odette Certificate Authority (CA) will continue to meet all industry-defined requirements and maintain full compliance with applicable specifications.
Certificates issued or renewed by the Odette CA, whether in the past or in the foreseeable future, will not require any changes to OFTP2 exchange processes or certificate handling.
Industry Recommendation
Automotive customers are encouraged to ensure that their suppliers confirm continued support from their certificate providers for OFTP2-compliant certificates, including appropriate validity periods, mutual authentication requirements, and required cryptographic standards.
In particular, organisations should assess whether certificates issued by general-purpose or public certificate authorities remain suitable for OFTP2 environments. Where specific OFTP2 requirements are not fully supported, organisations may need to consider specialised certificate providers, such as the Odette CA, which are aligned with OFTP2 operational and security requirements, to ensure long-term interoperability and continuity of service.
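As an added example (not code from Odette or from this page), the following shell script shows how an operator can check a certificate against the three properties the sections above name for OFTP2: a validity period between one and four years, the TLS Client Authentication extended key usage that mutual authentication depends on, and a CRL distribution point so the partner can perform the CRL check the protocol requires. It generates constructed self-signed test certificates with the openssl CLI and then inspects them; the openssl invocations, the 365 to 1461 day window, the example subject name and the CRL URL are assumptions of the example, and it assumes openssl 1.1.1 or later and GNU date on the PATH.

```sh
#!/bin/sh
# Added example, not part of the Odette page: check an end-entity certificate
# for the OFTP2-relevant properties the page names:
#   1. validity period between one and four years,
#   2. TLS Client Authentication EKU (needed for mutual authentication),
#   3. a CRL distribution point, so the partner can do the CRL check OFTP2 requires.
# Assumptions: openssl 1.1.1+ (for -addext) and GNU date (for -d) are installed.
# The certificates below are constructed self-signed test certificates,
# not certificates issued by the Odette CA.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# make_test_cert FILE DAYS EKU_LIST
# Writes a self-signed certificate with the given lifetime and EKU list to FILE.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/key.pem" -out "$1" -days "$2" \
        -subj "/C=DE/O=Example Supplier (constructed)/CN=O0123EXAMPLE" \
        -addext "extendedKeyUsage=$3" \
        -addext "crlDistributionPoints=URI:http://crl.example.invalid/test.crl" \
        >/dev/null 2>&1
}

# validity_days FILE -> prints the certificate lifetime in whole days
validity_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
}

# has_client_auth FILE -> exit 0 if the EKU extension lists TLS Web Client Authentication
has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# has_crl_dp FILE -> exit 0 if a CRL Distribution Points extension is present
has_crl_dp() {
    openssl x509 -in "$1" -noout -text | grep -q "X509v3 CRL Distribution Points"
}

# check_oftp2_cert FILE -> prints one line per check, returns 0 only if all pass
check_oftp2_cert() {
    rc=0
    days=$(validity_days "$1")
    # 1-4 years, expressed as 365 to 1461 days (assumed window for this example)
    if [ "$days" -ge 365 ] && [ "$days" -le 1461 ]; then
        echo "PASS validity: $days days (1-4 years)"
    else
        echo "FAIL validity: $days days (expected 365-1461)"; rc=1
    fi
    if has_client_auth "$1"; then
        echo "PASS EKU includes TLS Client Authentication"
    else
        echo "FAIL EKU lacks TLS Client Authentication (mutual authentication will not work)"; rc=1
    fi
    if has_crl_dp "$1"; then
        echo "PASS CRL distribution point present"
    else
        echo "FAIL no CRL distribution point (partner cannot perform the required CRL check)"; rc=1
    fi
    return $rc
}

# Demo: one certificate matching the profile described above (two years, clientAuth),
# and one web-style certificate (90 days, serverAuth only) that does not.
make_test_cert "$WORKDIR/good.pem" 730 "serverAuth,clientAuth"
make_test_cert "$WORKDIR/web.pem"  90  "serverAuth"
echo "== good.pem"; check_oftp2_cert "$WORKDIR/good.pem" || true
echo "== web.pem";  check_oftp2_cert "$WORKDIR/web.pem"  || true
```

Run against a partner's or your own certificate file, `check_oftp2_cert partner.pem` gives a quick first answer to the question in the recommendation above: whether a certificate from a general-purpose CA still carries the client-authentication usage and a lifetime that fits the OFTP2 profile. It does not replace full chain validation or the CRL check itself; those remain the job of the OFTP2 software.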