No, these aren't the same as used for HTTPS; they are the same type (SSL),
but used to secure their backend data connection. They are indeed
self-signed, but for whatever reason they only issue them for 2-year
validity.

The car must connect OVER THIS SAME CONNECTION within 30 days of expiration
to get updated certs. So if your car happens to be offline for more than
30 days and you are in the 1 of 24 months, you permanently lose your certs.

Here's a typical one's metadata (stripped for privacy):
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Tesla Motors Products CA
        Validity
            Not Before: Jul 23 17:50:09 2024 GMT
            Not After : Jul 23 17:50:09 2026 GMT
        Subject: OU = Tesla Motors, O = Tesla, L = Palo Alto, ST = California, C = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption


On Mon, Dec 1, 2025 at 9:46 AM Ron via EV <[email protected]> wrote:

> I don't know how Tesla is generating, renewing, or validating their
> certificates, but whatever they're doing might be a serious problem if
> their process includes getting a "real" certificate.
>
> Getting a "real" certificate (i.e. one issued by a trusted authority as
> opposed to just generating one yourself, known as "self-signing") comes
> with time limits. Those limits have been gradually reduced over the last
> decade or so and are now scheduled to be reduced to 47 days.
> (<https://www.ssl.com/article/preparing-for-47-day-ssl-tls-certificates/>)
>
> There are obviously ways for new and renewed certificates to be
> automatically trusted, otherwise we'd already have to be continually
> installing and updating certificates in our web browsers.
>
> I'm long retired from the field, but I don't think I've gone too far off
> track.
>
>
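An added example, not part of either message: a small check that reads the Validity fields from an `openssl x509 -text` style dump like the one in the reply and reports where a certificate sits relative to the renewal window. The 30-day window is the figure given in the reply; the function names and the sample text are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of the dump shown in the reply.
SAMPLE = """\
        Validity
            Not Before: Jul 23 17:50:09 2024 GMT
            Not After : Jul 23 17:50:09 2026 GMT
"""

RENEWAL_WINDOW = timedelta(days=30)  # assumption: the figure stated in the reply

FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.M)

def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for name, value in FIELD.findall(text):
        # OpenSSL pads single-digit days with a space ("Jul  3"); normalise first.
        stamp = " ".join(value.split())
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        found[name] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block not found in certificate text")
    return found["Before"], found["After"]

def renewal_state(text, now, window=RENEWAL_WINDOW):
    """Classify the certificate at time `now` (aware datetime)."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"      # per the reply, renewal is no longer possible
    if now >= not_after - window:
        return "renew-now"    # inside the window: device must get online
    return "valid"

def days_until_window(text, now, window=RENEWAL_WINDOW):
    """Whole days left before the renewal window opens (negative once open)."""
    _, not_after = parse_validity(text)
    return ((not_after - window) - now).days

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(renewal_state(SAMPLE, now), days_until_window(SAMPLE, now))
```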