Security

To enable a secure server connection with the customer, Tesla requires one of the following components:

  • Whitelist of IP addresses for both client and server
  • Client credential OR bi-directional server certificate
    Note
    Tesla does not generate new bi-directional server certificates; existing certificates may be renewed by Tesla when specific criteria are met, but client credentials are the primary method to enable a secure server connection.
Figure 1. Security Infrastructure for Server-to-Server Integration

Client Credentials

Client credentials are created within Powerhub by users with the Owner role. Every client credential has a randomly generated secret that is used for requesting a Powerhub API token using the /v1/auth/token endpoint. The secret is displayed only at the time the credential is added. Powerhub users must make their own copy of this secret and store it somewhere safe. There is no way to retrieve the secret after initial generation.

Every client credential must have a set expiration. Expiration times from one to 365 days in the future are supported.

Client credentials can be deleted by selecting the trash can icon next to a credential. This will cause any requests for an API token to the /v1/auth/token endpoint using the credential to fail. It may take up to ten minutes for Powerhub API tokens previously requested using the client credential to expire. Only users with the Owner role are able to delete client credentials.

All requests to the Powerhub API should come from a trusted source IP that has been added to the allowlist.

See API Access via Client Credentials for more information on generating client credentials.

Certificates

Unique X.509 server certificates are issued by a certificate authority (CA) managed by Tesla, not by a third-party CA (e.g. Comodo, Digicert). Though certificates can no longer be requested from Tesla, existing certificates are renewed periodically upon request.

Tesla will perform the following configuration:
  • A fixed public IP address listening on port 443
  • A DNS record mapping to the public IP address for the Powerhub API
  • Authentication via a valid X.509 server certificate for the hostname associated with the IP address
  • Require mutually authenticated HTTPS
  • Require that requests to the /v2/asset/tokens endpoint only be made from trusted source IP(s) specified by the customer

Tesla requires that the customer performs the following:
  • Configure the HTTPS client to only initiate connections to servers that present a valid X.509 server certificate
  • Configure the HTTPS client to authenticate via a valid X.509 certificate
  • Configure its perimeter firewall to allow its client to connect only to specified Tesla IP addresses

The customer’s HTTPS client should be configured to trust only the Tesla-issued CA and client certificates. A certificate issued by a third-party CA (e.g. Comodo, Digicert) for the same client names should be refused. From time to time, Tesla may need to change the fixed IP or renew certificates. Advance notice is provided before such changes.
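
One way to meet the customer-side requirements above with Python's standard ssl module, shown as an added example that is not Tesla's own code. The function names, the file paths passed in, and the expected_cas count are assumptions chosen for illustration.

```python
import socket
import ssl


def new_pinned_context() -> ssl.SSLContext:
    """TLS client context with an empty trust store."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking and,
    # unlike ssl.create_default_context(), loads no system CA bundle, so a
    # certificate from a public third-party CA cannot validate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_mtls_context(ca_file, client_cert, client_key, expected_cas=1):
    """Trust only the CA(s) in ca_file and present the client certificate."""
    ctx = new_pinned_context()
    ctx.load_verify_locations(cafile=ca_file)  # raises if missing or unparsable
    loaded = ctx.cert_store_stats()["x509_ca"]
    if loaded != expected_cas:
        # Assumption: the operator knows how many CA certs the bundle holds.
        raise ValueError(f"trust store holds {loaded} CA certs, expected {expected_cas}")
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def connect(host, ctx, port=443):
    """Open a mutually authenticated connection; the handshake fails closed."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

The CA-count check rejects a bundle that has had extra roots appended to it, which would otherwise silently widen what the client trusts.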