To enable a secure server connection with the customer, Tesla requires the following components:

• Bi-directional server certificates
• Whitelist of IP addresses for both client and server

Unique X.509 server certificates are generated from a certificate authority (CA) managed by Tesla, and not a third party CA (e.g. Comodo, Digicert). Certificates may be requested from Tesla and are renewed periodically. Certificates may also be renewed upon request. Refer to API Access for more detailed instructions about obtaining certificates.

Tesla will perform the following configuration:

• A fixed public IP address listening on port 443
• A DNS record mapping to the public IP address for the Powerhub API
• Authentication via a valid X.509 server certificate for the hostname associated with the IP address
• Require mutually authenticated HTTPS
• Accept connections only from clients that present a valid X.509 client certificate, issued by the CA
• A perimeter firewall that accepts only client connections from the source IP(s) specified by the customer

Tesla requires that the customer performs the following:

• Configure the HTTPS client to only initiate connections to servers that present a valid X.509 server certificate
• Configure the HTTPS client to authenticate via a valid X.509 certificate
• Configure its perimeter firewall to allow its client to connect only to specified Tesla IP addresses

The customer’s HTTPS client should be configured to trust only the Tesla-issued CA and client certificates. A certificate issued by a third-party CA (e.g. Comodo, Digicert) for the same client names should be refused. From time to time, Tesla may need to change the fixed IP or renew certificates. Advanced notice is provided before such changes.