Generate HTTPS Certificates for PTP 650/670 - Create ODU certificates

If you haven’t already done so, please read Generate HTTPS Certificates for PTP 650/670 - Create the CA. In this earlier topic we created a private key and a certificate for a local Certification Authority (CA).

Now we’re going to create individual keys and certificates to install on the PTP 650/670 ODUs, signed by the local CA. We’re using OpenSSL version 1.1.1k here. We’re creating certificates where the subject is the IP address of the ODU; in this example it’s Of course, you should use the IP address of your own ODU. As an alternative, it’s possible to use a DNS name (in other words, FQDN) if you have DNS in your network. We’re using “ptp670” as the host name, but you should use a unique name for each ODU.

To use just the IP address, create a text file 10-130-159-44-ext.txt containing the following:

subjectAltName = IP:

If you want to use a DNS name and an IP Address, create the text file with the following:

subjectAltName =, IP:

Generate the ODU private key in the PEM format:

openssl genrsa -out 10-130-159-44-key.pem 2048

Generate a certificate signing request (essentially an unsigned certificate). Use appropriate details for your network:

openssl req -new -sha256 -subj "/C=GB/ST=Devon/L=Ashburton/O=Aardvark Enterprises/OU=Wireless/CN=" -key 10-130-159-44-key.pem -out 10-130-159-44-csr.pem

Sign the request using the CA private key, outputting the signed certificate in the DER format:

openssl x509 -req -days 3650 -in 10-130-159-44-csr.pem -extfile 10-130-159-44-ext.txt -CA aardvark-ca-cert.pem -CAkey aardvark-ca-key.pem -CAcreateserial -outform DER -out 10-130-159-44-cert.der

In the signing step above, we include the certificate extensions in file 10-130-159-44-ext.txt. If any readers can see a more straightforward way to do this, then please comment below.

Finally, convert the ODU key to the DER format:

openssl rsa -in 10-130-159-44-key.pem -outform DER -out 10-130-159-44-key.der

You can inspect the ODU certificate in the DER format in Windows. Expect to see something like this:

In the details tab, we see the the IP address and/or DNS name of the ODU in the SAN field like this:

If you’ve added the Root CA cert to the Windows trusted CA certificate store, then the Certification Details tab of the ODU certificate looks like this:

If you’ve followed the process so far, I’m sure you’ll be as pleased as I was to see “This certificate is OK.”.

You can now install the ODU key and certificate (10-130-159-44-key.der and 10-130-159-44-cert.der in this example) in the ODU with the matching IP address (or DNS name).

Expect to see the padlock icon in the web browser, without any browser warnings:


Repeat this exercise for each of your PTP 650/670 ODUs. :smiley: