If you haven’t already done so, please read Generate HTTPS Certificates for PTP 650/670 - Create the CA. In this earlier topic we created a private key and a certificate for a local Certification Authority (CA).
Now we’re going to create individual keys and certificates to install on the PTP 650/670 ODUs, signed by the local CA. We’re using OpenSSL version 1.1.1k here. We’re creating certificates where the subject is the IP address of the ODU; in this example it’s 10.130.159.44. Of course, you should use the IP address of your own ODU. As an alternative, it’s possible to use a DNS name (in other words, FQDN) if you have DNS in your network. We’re using “ptp670” as the host name, but you should use a unique name for each ODU.
To use just the IP address, create a text file 10-130-159-44-ext.txt containing the following:
subjectAltName = IP:10.130.159.44
If you want to use a DNS name and an IP Address, create the text file with the following:
subjectAltName = DNS:ptp670.aardvark.com, IP:10.130.159.44
Generate the ODU private key in the PEM format:
openssl genrsa -out 10-130-159-44-key.pem 2048
Generate a certificate signing request (essentially an unsigned certificate). Use appropriate details for your network:
openssl req -new -sha256 -subj "/C=GB/ST=Devon/L=Ashburton/O=Aardvark Enterprises/OU=Wireless/CN=10.130.159.44" -key 10-130-159-44-key.pem -out 10-130-159-44-csr.pem
Sign the request using the CA private key, outputting the signed certificate in the DER format:
openssl x509 -req -days 3650 -in 10-130-159-44-csr.pem -extfile 10-130-159-44-ext.txt -CA aardvark-ca-cert.pem -CAkey aardvark-ca-key.pem -CAcreateserial -outform DER -out 10-130-159-44-cert.der
In the signing step above, we include the certificate extensions in file 10-130-159-44-ext.txt. If any readers can see a more straightforward way to do this, then please comment below.
Finally, convert the ODU key to the DER format:
openssl rsa -in 10-130-159-44-key.pem -outform DER -out 10-130-159-44-key.der
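The whole sequence above, from extension file to DER key, as a single script that also checks the result before you upload it to the ODU. This is an added example, not code from the original post or from Cambium: it builds a throwaway local CA in a scratch directory so it runs on its own (the earlier post created the real one), and the CA name, subject fields, IP address and DNS name are placeholders to replace with your own. It assumes openssl (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post). Generates an ODU key and
# CA-signed certificate with a SAN extension, converts both to DER, and
# verifies the output. Placeholders: IP, DNS name, subject fields, CA name.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ODU_IP="10.130.159.44"                          # placeholder: your ODU's IP address
ODU_DNS="ptp670.aardvark.com"                   # placeholder: your ODU's DNS name
TAG="$(printf '%s' "$ODU_IP" | tr . -)"         # 10-130-159-44, the post's file naming
CA_SUBJ="/C=GB/O=Aardvark Enterprises/CN=Aardvark Root CA"
ODU_SUBJ="/C=GB/ST=Devon/L=Ashburton/O=Aardvark Enterprises/OU=Wireless/CN=$ODU_IP"

# Throwaway local CA so the script is self-contained; in practice use the
# aardvark-ca-key.pem / aardvark-ca-cert.pem pair created in the earlier post.
make_ca() {
  openssl genrsa -out "$WORK/aardvark-ca-key.pem" 2048 2>/dev/null || return 1
  openssl req -x509 -new -sha256 -days 3650 -subj "$CA_SUBJ" \
    -key "$WORK/aardvark-ca-key.pem" -out "$WORK/aardvark-ca-cert.pem" || return 1
}

# Steps from the post: extension file, ODU key, CSR, CA-signed DER cert, DER key.
make_odu_cert() {
  printf 'subjectAltName = DNS:%s, IP:%s\n' "$ODU_DNS" "$ODU_IP" > "$WORK/$TAG-ext.txt"
  openssl genrsa -out "$WORK/$TAG-key.pem" 2048 2>/dev/null || return 1
  openssl req -new -sha256 -subj "$ODU_SUBJ" \
    -key "$WORK/$TAG-key.pem" -out "$WORK/$TAG-csr.pem" || return 1
  openssl x509 -req -days 3650 -in "$WORK/$TAG-csr.pem" -extfile "$WORK/$TAG-ext.txt" \
    -CA "$WORK/aardvark-ca-cert.pem" -CAkey "$WORK/aardvark-ca-key.pem" -CAcreateserial \
    -outform DER -out "$WORK/$TAG-cert.der" 2>/dev/null || return 1
  openssl rsa -in "$WORK/$TAG-key.pem" -outform DER -out "$WORK/$TAG-key.der" 2>/dev/null || return 1
}

# Checks worth running before uploading: the certificate chains to the CA and
# is valid for the IP a browser will connect to, the SAN really carries that IP,
# and the DER key matches the DER certificate (a mismatched pair is a common
# reason an ODU rejects an upload).
verify_odu_cert() {
  openssl x509 -inform DER -in "$WORK/$TAG-cert.der" -out "$WORK/$TAG-cert.pem" || return 1
  openssl verify -CAfile "$WORK/aardvark-ca-cert.pem" -verify_ip "$ODU_IP" \
    "$WORK/$TAG-cert.pem" >/dev/null || return 1
  openssl x509 -in "$WORK/$TAG-cert.pem" -noout -text | grep -q "IP Address:$ODU_IP" || return 1
  openssl x509 -in "$WORK/$TAG-cert.pem" -noout -pubkey > "$WORK/pub-from-cert.pem" || return 1
  openssl rsa -inform DER -in "$WORK/$TAG-key.der" -pubout \
    -out "$WORK/pub-from-key.pem" 2>/dev/null || return 1
  cmp -s "$WORK/pub-from-cert.pem" "$WORK/pub-from-key.pem" || return 1
}

run_all() {
  make_ca && make_odu_cert && verify_odu_cert || return 1
  echo "ODU files ready in $WORK: $TAG-key.der and $TAG-cert.der"
}

run_all
```

The `verify` step uses `-verify_ip` so that it fails if the SAN does not cover the address the browser will use, which is the check the Windows certificate viewer performs visually later in the post. On the question of a simpler way to add the extension: `openssl req -addext "subjectAltName=IP:..."` can put the SAN into the CSR, but `openssl x509 -req` in 1.1.1 does not carry CSR extensions into the signed certificate, so the `-extfile` approach in the post is still needed there; OpenSSL 3.0 and later add `-copy_extensions copy` to `openssl x509` for that purpose.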
You can inspect the ODU certificate in the DER format in Windows. Expect to see something like this:
In the Details tab, we see the IP address and/or DNS name of the ODU in the SAN field like this:
If you’ve added the Root CA cert to the Windows trusted CA certificate store, then the Certification Details tab of the ODU certificate looks like this:
If you’ve followed the process so far, I’m sure you’ll be as pleased as I was to see “This certificate is OK.”.
You can now install the ODU key and certificate (10-130-159-44-key.der and 10-130-159-44-cert.der in this example) in the ODU with the matching IP address (or DNS name).
Expect to see the padlock icon in the web browser, without any browser warnings:
Repeat this exercise for each of your PTP 650/670 ODUs.