HTTPS in PTP 650/670 - Keys and certificates

If you haven’t already, please read HTTPS in PTP 650/670 - Introduction

ODU certificate subject

The subject of the ODU certificate can be an IP address or a DNS name.

In the past, browsers read the subject of the certificate from the Common Name (CN) field, even though the standards discourage this. Current browsers follow the standards more closely: they ignore the Common Name field and expect the IP address or DNS name to be in the Subject Alternative Name (SAN) field, and they generate a warning if the subject is not present in the SAN field.

When the IP address is in the Common Name field it must be formatted as a text string in dotted-decimal notation, for example 169.254.1.1. When the IP address is in the SAN field it is stored in binary form; the conversion from the dotted-decimal text happens automatically when the certificate is created.

Format

The private key and public certificate installed in the ODU must be in the DER format. The PEM format cannot be used directly, but it is straightforward to convert it to DER.

ODU certificate key size and signing algorithm

PTP 650, PTP 670 and PTP 700 require the following key sizes and signing algorithms:

Up to 650-01-40:

  • 2048-bit SHA-1
  • 2048-bit SHA-256

From 650-01-41:

  • 2048-bit SHA-256

PTP 670 and PTP 700:

  • 2048-bit SHA-256

Root CA certificate

ODU certificates must be issued by (in other words, signed by) a certification authority (CA). The CA will normally be created by the wireless operator, or by a local security team.

The Root CA certificate is installed in the trust store of the management platforms (the computers running a web browser) used to manage the ODUs, so that the browser can verify the certificate presented by each ODU.

The Root CA private key is never installed in ODUs and must be kept completely secure. This key is the ultimate guarantee of security in the public key infrastructure created here.
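The steps described in the sections above, as an added example that is not Cambium's own code or tooling: a local root CA issues an ODU certificate with the settings the article lists (RSA 2048, SHA-256, IP address in the SAN), the files are converted from PEM to DER, and the result is checked before upload. It assumes OpenSSL 1.1.1 or later on PATH; the CA name, file names and the IP 169.254.1.1 are illustrative.

```shell
# Added example (not Cambium's code). Assumes OpenSSL 1.1.1+; names are illustrative.
set -eu
WORK="${WORK:-$(mktemp -d)}"
ODU_IP="${ODU_IP:-169.254.1.1}"

# 1. Local root CA. Its private key (rootCA.key) never goes on an ODU; only
#    rootCA.pem is distributed to the management hosts' trust stores.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -subj "/CN=Example Root CA" -keyout "$WORK/rootCA.key" \
    -out "$WORK/rootCA.pem" 2>/dev/null
}
# 2. ODU key and CSR. The CN holds the IP as dotted text for old clients; the
#    CA adds the SAN (IP:...) at signing time so current browsers accept it.
issue_odu_cert() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$ODU_IP" \
    -keyout "$WORK/odu.key" -out "$WORK/odu.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$ODU_IP" > "$WORK/odu.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/odu.csr" \
    -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -extfile "$WORK/odu.ext" -out "$WORK/odu.pem" 2>/dev/null
}
# 3. PEM -> DER, the encoding the ODU accepts for the key and the certificate.
to_der() {
  openssl x509 -in "$WORK/odu.pem" -outform DER -out "$WORK/odu.der"
  openssl rsa -in "$WORK/odu.key" -outform DER -out "$WORK/odu_key.der" 2>/dev/null
}
# 4. Checks before upload: SAN carries the IP, sha256 with a 2048-bit key,
#    chains to the root, and the DER file is the same certificate as the PEM.
check_cert() {
  openssl x509 -in "$WORK/odu.pem" -noout -ext subjectAltName | grep -q "IP Address:$ODU_IP"
  openssl x509 -in "$WORK/odu.pem" -noout -text | grep -q 'sha256WithRSAEncryption'
  openssl x509 -in "$WORK/odu.pem" -noout -text | grep -q 'Public-Key: (2048 bit)'
  openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/odu.pem" >/dev/null
  [ "$(openssl x509 -in "$WORK/odu.der" -inform DER -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$WORK/odu.pem" -noout -fingerprint -sha256)" ]
}
# Returns the hex bytes of the iPAddress GeneralName found in the DER file:
# tag 0x87 ([7] iPAddress), length 4, then the address as four raw octets,
# which is the "binary format" the article mentions for an IP in the SAN.
san_ip_bytes() {
  old="$IFS"; IFS=.; set -- $ODU_IP; IFS="$old"
  want="8704$(printf '%02x' "$@")"
  od -An -tx1 -v "$WORK/odu.der" | tr -d ' \n' | grep -o "$want"
}

make_root_ca; issue_odu_cert; to_der; check_cert
echo "SAN iPAddress bytes in DER: $(san_ip_bytes)   (files in $WORK)"
```

Upload odu.der and odu_key.der to the ODU and rootCA.pem to the management hosts; keep rootCA.key offline.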

Further reading

See also: