If you haven’t already, please read HTTPS in PTP 650/670 - Introduction
ODU certificate subject
The subject of the ODU certificate can be an IP address or a DNS name.
In the past, browsers could read the subject of the certificate from the Common Name field (even though standards discourage this). Current browsers follow the standards more closely: they ignore the Common Name field and expect the IP address or DNS name to be in the Subject Alternative Name (SAN) field. They generate a warning if the subject is not in the SAN field.
When the IP address is in the Common Name field, it should be formatted as a text string with dotted punctuation, for example 169.254.1.1. When the IP address is in the SAN field, it is automatically converted to binary format.
Format
The private key and public certificate installed in the ODU must be in the DER format. The PEM format cannot be used directly, but it is straightforward to convert it to DER.
ODU certificate key size and signing algorithm
PTP 650, PTP 670 and PTP 700 require the following certificate key sizes and signing algorithms:
Up to 650-01-40:
- 2048-bit SHA-1
- 2048-bit SHA-256
From 650-01-41:
- 2048-bit SHA-256
PTP 670 and PTP 700:
- 2048-bit SHA-256
Root CA certificate
ODU certificates must be issued by (in other words, signed by) a certification authority (CA). The CA will normally be created by the wireless operator, or by a local security team.
The Root CA certificate will be installed in management platforms used with a web browser to manage the ODUs.
The Root CA private key is never installed in ODUs and must be kept completely secure. This key is the ultimate guarantee of security in the public key infrastructure created here.
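The requirements above (subject in the SAN field, 2048-bit key with SHA-256, a CA-signed certificate, DER output) can be exercised end to end with OpenSSL. This is an added example, not vendor code; the file names, the CA name "Example Root CA" and the validity periods are assumptions, and the address is the sample one used above.

```shell
#!/bin/sh
# Added example, not vendor code. Constructed values: file names, CA name,
# validity periods. Requires the openssl command-line tool.

# make_odu_cert DIR IP: create a demo root CA and an ODU certificate for IP.
make_odu_cert() (
    dir=$1 ip=$2
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Private config, so the result does not depend on the system openssl.cnf.
    cat > pki.cnf <<EOF || exit 1
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_odu]
basicConstraints = CA:FALSE
subjectAltName = IP:$ip
EOF
    # Root CA, 2048-bit RSA with SHA-256. -nodes leaves the key unencrypted for
    # this demo only; a real Root CA key is kept protected and never leaves the CA.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
        -sha256 -nodes -days 3650 -keyout ca.key.pem -out ca.cert.pem &&
    # ODU key and CSR. The CN carries the address as dotted text.
    openssl req -new -config pki.cnf -subj "/CN=$ip" -newkey rsa:2048 \
        -sha256 -nodes -keyout odu.key.pem -out odu.csr.pem &&
    # The CA signs the CSR and adds the SAN (stored as a binary IP address).
    openssl x509 -req -in odu.csr.pem -CA ca.cert.pem -CAkey ca.key.pem \
        -CAcreateserial -sha256 -days 825 -extfile pki.cnf \
        -extensions v3_odu -out odu.cert.pem &&
    # PEM to DER. The key encoding written here depends on the OpenSSL version;
    # which one the ODU expects is not stated above, so check the vendor guide.
    openssl x509 -in odu.cert.pem -outform DER -out odu.cert.der &&
    openssl rsa -in odu.key.pem -outform DER -out odu.key.der
)

# check_odu_cert DIR IP: succeed only if the DER certificate chains to the CA,
# uses a 2048-bit key with a SHA-256 signature, and names IP in the SAN field.
check_odu_cert() (
    cd "$1" || exit 1
    text=$(openssl x509 -inform DER -in odu.cert.der -noout -text) || exit 1
    openssl verify -CAfile ca.cert.pem odu.cert.pem >/dev/null &&
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' &&
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' &&
    printf '%s\n' "$text" | grep -qF "IP Address:$2"
)
```

Run `make_odu_cert ./pki-demo 169.254.1.1` and then `check_odu_cert ./pki-demo 169.254.1.1`; only `odu.cert.der` and `odu.key.der` are meant for the ODU, and `ca.cert.pem` for the management platform.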
Further reading
See also: