Security certificates and browser warnings for HTTPS in PTP 500 and PTP 600

PTP 300/500 and PTP 600 support secure access to the web-based management using the HTTPS/TLS protocol. This protocol prevents eavesdropping on traffic between a web browser and the ODU, and also authenticates the ODU to the browser.

To use HTTPS, you need to apply the AES upgrade, and you also need to generate and install a key pair consisting of a private key and a public key certificate.

System Release PTP 500-05-04 accepts only certificates with 1024-bit key size, whilst PTP 600-10-08 accepts either 1024-bit or 2048-bit keys. In both cases, the ODU accepts and uses certificates signed using SHA-1 or SHA-256.

Some web browsers now generate warnings on the use of SHA-1. For example, Google Chrome generates this warning:

Chrome Padlock Red.png

When we click on the padlock icon, Chrome provides this information:

Chrome Padlock Red Details.png

It's interesting that the browser is identifying the use of SHA-1, but is apparently happy with the 1024-bit key size.

If the certificate is replaced with one signed using SHA-256, the browser warnings disappear and we see the attractive green padlock icon:

Chrome Padlock Green.png

On the other hand, Mozilla Firefox doesn't generate a warning for SHA-1 and provides this green padlock display for SHA-1 or SHA-256:

Firefox Padlock Green.png

If your organisation accepts SHA-1, it's reasonable to continue using existing certificates, but the browser warning from Chrome should not be ignored, as it might be alerting you to other, more serious, problems. A safe strategy is to replace exising SHA-1 certificates now.

PTP 650 and PTP 700

Please see Security-certificates-for-HTTPS-in-PTP-650 for similar information about these products.