Telia offers certificate and remote access services in Finland and Sweden.
A CHANGE IN TELIA CA HIERARCHY
Telia CA updated its CA hierarchy for publicly trusted TLS and Client certificates on Oct 1st, 2022. This change was made to provide Telia CA customers with a new CA hierarchy, new Telia names and URLs, longer validity times and the most recent certificate profiles.
The old Telia Root (TeliaSonera Root CA v1) is already 15 years old, but it will remain functional and safe for a long time. All previously delivered Telia certificates can be used until they naturally expire.
From October 1st, 2022 all new Telia TLS certificates will be issued by the new Telia Server CA v3 (OV) or Telia Domain Validation CA v3 (DV), and from November 1st, 2022 all new Telia Client certificates will be issued by the new Telia Class 1 CA v3 (FI) or Telia Class 2 CA v3 (SE).
CHANGE IN TLS CERTIFICATES
All new Subscriber Certificate deliveries contain the new CA hierarchy as illustrated below:
TeliaSonera Root CA v1 → Telia Root CA v2* → Telia subCA v3 → End-Entity certificate
* cross-certified by Telia’s old root
Alternatively, the Customer may choose to use the hierarchy below, keeping in mind that the new root may only be available in recent versions of operating system and browser root stores. Telia's root Certificate Authority "Telia Root CA v2" has been included in operating systems / browsers for less than one (1) year. For older operating system / browser versions, trust is more likely to work when the Telia CA hierarchy above is used.
Telia Root CA v2 → Telia subCA v3 → End-Entity certificate
In most TLS cases it is not essential to install the correct CA hierarchy on Customer devices, but in some cases (Android, Java, Apple) trust issues may appear if the CA hierarchy does not match the information above. Telia CA recommends that the configuration is always tested after TLS certificate installation, using tools made for that purpose (for example SSLLabs SSLTest). This confirms that the Customer installation has been done correctly and that trust will work.
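Added example, not part of Telia's notice: the script below uses openssl to build a throwaway stand-in for the hierarchy described above and checks which served chain a client accepts when it trusts only the old root or only the new root. All names, keys and certificates in it are constructed for the demonstration; none are Telia's.

```shell
#!/bin/sh
# Added example. All CAs below are throwaway stand-ins generated on the spot,
# not Telia's certificates: old = old root, new = new root, cross = new root
# cross-certified by the old root, sub = subCA, leaf = end-entity certificate.
D=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"

csr() {      # csr NAME CN: fresh P-256 key plus a signing request
  openssl ecparam -name prime256v1 -genkey -noout -out "$D/$1.key"
  openssl req -new -key "$D/$1.key" -subj "/CN=$2" -out "$D/$1.csr"
}
selfsign() { # selfsign NAME: self-signed root certificate from NAME's request
  openssl x509 -req -in "$D/$1.csr" -signkey "$D/$1.key" -days 30 \
    -extfile "$D/ca.ext" -out "$D/$1.pem" 2>/dev/null
}
issue() {    # issue REQ OUT ISSUER [x509 options]: sign REQ with ISSUER's key
  req=$1; out=$2; ca=$3; shift 3
  openssl x509 -req -in "$D/$req.csr" -CA "$D/$ca.pem" -CAkey "$D/$ca.key" \
    -CAcreateserial -days 30 "$@" -out "$D/$out.pem" 2>/dev/null
}

csr old "Demo Old Root"; selfsign old
csr new "Demo New Root"; selfsign new
issue new cross old -extfile "$D/ca.ext"   # same subject and key as new.pem
csr sub "Demo subCA";    issue sub sub new -extfile "$D/ca.ext"
csr leaf "demo.example"; issue leaf leaf sub

cat "$D/sub.pem" "$D/cross.pem" > "$D/long.pem"  # intermediates, first hierarchy
cp "$D/sub.pem" "$D/short.pem"                   # intermediates, second hierarchy

# trusts ROOT CHAIN: does a client whose only trust anchor is ROOT accept the
# leaf when the server sends the intermediates in CHAIN?
trusts() {
  openssl verify -CAfile "$D/$1.pem" -untrusted "$D/$2.pem" "$D/leaf.pem" \
    >/dev/null 2>&1
}

for root in old new; do
  for chain in long short; do
    if trusts "$root" "$chain"; then r="trusted"; else r="NOT trusted"; fi
    echo "client with only the $root root, $chain chain: $r"
  done
done
```

Only the client that knows just the old root and receives the short chain rejects the certificate, which is the case the cross-certified hierarchy is there to cover.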
CHANGE IN CLIENT CERTIFICATES
In Client installations the delivered PKCS#12 package will always include the correct CA hierarchy, but devices that verify Clients have to be updated manually to accept the new hierarchy and certificate status.
New certificates are available for download at Telia CA Repository.
A CHANGE IN TELIA CERTIFICATE PORTAL AUTHENTICATION
Telia CA shall cease supporting software certificates as an authentication option for the Telia Certificate Portal. Authentication to the portal will be switched to SMS-based authentication on September 1st 2022. Users are required to enable the SMS-OTP login method before September.
Telia's ambition is to strengthen user security in the Telia Certificate Portal by applying multi-factor authentication, where users are required to use multiple independent credential factors (a personal password and possession of a mobile phone to receive a one-time authentication token, so-called SMS-OTP). Single-factor authentication based on a software certificate no longer meets this requirement.
As part of Telia's continued efforts to improve security, Telia shall continuously evaluate other multi-factor authentication methods to be made available for end-user authentication to the Telia Certificate Portal in the future. Currently the only two-factor authentication method available for Telia Certificate Portal login is the SMS-OTP based method.
Users are required to add their mobile phone number to the portal user details tab and to set SMS-OTP as their login method before support for software certificate based authentication is discontinued in the Telia Certificate Portal.
Please contact email@example.com if you are unable to set a telephone number in your user tab or if you experience problems in enabling your SMS-OTP authentication.
A CHANGE IN FILE VALIDATION WHEN A DOMAIN CONTAINS AN *
The CA / Browser Forum will change the Domain Control File Validation rules. Domain names containing a wildcard character * (example: *.domain.com) cannot be validated using the file method after December 1st, 2021. Please use the DNS, email or phone method for these domain validations.