SERVER CERTIFICATE ORDERING INSTRUCTIONS

Special characters

  • Scandinavian characters may be used in the Organization (O) and Locality (L) values without special arrangements, but they must be encoded as UTF-8. On Linux systems UTF-8 is the default character set; on Windows and Apple systems it is not, so a CSR created there with the default encoding is invalid. If you use OpenSSL, add the -utf8 option.
  • A domain may contain only the characters a-z, 0-9 and hyphen (-). If other letters are required, the domain must be entered in punycode (xn--) form.
  • Other special characters, such as the underscore (_), are not allowed.

Administrative contact person

Please note when filling in the administrative contact person: make sure that this person can answer phone calls. If the contact cannot be reached, certificate delivery will be delayed.

The server name

The Common Name (CN) or Subject Alternative Name (SAN) is, for example, www.company.com or a public IP address such as 123.4.5.6. The CN/SAN must be the registered, publicly resolvable name of the server. For a wildcard certificate the CN consists of an asterisk, a dot and a domain name owned by your organization (*.domain.com). There are two ways to enter names into a server certificate order:

  • create a Certificate Signing Request that contains all CN and SAN values, or
  • create a Certificate Signing Request with no SAN values or only one CN/SAN value and enter the remaining names in the Telia SSL certificate ordering service.

DNS names www.company.com and company.com

Telia offers the DNS name with and without the www prefix for the same price, provided that the order contains SAN values for both www.company.com and company.com. Telia recommends adding the missing version on tab 3 using the ADD DOMAIN/IP button. Both names can also be included in the CSR when it is created.
When both names are in the certificate, both https://www.company.com and https://company.com will work.

Forbidden names & IP addresses

The use of internal names has been deprecated, so a server name must be a Fully Qualified Domain Name whose domain is resolvable in the public DNS. The table below lists the forbidden values:

Forbidden CN/SAN value          Example
Unregistered top-level domain   .local
No domain present               EXCHANGESERVER1
Private IP address              10.x.x.x, 169.254.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x

A complete list of private addresses is found in the IETF documents RFC 1918 (IPv4) and RFC 4193 (IPv6); 169.254.x.x is link-local space (RFC 3927) and is likewise not issuable.
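The name rules above (FQDN only, no .local, no private or reserved IP addresses, punycode for non-ASCII letters, no underscores, wildcard only as the leftmost label) are easy to get wrong in a CSR and cost a round-trip with the CA. The following is an added pre-submission check, not code from Telia or from this page; the function names (check_name, to_punycode, missing_www_or_apex) and the sample names are constructed for the example. It also flags a www/apex pair where one half is missing, per the pricing note above. The private-address test relies on Python's ipaddress module, whose is_global property covers the RFC 1918, RFC 4193 and link-local ranges plus loopback and other reserved space.

```python
import ipaddress
import re

# Label rule on this page: a domain may contain only a-z, 0-9 and '-'.
# Non-ASCII letters go in as punycode (xn--...); underscores are not allowed.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Suffixes that are not registered top-level domains (page example: .local).
FORBIDDEN_TLDS = {"local"}

# Empty meta-values the page says are not accepted in any CSR field.
EMPTY_META_VALUES = {"", "-", "unknown"}


def to_punycode(name):
    """Lower-case a host name and convert each non-ASCII label to punycode,
    the form in which an IDN has to be entered in the order."""
    out = []
    for label in name.strip().lower().split("."):
        out.append(label if label.isascii() else label.encode("idna").decode("ascii"))
    return ".".join(out)


def check_name(value):
    """Return the problems that would get a CN/SAN value rejected under the
    rules on this page; an empty list means the value passes."""
    v = value.strip()
    if v.lower() in EMPTY_META_VALUES:
        return ["empty meta-value is not allowed"]

    # An IP address in CN/SAN must be public: not RFC 1918 / RFC 4193 space,
    # not link-local, loopback or otherwise reserved.
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        return [] if ip.is_global else [f"private or reserved IP address: {v}"]

    problems = []
    name = to_punycode(v)
    labels = name.split(".")

    # Wildcard: only "*.domain.com", with the asterisk as the whole first label.
    if "*" in name:
        if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
            problems.append("asterisk is only allowed as the leftmost label (*.domain.com)")
        labels = labels[1:]

    if labels and labels[-1] in FORBIDDEN_TLDS:
        problems.append(f"unregistered top-level domain: .{labels[-1]}")
    elif len(labels) < 2:
        problems.append("no domain present: use the Fully Qualified Domain Name")

    for label in labels:
        if "_" in label:
            problems.append(f"underscore is not allowed: {label}")
        elif not LABEL_RE.match(label):
            problems.append(f"not a valid a-z / 0-9 / '-' label: {label}")
    return problems


def missing_www_or_apex(names):
    """Report the partner name missing from a www/apex pair. The page sells
    www.company.com and company.com together, but only if BOTH are SAN values
    in the order. Heuristic (assumption): a two-label name is treated as an apex."""
    present = {to_punycode(n) for n in names}
    missing = set()
    for n in present:
        if n.startswith("www."):
            partner = n[4:]
        elif n.count(".") == 1 and not n.startswith("*."):
            partner = "www." + n
        else:
            continue
        if partner not in present:
            missing.add(partner)
    return sorted(missing)


if __name__ == "__main__":
    # Constructed sample order mixing valid and forbidden values.
    order = ["www.company.com", "company.com", "EXCHANGESERVER1", "mail.corp.local",
             "192.168.1.10", "my_host.company.com", "www.ääkköset.fi"]
    for n in order:
        print(f"{n!r:28} -> {check_name(n) or 'OK'}")
    print("missing pair members:", missing_www_or_apex(order))
```

Run it over the SAN list before pasting the CSR into the ordering service; anything it reports maps directly onto a row of the table above.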

Key length

Telia Certificate Service supports RSA and ECC keys. The minimum private key length for RSA keys is 2048 bits. The following elliptic curves are supported:

  • prime256v1
  • secp384r1

Changes in certification hierarchy

The current root certificate for Telia Certificate Service certificates is TeliaSonera Root CA v1.

Telia is moving to the new Telia Root CA v2 root certificate. That certificate is not yet included in all operating systems and browsers, so it is not used for certificate issuance at the moment. During the transition period a three-tier hierarchy is used, in which Telia Root CA v2 appears as an intermediate issued under TeliaSonera Root CA v1.

The trust chain for Telia server certificates is shown in the table below:

Certification hierarchy          Root level*              Intermediate level              Enrolling level                 Server level
Current chain for OV             TeliaSonera Root CA v1   (none)                          TeliaSonera Server CA v2        server.com
Current chain for DV             TeliaSonera Root CA v1   (none)                          Telia Domain Validation CA v2   server.com
Transition period chain for OV   TeliaSonera Root CA v1   Telia Root CA v2 intermediate   Telia Server CA v3              server.com
Transition period chain for DV   TeliaSonera Root CA v1   Telia Root CA v2 intermediate   Telia Domain Validation CA v3   server.com
Future chain for OV**            Telia Root CA v2         (none)                          Telia Server CA v3              server.com
Future chain for DV**            Telia Root CA v2         (none)                          Telia Domain Validation CA v3   server.com

* Installation of a root certificate is not necessary if server application can access the root certificate store of the operating system.
** This hierarchy is not yet supported in all operating systems and browsers.

The necessary root certificates are included in your certificate delivery. They are also available from the download page. Note that only the root-level certificate may be left to the client's trust store (see note * above); the server itself must send the intermediate and enrolling-level certificates in its chain, or clients that do not yet trust the new hierarchy will fail to build a path.

Instructions on the values of the CSR

Value                      Example            Mandatory   Notes
(CN) Common name           www.company.com /  Yes         A Fully Qualified Domain Name of the server, or, for a wildcard certificate, an asterisk, a dot and a domain name.
                           *.company.com
(OU) Organizational unit   -                  Forbidden   This value is not included in certificates issued by Telia. Use of OU was deprecated by the CA/Browser Forum in 2022.
(O) Organization           Oy Yritys Ab       Yes         The official name of the ordering organization. It must be exactly the same as the name in the Y-tunnus (Finnish Business Identity Code / VAT number) register.
(L) Locality               Helsinki           Yes         The official home municipality of the organization given in O. Not the location of the server!
(ST) State                 -                  Not used    This value is not included in certificates issued by Telia.
(C) Country                FI                 Yes         The ISO 3166 country code of the organization given in O; always two letters.
(E) Email                  -                  No          This value is not included in certificates issued by Telia.

Empty meta-values such as 'unknown', '-' and ' ' are not allowed as CSR values in any property.

If you use Scandinavian or other non-ASCII characters in certificate data fields, use UTF-8 encoding. In OpenSSL, for example, the -utf8 option has to be included when you create the CSR.

FullSSL customers have a limited set of localities that have been validated as official localities for the organization.

The composition of a registered address

A certificate can be issued only for orders with complete, registry-matching address details. The registered address is composed of the CSR values O, L and C plus the Company address and Company post code fields in the order form. A P.O. Box cannot serve as the registered address, but it can be used as the billing address.

Authorization of use of your organization and domain names to another company

If you wish to delegate certificate enrollment and maintenance to another company, you need to fill in a special authorization form. The form is found in the side menu of this page.

Domain Control Validation as a proof of control over a domain

Since 2018, one of the four designated methods must be used to verify domain control. Domain control must be validated whenever a domain has not previously been used for certificate issuance at Telia Certificate Service.

CREATION OF A PRIVATE KEY

Creation of a private key with OpenSSL
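The CSR rules on this page (UTF-8 subject strings, only CN/O/L/C in the subject, no OU/ST/E, every name, the CN included, repeated as a SAN, www and apex together, RSA 2048 or prime256v1/secp384r1) fit naturally into an OpenSSL req configuration file. The following is an added example of generating that file and driving openssl with it; it is not Telia's code and not a script from this page. The function names (req_config, key_command, csr_command, generate), the output file names and the sample subject are assumptions for the example. It uses only OpenSSL options that exist in 1.1.1 and 3.x (genpkey, req -new -utf8 -config, req -text -verify); the key and CSR are only produced if an openssl binary is on PATH.

```python
import ipaddress
import shutil
import subprocess
from pathlib import Path


def req_config(cn, org, locality, country, sans=()):
    """Build an OpenSSL 'req' configuration for a Telia-style CSR: UTF-8 string
    encoding, only CN/O/L/C in the subject (no OU, ST or emailAddress, which the
    service drops anyway), and every name listed again as a subjectAltName,
    because clients match on the SAN list rather than on the CN."""
    dns, ips = [], []
    for name in [cn, *sans]:
        try:
            ipaddress.ip_address(name)
            target = ips                # IP SAN entries use the IP.n key
        except ValueError:
            target = dns                # host names (and *.wildcards) use DNS.n
        if name not in target:
            target.append(name)
    alt = [f"DNS.{i} = {n}" for i, n in enumerate(dns, 1)]
    alt += [f"IP.{i} = {a}" for i, a in enumerate(ips, 1)]
    return "\n".join([
        "[ req ]",
        "default_md         = sha256",
        "prompt             = no",
        "utf8               = yes",        # same effect as -utf8 on the command line
        "string_mask        = utf8only",   # DN strings are encoded as UTF8String
        "distinguished_name = dn",
        "req_extensions     = v3_req",
        "",
        "[ dn ]",
        f"CN = {cn}",
        f"O  = {org}",
        f"L  = {locality}",
        f"C  = {country}",
        "",
        "[ v3_req ]",
        "subjectAltName = @alt_names",
        "",
        "[ alt_names ]",
        *alt,
        "",
    ])


def key_command(key_path, algorithm="rsa"):
    """openssl genpkey arguments for the key types the page supports: RSA
    (2048-bit, the stated minimum) or an EC key on prime256v1 or secp384r1."""
    if algorithm == "rsa":
        opts = ["-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048"]
    elif algorithm in ("prime256v1", "secp384r1"):
        opts = ["-algorithm", "EC", "-pkeyopt", f"ec_paramgen_curve:{algorithm}",
                "-pkeyopt", "ec_param_enc:named_curve"]
    else:
        raise ValueError(f"key type not supported by the service: {algorithm}")
    return ["openssl", "genpkey", *opts, "-out", str(key_path)]


def csr_command(key_path, config_path, csr_path):
    """openssl req arguments; -utf8 is the option the page asks for, and with
    prompt = no the whole subject and SAN list come from the config file."""
    return ["openssl", "req", "-new", "-utf8", "-key", str(key_path),
            "-config", str(config_path), "-out", str(csr_path)]


def generate(workdir, algorithm="rsa", **subject):
    """Write the config, then create the private key and CSR with the local
    openssl binary. Returns the CSR path, or None when openssl is not installed."""
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    key, cnf, csr = workdir / "server.key", workdir / "req.cnf", workdir / "server.csr"
    cnf.write_text(req_config(**subject), encoding="utf-8")
    if shutil.which("openssl") is None:
        return None
    subprocess.run(key_command(key, algorithm), check=True)
    key.chmod(0o600)                    # the private key never leaves this host
    subprocess.run(csr_command(key, cnf, csr), check=True)
    # Decode the request so subject and SAN list can be checked against the
    # order before the CSR is pasted into the ordering service.
    subprocess.run(["openssl", "req", "-in", str(csr), "-noout", "-text", "-verify"], check=True)
    return csr


if __name__ == "__main__":
    # Constructed sample order: www and apex name together, as the page recommends.
    print(generate("telia-csr", algorithm="prime256v1", cn="www.company.com",
                   org="Oy Yritys Ab", locality="Helsinki", country="FI",
                   sans=["company.com"]))
```

Only server.csr goes to the ordering service; server.key stays on the server with mode 0600 and is what the issued certificate is later installed against.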

APPLICATION-SPECIFIC INSTRUCTIONS

Apache
Microsoft IIS
Oracle Java
Tomcat