CA VALIDATION OF DOMAIN NAMES

Server certificate domain name ownership needs to be validated before a certificate can be issued. The current validation methods are described below. The user chooses the preferred method using “Request domains” in the certificate portal or during the single certificate order flow. After the actual validation there may be a one-hour delay before the domain is visible in the Telia certificate portal.

DNS method
The customer or the DNS operator must add the validation string as a TXT record for the domain in the DNS service, using the normal DNS maintenance process. The customer administrator can either copy the string directly from the portal or send an email with instructions to the DNS operator. In the case of a single order, the data must be sent by email to DNS maintenance. The Telia Certificate service polls the TXT record regularly. When the string is visible in DNS, the domain name is authorized for use in the Telia certificate portal (portal case). In the single order case the domain appears as validated to the Telia delivery team, who then proceed with handling the order. Please note:

  • It may take several hours before the DNS gets updated. Telia recommends a TTL value of 300 seconds during the validation process
  • Do not place the string on your web server
  • Choose this method if your device is not accessible from the public Internet
  • The DNS method cannot be used for validation of IP addresses

File method
The customer must add the validation string as a file at a specific path on a web server that is set up to serve the requested domain name. The customer administrator can either copy the string directly from the portal or send it by email to the administrator of the server. In the case of a single order, the data must be sent by email to server maintenance.

The Telia Certificate service polls the website regularly. When the file is available, the domain name or IP address is authorized for use in the Telia certificate portal (portal case). In the single order case the domain appears as validated to the Telia delivery team, who then proceed with handling the order.

Please note these issues when using file validation:

  • your server must be running and accessible from the public Internet when using the file method
  • you can name the validation file either with the suffix .txt or with no suffix at all
  • after November 2021 it is not possible to validate wildcard orders (domain name format: *.example.com) using file validation
  • after November 2021 it is not possible to validate entire domains (domain name format: .example.com) using file validation

Below are examples of the placement of the Telia-provided validation file telia_validation_data_file_20180308 on Linux and Windows servers:

Linux
  Validation address:           www.yritys.fi/.well-known/pki-validation/telia_validation_data_file_20180308
  Example path in file system:  /var/www/html/.well-known/pki-validation/telia_validation_data_file_20180308

Windows
  Validation address:           www.yritys.fi/.well-known/pki-validation/telia_validation_data_file_20180308
  Example path in file system:  C:\well-known\pki-validation\telia_validation_data_file_20180308

It is not possible to include a dot (.) in a path in Windows. When using IIS, you must therefore add a virtual directory: right-click the name of your server and choose Add Virtual Directory. Set the alias to .well-known and enter C:\well-known\pki-validation in the Physical path box.

Email method
The certificate applicant sends an email via the Telia Certificate service to the email addresses available in the WHOIS service and/or to the standard addresses 'admin@', 'administrator@', 'webmaster@', 'hostmaster@' or 'postmaster@' followed by the domain name in question. One of the recipients has to click the link in the message and authorize the domain to the applicant. After successful validation the domain name is available to the applicant in the Telia certificate portal, or in the case of a single order, handling proceeds to the next step. Before using this method, check that mailboxes exist for the addresses mentioned and that you have access to them.

Phone method
In this validation method Telia may use only the contact phone numbers shown in the domain register or in an IP register. The customer has to check that the WHOIS service (e.g. whois.net) or the IP registry (such as ripe.net) includes the correct contact phone number for the domain or IP address, and that the person answering that number has the authority to say "yes" when Telia calls and asks whether the applicant is authorized to use the domain or IP address in server certificates. After the call the domain or IP address appears as available in the certificate portal, or in the case of a single order, handling proceeds to the next step. Note! Domain registrars in Telia countries have removed all telephone numbers from domain records because of GDPR, so this method is available only for IP address certificates.

Suitability of the methods
Some methods are better suited to validation of a single DNS name such as webshop.company.com, and some to validation of an entire network domain such as .company.com.

After validation of an entire domain it is possible to order certificates from Telia for all DNS names in that domain for a period of one year without further validation. Validation of the entire domain is recommended, but it is not always possible because of missing WHOIS information or the privacy policies of certain domain registries. In these cases the DNS method, which is independent of domain registry data, is the recommended method.

The table below lists recommendations for the validation method use:

Validation method   A single DNS name   Entire domain     IP address
DNS                 Recommended         Recommended       Not available
File                Recommended         Not available     Recommended
Email               Not recommended     Recommended       Recommended
Telephone           Not recommended     Not recommended   Recommended
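As an added example (not Telia's own code), the following Python helper applies the file-method rules above before the CA polls: it classifies a requested name, refuses the file method for wildcard and entire-domain orders as noted in the file method section and the table, builds the validation address in the form shown in the file placement examples, and checks a local web root for the validation file with either the .txt suffix or none. The file name, validation string and temporary web root used in the demo are constructed for this example.

```python
import ipaddress
import os
import tempfile

# Relative path the CA polls under the web root, as given on the page.
PKI_PATH = os.path.join(".well-known", "pki-validation")

def classify_name(name):
    # Returns 'ip', 'wildcard', 'entire_domain' or 'single' for a requested name.
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        pass
    if name.startswith("*."):
        return "wildcard"
    if name.startswith("."):
        return "entire_domain"
    return "single"

def file_method_allowed(name):
    # After November 2021 wildcard and entire-domain orders cannot use file validation.
    return classify_name(name) in ("single", "ip")

def validation_address(name, file_name):
    # Address the CA will poll (scheme omitted, as in the page's examples);
    # refuses names the file method does not cover.
    if not file_method_allowed(name):
        raise ValueError(f"file method not available for {name!r}")
    return f"{name}/.well-known/pki-validation/{file_name}"

def find_validation_file(webroot, file_name, expected):
    # The file may be served with a .txt suffix or none; accept either, but only
    # if its content is exactly the validation string. Returns the path or None.
    for candidate in (file_name, file_name + ".txt"):
        path = os.path.join(webroot, PKI_PATH, candidate)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as f:
                if f.read().strip() == expected:
                    return path
    return None

def stage_demo_webroot(file_name, content, suffix=".txt"):
    # Constructed demo: a temporary web root holding the validation file.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, PKI_PATH))
    with open(os.path.join(root, PKI_PATH, file_name + suffix), "w", encoding="utf-8") as f:
        f.write(content + "\n")
    return root
```

Run find_validation_file against your real web root with the string copied from the portal to confirm the file is in place before the CA polls it.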