Special characters

A CSR must not include Scandinavian or other special characters.

Administrative contact person

Please note when filling in an administrative contact person: ensure that the person in question has the ability to answer phone calls. If he/she cannot be reached, certificate delivery will be delayed.

The server name

Common Name or Subject Alternative Name is for example or IP-address. CN/SAN must be the registered address of the server. In case of a wildcard certificate, CN contains an asterisk, a dot and a domain name owned by your organization (*

There are two options for entering a name / names into a server certificate order:

  • by creating a Certificate Signing Request with all CN- and SAN-values
  • by creating a Certificate Signing Request with none or only one CN/SAN value and entering more values in Telia SSL certificate ordering service.

Forbidden names & IP addresses

The use of internal names has been deprecated. Thus a server name must be a Fully Qualified Domain Name and its domain must be found in the DNS service. The table below specifies the forbidden values:

Forbidden CN/SAN value | Example
Unregistered top-level domain | .local
No domain present | EXCHANGESERVER1
Private IP address | 10.x.x.x, 169.254.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x

A complete list of private addresses is found in IETF documents RFC 1918 (IPv4) and RFC 4193 (IPv6).

Key length

Telia Certificate Service supports RSA and ECC keys. The minimum private key length for RSA keys is 2048 bits. The following elliptic curves are supported:

  • prime256v1
  • secp384r1

Changes in certification hierarchy

The new certification hierarchy, which replaces the old Sonera Class 2 CA root certificate, consists of multiple levels as required by the CA/Browser Forum Baseline Requirements. During the transition period the root certificate will be Sonera Class 2 CA, followed by TeliaSonera Root CA v1 (intermediate), and server certificates are enrolled under TeliaSonera Server CA v2. TeliaSonera Root CA v1 will completely replace Sonera Class 2 CA by 2020, and the intermediate level will be removed from the trust chain.
The trust chain from a root certificate to a server certificate is shown in the table below:

Certification hierarchy | Root level* | Intermediate level | Enrolling level | Server level
Valid until 2021 (Still recommended for older Java servers) | Sonera Class 2 CA | TeliaSonera Root CA v1 (intermediate) | TeliaSonera Server CA |
Current recommendation** | TeliaSonera Root CA v1 | | TeliaSonera Server CA |

* Installation of a root certificate is not necessary if the server application can access the root certificate store of the operating system.
** This hierarchy may cause user security warnings if the users have very old devices or the certificate is installed into an obsolete Java certificate store.

The necessary root certificates can be downloaded from the links in the table above or from a download page. You can also use the precompiled root certificate packages found in the application-specific instructions at the bottom of this page.

Instructions on the values of the CSR

Value | Example | Mandatory | Notes
(CN) Common name | / | Yes | A Fully Qualified Domain Name of the server, or in case of a wildcard certificate an asterisk, a dot and a domain name.
(OU) Organizational unit | IT Management | No | The use of this value is not recommended. If this value is used it defines the O value to a greater degree. OU must not contain names or trademarks of other companies.
(O) Organization | Oy Yritys Ab | Yes | The official name of the ordering organization. This name has to be exactly the same as the name visible in the Y-tunnus (Y-code/Finnish Business Identity Code/VAT Number) database.
(L) Locality | Helsinki | Yes | The official home municipality for the organization defined in the O value. Not the location of the server!
(ST) State | - | Not used | This value is not included in certificates issued by Telia Company.
(C) Country | FI | Yes | The ISO3166 country code for the organization defined in the O value. It always has two letters.
(E) Email | webmaster@ | No | This value is not included in certificates issued by Telia Company.

Empty meta-values such as 'unknown', '-' and ' ' are not allowed as CSR values in any property.

If you use Scandinavian or other non-ASCII characters in certificate data fields, please use UTF-8 character encoding. For example, with OpenSSL the -utf8 option has to be included when you create a CSR.

FullSSL customers have a limited set of localities which have been validated as official localities for this organization. If an L value contains other than UTF-8 characters, Secure Manager will display an error when the CSR is interpreted.
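
A pre-order check of the rules above (the forbidden CN/SAN values, the mandatory subject values and the ban on empty meta-values), added here as an example and not Telia's own code. The function names, the sample order and every suffix in UNREGISTERED_TLDS other than .local are assumptions; names are passed in as plain strings rather than parsed from a CSR.

```python
import ipaddress

# Address ranges from the table above; fc00::/7 is the RFC 4193 IPv6 range.
FORBIDDEN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# ".local" is the page's example; the other suffixes are assumptions added here.
UNREGISTERED_TLDS = {"local", "localhost", "internal", "lan", "corp", "home"}
META_VALUES = {"unknown", "-", ""}  # compared after strip(), so ' ' matches ""
MANDATORY = ("CN", "O", "L", "C")

def check_name(name):
    """Return why a CN/SAN value is forbidden, or None if it passes."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        return "private IP address" if any(ip in n for n in FORBIDDEN_NETS) else None
    host = name[2:] if name.startswith("*.") else name  # wildcard: "*." + domain
    if "*" in host:
        return "malformed wildcard"
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "no domain present"
    if labels[-1] in UNREGISTERED_TLDS:
        return "unregistered top-level domain"
    return None

def check_subject(subject):
    """Return the problems found in a dict of CSR subject values."""
    problems = [f"{a}: mandatory value missing" for a in MANDATORY if a not in subject]
    problems += [f"{a}: empty meta-value" for a, v in subject.items()
                 if v.strip().lower() in META_VALUES]
    c = subject.get("C")
    if c is not None and not (len(c) == 2 and c.isascii() and c.isalpha()):
        problems.append("C: not a two-letter country code")
    return problems

def preflight(subject, sans):
    """Check the subject values and every CN/SAN name; return all findings."""
    names = ([subject["CN"]] if "CN" in subject else []) + list(sans)
    findings = check_subject(subject)
    findings += [f"{n}: {r}" for n in names if (r := check_name(n))]
    return findings

# Constructed sample order (www.example.com and the SAN list are illustrative).
SAMPLE_SUBJECT = {"CN": "www.example.com", "O": "Oy Yritys Ab", "L": "Helsinki", "C": "FI"}
SAMPLE_SANS = ["EXCHANGESERVER1", "mail.corp.local", "10.1.2.3", "*.example.com"]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_SUBJECT, SAMPLE_SANS):
        print(finding)
```

A name that passes this check has still not been shown to exist in DNS; that requirement needs a live lookup.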

The composition of a registered address

A certificate can be enrolled only for orders with full and registry-matching address details. A registered address is composed of CSR values O, L and C, plus fields Company address and Company post code in the order form. A P.O. Box cannot serve as a registered address, but it can be used as a billing address.

Authorization of use of your organization and domain names to another company

If you wish to delegate certificate enrollment and maintenance to another company, you need to fill in a special authorization form. The form can be found in the side menu of this page.

Location of data file in Domain Control Validation method

When the DCV file validation method is used to confirm domain control, a data file must be placed at a certain location on your web server. An example file name: telia_validation_data_file_20180308

Control address | An example of entire path
\well-known\pki-validation\telia_validation_data_file_20180308
It is not possible to use a . in Windows file names and paths. In order to create a correct address in IIS, you need to create a virtual directory by right-clicking the name of your web server and choosing Add virtual directory from the menu. Enter .well-known as the alias and C:\well-known\pki-validation in the text box named Physical path.


Microsoft IIS
Oracle Java