- Scandinavian characters may be used in Organization (O) and Locality (L) values with no special arrangements. The one limitation is that the UTF-8 character set must be used. On Linux systems this character set is the default. On Windows and Apple systems UTF-8 is not the default character set. A CSR created in these systems is invalid. If using OpenSSL, please use option
- A domain cannot directly contain any characters other than a-z, 0-9 and -. If special letters are required, the domain must be entered in punycode-encoded form.
- Other special characters, such as underscore (_), are not allowed.
Administrative contact person
Please note when filling in an administrative contact person: ensure that the person in question has the ability to answer phone calls. If he/she cannot be reached, certificate delivery will be delayed.
The server name
A Common Name (CN) or Subject Alternative Name (SAN) is, for example, www.company.com or the IP address 188.8.131.52. The CN/SAN must be the registered address of the server. In the case of a wildcard certificate, the CN contains an asterisk, a dot and a domain name owned by your organization (*.domain.com). There are two options for entering a name or names into a server certificate order:
- by creating a Certificate Signing Request with all CN- and SAN-values
- by creating a Certificate Signing Request with none or only one CN/SAN value and entering more values in Telia SSL certificate ordering service.
DNS names www.company.com and company.com
Telia offers a DNS name with and without the www prefix for the same price. An order must contain SAN values for both www.company.com and company.com for this to work. Telia recommends adding the missing version at tab 3 using the button ADD DOMAIN/IP. Both names can also be included in the CSR when the CSR is created.
When both names are in your certificate, both addresses https://www.company.com and https://company.com will work.
Forbidden names & IP addresses
The use of internal names has been deprecated. Thus a server name must be a Fully Qualified Domain Name and its domain must be found in the DNS service. The table below specifies the forbidden values:
|Forbidden CN/SAN value||Example|
|Unregistered top-level domain||.local|
|No domain present||EXCHANGESERVER1|
|Private IP address||10.x.x.x, 169.254.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x|
A complete list of private addresses is found in IETF documents RFC 1918 (IPv4) and RFC 4193 (IPv6).
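The character rules and the forbidden-value table above can be checked before a CSR is submitted. The following is an added example, not part of Telia's service or tooling; the function name `check_name` and the one-entry list of unregistered top-level domains are assumptions made for illustration.

```python
import ipaddress
import re

# A DNS label as the page allows it: a-z, 0-9 and "-" only, so no underscore.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
# Assumption: a short list for illustration; the page itself names only ".local".
UNREGISTERED_TLDS = {"local"}

def check_name(value):
    """Return the problems found in one CN/SAN value; an empty list means it passes."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # is_private covers RFC 1918, 169.254.0.0/16 and RFC 4193 (fc00::/7).
        return ["private IP address"] if ip.is_private else []
    name = value.lower().rstrip(".")      # DNS names are case-insensitive
    if name.startswith("*."):             # wildcard: asterisk, dot, domain name
        name = name[2:]
    if not name.isascii():
        try:
            return ["enter as punycode: " + name.encode("idna").decode("ascii")]
        except UnicodeError:
            return ["not convertible to punycode"]
    labels = name.split(".")
    problems = []
    if len(labels) < 2:
        problems.append("no domain present (not a FQDN)")
    elif labels[-1] in UNREGISTERED_TLDS:
        problems.append("unregistered top-level domain ." + labels[-1])
    for label in labels:
        if not LABEL.fullmatch(label):
            problems.append("label %r is not made of a-z, 0-9 and -" % label)
    return problems

if __name__ == "__main__":
    # Constructed sample values, taken from or modelled on the page's examples.
    for sample in ["www.company.com", "*.domain.com", "EXCHANGESERVER1",
                   "server.local", "my_host.company.com", "192.168.1.10"]:
        print(sample, "->", check_name(sample) or "ok")
```

The check only covers syntax and address class; whether a domain is actually found in DNS still has to be confirmed separately.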
Telia Certificate Service supports RSA and ECC keys. The minimum private key length for RSA keys is 2048 bits. The following elliptic curves are supported:
Changes in certification hierarchy
The current root certificate for Telia Certificate Service certificates is called TeliaSonera Root CA v1.
Telia is moving to the new Telia Root CA v2 root certificate. This certificate is not yet included in all operating systems and browsers. Thus certificate issuance currently uses a three-tier hierarchy during the transition period. As its cross-signing certificate, this hierarchy uses an intermediate certificate called Telia Root CA v2 (intermediate), which is signed by TeliaSonera Root CA v1.
The trust chain for Telia server certificates is shown in the table below:
|Certification hierarchy||Root level*||Intermediate level||Enrolling level||Server level|
|Transition period chain for OV||TeliaSonera Root CA v1||Telia Root CA v2 intermediate||Telia Server CA v3||server.com|
|Transition period chain for DV||TeliaSonera Root CA v1||Telia Root CA v2 intermediate||Telia Domain Validation CA v3||server.com|
|Future chain for OV**||Telia Root CA v2||-||Telia Server CA v3||server.com|
|Future chain for DV**||Telia Root CA v2||-||Telia Domain Validation CA v3||server.com|
* Installation of a root certificate is not necessary if the server application can access the root certificate store of the operating system.
** This hierarchy is not yet supported in all operating systems and browsers.
The necessary root certificates are included in your certificate delivery. They are also available via links in the table above or from a download page.
|(CN) Common name||www.company.com /||Yes||A Fully Qualified Domain Name of the server, or in case of a wildcard certificate an asterisk, a dot and a domain name.|
|(OU) Organizational unit||-||Forbidden||This value is not included in certificates issued by Telia. Use of OU was deprecated by CA/Browser Forum in 2022.|
|(O) Organization||Oy Yritys Ab||Yes||The official name of the ordering organization. This name has to be exactly the same as the name visible in the Y-tunnus (Y-code/Finnish Business Identity Code/VAT Number) database.|
|(L) Locality||Helsinki||Yes||The official home municipality for the organization defined in O value. Not the location of the server!|
|(ST) State||-||Not used||This value is not included in certificates issued by Telia.|
|(C) Country||FI||Yes||The ISO 3166 country code for the organization defined in O value. It always has two letters.|
|(E) Email||-||No||This value is not included in certificates issued by Telia.|
Empty meta-values such as 'unknown', '-' and ' ' are not allowed as CSR values in any property.
If you use Scandinavian or other non-ASCII characters in certificate data fields, please use UTF-8 character encoding. For example, in OpenSSL the option -utf8 has to be included when you create a CSR.
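The field table and the UTF-8 requirement above can be turned into a pre-submission check. The following is an added example, not Telia's or OpenSSL's code; it assumes the subject is available as the raw bytes of an OpenSSL-style `/KEY=value` string, and the name `lint_subject` and the sample subjects are constructed for illustration.

```python
import re

REQUIRED = ("CN", "O", "L", "C")        # rows marked "Yes" in the table
FORBIDDEN = {"OU"}                      # row marked "Forbidden"
NOT_INCLUDED = {"ST", "emailAddress"}   # rows Telia leaves out of the certificate
PLACEHOLDERS = {"unknown", "-", ""}     # empty meta-values, compared after strip()

def lint_subject(raw):
    """Return findings for an OpenSSL-style subject string given as bytes."""
    try:
        subj = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["subject is not valid UTF-8 (created in a non-UTF-8 locale?)"]
    fields = {}
    for part in re.split(r"(?<!\\)/", subj.strip()):   # split on unescaped "/"
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value
    findings = [f"{k}: required but missing" for k in REQUIRED if k not in fields]
    for key, value in fields.items():
        if value.strip().lower() in PLACEHOLDERS:
            findings.append(f"{key}: empty meta-value is not allowed")
        elif key in FORBIDDEN:
            findings.append(f"{key}: forbidden, remove it")
        elif key in NOT_INCLUDED:
            findings.append(f"{key}: not included in the issued certificate")
    if "C" in fields and not re.fullmatch(r"[A-Z]{2}", fields["C"]):
        findings.append("C: must be a two-letter ISO 3166 code")
    return findings

# Constructed sample subjects (not from the page).
SUBJECT = "/C=FI/L=Jyväskylä/O=Oy Yritys Ab/CN=www.company.com"
GOOD = SUBJECT.encode("utf-8")
LATIN1 = SUBJECT.encode("latin-1")      # what a non-UTF-8 terminal would produce
BAD = b"/C=Finland/ST=-/OU=IT/O=Oy Yritys Ab/CN=www.company.com"

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("LATIN1", LATIN1), ("BAD", BAD)]:
        print(name, "->", lint_subject(raw) or "ok")
```

The Latin-1 sample shows why a CSR made without UTF-8 is rejected: the same visible text produces bytes that do not decode as UTF-8.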
FullSSL customers have a limited set of localities which have been validated as official localities for this organization.
The composition of a registered address
A certificate can be enrolled only for orders with full and registry-matching address details. A registered address is composed of CSR values O, L and C, plus fields Company address and Company post code in the order form. A P.O. Box cannot serve as a registered address, but it can be used as a billing address.
Authorization of use of your organization and domain names to another company
If you wish to delegate certificate enrollment and maintenance to another company, you need to fill in a special authorization form. The form is found in the side menu of this page.
Domain Control Validation as a proof of control over a domain
Since 2018 one of four designated methods must be used to verify domain control. Domain control always has to be validated when a domain has never before been used at Telia Certificate Service for certificate issuance.
CREATION OF A PRIVATE KEY
Creation of a private key with OpenSSL