SERVER CERTIFICATE ORDERING INSTRUCTIONS

Special characters

• Scandinavian characters may be used in Organization (O) and Locality (L) values with no special arrangements. A limitation is use of UTF-8 character set. In Linux systems this character set is default. In Windows and Apple systems UTF-8 is not the default character set. A CSR created in these systems is invalid. If using OpenSSL, please use option -utf8
• A domain cannot directly contain any other characters than a-z, 0-9 and -. If special letters are required, the domain must be entered as punycode encoded.
• Other special characters, like underscore (_) are not allowed.

Administrative contact person

Please note when filling in an administrative contact person: ensure that the person in question has the ability to answer phone calls. If he/she cannot be reached, certificate delivery will be delayed.

The server name

Common Name or Subject Alternative Name is for example www.company.com or IP-address 123.4.5.6. CN/SAN must be the registered address of the server. In case of a wildcard certificate, CN contains an asterisk, a dot and a domain name owned by your organization (*.domain.com). There are two options for entering a name / names into a server certificate order:

• by creating a Certificate Signing Request with all CN- and SAN-values
• by creating a Certificate Signing Request with none or only one CN/SAN value and entering more values in Telia SSL certificate ordering service.

DNS names www.company.com and company.com

Telia offers a DNS name with and without www prefix for same price. An order must contain SAN values for both www.company.com and company.com for this to work. Telia recommends adding the missing version at tab 3 using button ADD DOMAIN/IP. Both names can also be included into CSR when CSR is created.
When both names are in your certificate, both addresses https://www.company.com and https://company.com will work.

Forbidden names & IP addresses

The use of internal names has been deprecated. Thus a server name must be a Fully Qualified Domain Name and its domain must be found in the DNS service. The table below specifies the forbidden values:

Forbidden CN/SAN value	Example
Unregistered top-level domain	.local
No domain present	EXCHANGESERVER1
Private IP address	10.x.x.x	169.254.x.x	172.16.x.x - 172.31.x.x	192.168.x.x

A complete list of private addresses is found IETF documents RFC 1918 (IPv4) and RFC 4193 (IPv6)

Key length

Telia Certificate Service supports RSA and ECC keys. Minimum private key length for RSA keys is 2048-bit. Following elliptic curves are supported:

• prime256v1
• secp384r1

Changes in certification hierarchy

Current Telia certification chain for TLS consists of root certificate Telia Root CA v2 and intermediate certificate Telia Server CA v3 and Telia Domain Validation CA v3. The old chain beginning from TeliaSonera Root CA v1 will be valid up to year 2026.

The trust chain for Telia server certificates is shown in the table below:

Certification hierarchy	Root level*	Intermediate level	Enrolling level	Server level
Old chain for OV	TeliaSonera Root CA v1	Telia Root CA v2 intermediate	Telia Server CA v3 →	server.com
Old chain for DV	TeliaSonera Root CA v1	Telia Root CA v2 intermediate	Telia Domain Validation CA v3 →	server.com
Current chain for OV	Telia Root CA v2 →		Telia Server CA v3 →	server.com
Current chain for DV	Telia Root CA v2 →		Telia Domain Validation CA v3 →	server.com

* Installation of a root certificate is not necessary if server application can access the root certificate store of the operating system.

The necessary root certificates are included in your certificate delivery. They are also available via links in the table above or from a download page