SERVER CERTIFICATE ORDERING INSTRUCTIONS

Special characters

• Scandinavian characters may be used in Organization (O) and Locality (L) values with no special arrangements. A limitation is use of UTF-8 character set. In Linux systems this character set is default. In Windows and Apple systems UTF-8 is not the default character set. A CSR created in these systems is invalid. If using OpenSSL, please use option -utf8
• A domain cannot directly contain any other characters than a-z, 0-9 and -. If special letters are required, the domain must be entered as punycode encoded.
• Other special characters, like underscore (_) are not allowed.

Administrative contact person

Please note when filling in an administrative contact person: ensure that the person in question has the ability to answer phone calls. If he/she cannot be reached, certificate delivery will be delayed.

The server name

Common Name or Subject Alternative Name is for example www.company.com or IP-address 123.4.5.6. CN/SAN must be the registered address of the server. In case of a wildcard certificate, CN contains an asterisk, a dot and a domain name owned by your organization (*.domain.com). There are two options for entering a name / names into a server certificate order:

• by creating a Certificate Signing Request with all CN- and SAN-values
• by creating a Certificate Signing Request with none or only one CN/SAN value and entering more values in Telia SSL certificate ordering service.

DNS names www.company.com and company.com

Telia offers a DNS name with and without www prefix for same price. An order must contain SAN values for both www.company.com and company.com for this to work. Telia recommends adding the missing version at tab 3 using button ADD DOMAIN/IP. Both names can also be included into CSR when CSR is created.
When both names are in your certificate, both addresses https://www.company.com and https://company.com will work.

Forbidden names & IP addresses

The use of internal names has been deprecated. Thus a server name must be a Fully Qualified Domain Name and its domain must be found in the DNS service. The table below specifies the forbidden values:

Forbidden CN/SAN value	Example
Unregistered top-level domain	.local
No domain present	EXCHANGESERVER1
Private IP address	10.x.x.x	169.254.x.x	172.16.x.x - 172.31.x.x	192.168.x.x

A complete list of private addresses is found IETF documents RFC 1918 (IPv4) and RFC 4193 (IPv6)

Key length

Telia Certificate Service supports RSA and ECC keys. Minimum private key length for RSA keys is 2048-bit. Following elliptic curves are supported:

• prime256v1
• secp384r1

Changes in certification hierarchy

Current root certificate for Telia Certificate Service certificates is called TeliaSonera Root CA v1.

Telia is moving to new Telia Root CA v2 root certificate. Mentioned certificate is not yet included in all operating systems and browsers. Thus it is certificate issuance currently uses a three-tier hierarchy during the transition period. This hierarchy uses as a cross-signing certificate an intermediate certificate called Telia Root CA v2 (intermediate), which is signed by TeliaSonera Root CA v1.

The trust chain for Telia server certificates is shown in the table below:

Certification hierarchy	Root level*	Intermediate level	Enrolling level	Server level
Transition period chain for OV	TeliaSonera Root CA v1	Telia Root CA v2 intermediate	Telia Server CA v3 →	server.com
Transition period chain for DV	TeliaSonera Root CA v1	Telia Root CA v2 intermediate	Telia Domain Validation CA v3 →	server.com
Future chain for OV**	Telia Root CA v2 →		Telia Server CA v3 →	server.com
Future chain for DV**	Telia Root CA v2 →		Telia Domain Validation CA v3 →	server.com

* Installation of a root certificate is not necessary if server application can access the root certificate store of the operating system.
** This hierarchy is not yet supported in all operating systems and browsers.

The necessary root certificates are included in your certificate delivery. They are also available via links in the table above or from a download page