Special characters
A CSR must not include Scandinavian or other special characters.
Administrative contact person
When filling in the administrative contact person, make sure that the person in question is actually able to answer phone calls. If he/she cannot be reached, certificate delivery will be delayed.
The server name
The Common Name (CN) or Subject Alternative Name (SAN) is, for example, www.company.com or the IP address 123.4.5.6. The CN/SAN must be the registered address of the server. In the case of a wildcard certificate, the CN consists of an asterisk, a dot and a domain name owned by your organization (*.domain.com). There are two ways to enter the name or names into a server certificate order:
- by creating a Certificate Signing Request (CSR) that contains all CN and SAN values
- by creating a CSR with no or only one CN/SAN value and entering the remaining values in the Telia SSL certificate ordering service.
Forbidden names & IP addresses
The use of internal names has been deprecated. A server name must therefore be a Fully Qualified Domain Name (FQDN), and its domain must be found in DNS. The table below specifies the forbidden values:
Forbidden CN/SAN value | Example |
Unregistered top-level domain | .local |
No domain present | EXCHANGESERVER1 |
Private IP address | 10.x.x.x, 169.254.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x |
A complete list of private addresses is found in the IETF documents RFC 1918 (IPv4) and RFC 4193 (IPv6).
Key length
Telia Certificate Service supports RSA and ECC keys. The minimum private key length for RSA keys is 2048 bits. The following elliptic curves are supported:
- prime256v1
- secp384r1
The new certification hierarchy, which replaces the old Sonera Class 2 CA root certificate, consists of multiple levels as required by the CA/Browser Forum Baseline Requirements. During the transition period the root certificate is Sonera Class 2 CA, followed by TeliaSonera Root CA v1 (intermediate), and server certificates are enrolled under TeliaSonera Server CA v2. TeliaSonera Root CA v1 will completely replace Sonera Class 2 CA by 2020, and the intermediate level will then be removed from the trust chain.
The trust chain from a root certificate to a server certificate is shown in the table below:
Certification hierarchy | Root level* | Intermediate level | Enrolling level | Server level |
Valid until 2021 (still recommended for older Java servers) | Sonera Class 2 CA → | TeliaSonera Root CA v1 (intermediate) → | TeliaSonera Server CA v2 → | server.com |
Current recommendation** | TeliaSonera Root CA v1 → | (none) | TeliaSonera Server CA v2 → | server.com |
* Installing the root certificate is not necessary if the server application can access the root certificate store of the operating system.
** This hierarchy may cause security warnings for users with very old devices, or if the certificate is installed into an obsolete Java certificate store.
The necessary root certificates can be downloaded from the links in the table above or from a download page, or you can use the precompiled root certificate packages found in the application-specific instructions at the bottom of this page.
Value | Example | Mandatory | Notes |
(CN) Common name | www.company.com / *.company.com | Yes | The Fully Qualified Domain Name of the server or, in the case of a wildcard certificate, an asterisk, a dot and a domain name. |
(OU) Organizational unit | IT Management | No | The use of this value is not recommended. If it is used, it further specifies the O value. OU must not contain names or trademarks of other companies. |
(O) Organization | Oy Yritys Ab | Yes | The official name of the ordering organization. This name must be exactly the same as the name shown in the Y-tunnus (Y-code / Finnish Business Identity Code / VAT number) database. |
(L) Locality | Helsinki | Yes | The official home municipality of the organization given in the O value. Not the location of the server! |
(ST) State | - | Not used | This value is not included in certificates issued by Telia Company. |
(C) Country | FI | Yes | The ISO 3166 country code of the organization given in the O value. It is always two letters. |
(E) Email | webmaster@company.com | No | This value is not included in certificates issued by Telia Company. |
Empty meta-values such as 'unknown', '-' and ' ' are not allowed as CSR values in any field.
If you use Scandinavian or other non-ASCII characters in the certificate data fields, use UTF-8 character encoding. For example, in OpenSSL the option -utf8 has to be included when you create the CSR.
FullSSL customers have a limited set of localities that have been validated as official localities for the organization. If an L value contains characters that are not UTF-8 encoded, Secure Manager will display an error when the CSR is interpreted.
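The following checker is an added example, not Telia's own code: it applies the forbidden CN/SAN rules from the table above (no internal names, no unregistered TLD such as .local, no RFC 1918 / RFC 4193 private addresses), the wildcard form, and the mandatory-field and empty meta-value rules from the CSR field table, so that a CSR can be screened before it is submitted. The function names check_name and check_subject and the sample inputs are constructed for this example.

```python
import ipaddress
import re

# Constructed checker for the CN/SAN and subject rules described on this page.
UNREGISTERED_TLDS = {"local"}                 # the page's example; extend as needed
EMPTY_META = {"", "-", "unknown"}             # empty meta-values the page forbids
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label

def check_name(name):
    """Return the rule violations for one CN/SAN value (empty list = acceptable)."""
    problems = []
    if not name.isascii():
        return ["special (non-ASCII) characters are not allowed in a CSR"]
    value = name.strip().lower()
    try:                                       # IP-address form of a CN/SAN
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 1918 / RFC 4193 private ranges, link-local (169.254.x.x), loopback
        if ip.is_private or ip.is_link_local or ip.is_loopback or ip.is_reserved:
            problems.append(f"private or non-routable IP address {ip}")
        return problems
    labels = value.split(".")
    if len(labels) < 2 or not labels[-1]:
        return ["no domain present: a Fully Qualified Domain Name is required"]
    if labels[-1] in UNREGISTERED_TLDS:
        problems.append(f"unregistered top-level domain .{labels[-1]}")
    if "*" in value:
        # Wildcard form is exactly: asterisk, dot, a domain owned by the organization
        if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
            problems.append("wildcard must have the form *.domain.tld")
        labels = labels[1:]
    bad = [lab for lab in labels if not LABEL.match(lab)]
    if bad:
        problems.append(f"invalid DNS label(s): {bad}")
    return problems

def check_subject(subject):
    """Check a CSR subject dict (keys CN, O, L, C, ...) against the field table."""
    problems = []
    for key in ("CN", "O", "L", "C"):          # mandatory fields
        if subject.get(key, "").strip().lower() in EMPTY_META:
            problems.append(f"{key} is mandatory and must not be an empty meta-value")
    if not re.fullmatch(r"[A-Z]{2}", subject.get("C", "")):
        problems.append("C must be a two-letter ISO 3166 country code")
    return problems
```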
The composition of a registered address
A certificate can be enrolled only for orders whose address details are complete and match the registry. A registered address is composed of the CSR values O, L and C plus the fields Company address and Company post code in the order form. A P.O. Box cannot serve as a registered address, but it can be used as a billing address.
Authorization of use of your organization and domain names to another company
If you wish to delegate certificate enrollment and maintenance to another company, you need to fill in a special authorization form, which is found in the side menu of this page.
Location of data file in Domain Control Validation method
When the DCV file validation method is used to confirm domain control, a data file must be placed at a specific location on your web server. An example file name: telia_validation_data_file_20180308
Server | Control address | Example of the entire path |
Linux | www.company.com/.well-known/pki-validation/telia_validation_data_file_20180308 | /var/www/html/.well-known/pki-validation/telia_validation_data_file_20180308 |
Windows | www.company.com/.well-known/pki-validation/telia_validation_data_file_20180308 | C:\well-known\pki-validation\telia_validation_data_file_20180308 |
APPLICATION-SPECIFIC INSTRUCTIONS
- Apache
- Microsoft IIS
- Oracle Java
- Tomcat