SERVER CERTIFICATE ORDERING INSTRUCTIONS

Special characters

A CSR must not include Scandinavian or other special characters.

Administrative contact person

Please note when filling in the administrative contact person: make sure that the person in question can be reached by phone. If he/she cannot be reached, certificate delivery will be delayed.

The server name

The Common Name (CN) or Subject Alternative Name (SAN) is, for example, www.company.com or the IP address 123.4.5.6. The CN/SAN must be the registered address of the server. For a wildcard certificate, the CN consists of an asterisk, a dot and a domain name owned by your organization (*.domain.com). There are two options for entering the name or names into a server certificate order:

  • by creating a Certificate Signing Request with all CN and SAN values
  • by creating a Certificate Signing Request with no or only one CN/SAN value and entering the remaining values in the TeliaSonera SSL certificate ordering service.
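The first option, a CSR that already carries the CN and every SAN, as an added example (not TeliaSonera's own code): the script writes an OpenSSL "req" configuration with a subjectAltName section and, when the openssl command-line tool is installed, generates the key and the CSR from it. The hostnames and organization details are constructed placeholders; IP values get IP.n entries and hostnames get DNS.n entries.

```python
"""Option 1: put the CN and every SAN into the CSR itself. Added example, not
TeliaSonera's code; it writes an OpenSSL 'req' configuration and, if openssl is
installed, generates the key and CSR. Names and organization are placeholders."""
import ipaddress
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample order (placeholders, not a real organization).
SUBJECT = {"CN": "www.company.com", "O": "Oy Yritys Ab", "L": "Helsinki", "C": "FI"}
EXTRA_SANS = ["company.com", "mail.company.com"]


def san_line(index, name):
    """Emit an IP.n entry for an IP address and a DNS.n entry for a hostname."""
    try:
        ipaddress.ip_address(name)
        return f"IP.{index} = {name}"
    except ValueError:
        return f"DNS.{index} = {name}"


def build_req_config(subject, extra_sans, key_bits=2048):
    """Return openssl.cnf text that yields a CSR with the subject fields plus a
    subjectAltName extension listing the CN and the extra names. Only CN, O, L
    and C are set: ST is not included by Telia and OU is not recommended."""
    sans = [subject["CN"]] + [s for s in extra_sans if s != subject["CN"]]
    lines = [
        "[ req ]",
        f"default_bits = {key_bits}",  # 2048 bits is the minimum accepted key length
        "default_md = sha256",
        "prompt = no",
        "distinguished_name = dn",
        "req_extensions = req_ext",
        "",
        "[ dn ]",
    ]
    lines += [f"{key} = {value}" for key, value in subject.items()]
    lines += ["", "[ req_ext ]", "subjectAltName = @alt_names", "", "[ alt_names ]"]
    lines += [san_line(i, name) for i, name in enumerate(sans, start=1)]
    return "\n".join(lines) + "\n"


def san_entries(config_text):
    """Read the DNS.n / IP.n values back out of a config, for a final check."""
    return [line.split("=", 1)[1].strip() for line in config_text.splitlines()
            if line.startswith(("DNS.", "IP."))]


def generate_csr(config_text, workdir):
    """Create server.key and server.csr in workdir with openssl; returns the CSR
    path, or None when openssl is not available on this machine."""
    if shutil.which("openssl") is None:
        return None
    workdir = Path(workdir)
    cnf = workdir / "csr.cnf"
    cnf.write_text(config_text)
    key, csr = workdir / "server.key", workdir / "server.csr"
    # -nodes leaves the private key unencrypted; protect the file accordingly.
    subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", str(key), "-out", str(csr), "-config", str(cnf)],
                   check=True, capture_output=True)
    return csr


if __name__ == "__main__":
    cfg = build_req_config(SUBJECT, EXTRA_SANS)
    print(cfg)
    with tempfile.TemporaryDirectory() as tmp:
        csr = generate_csr(cfg, tmp)
        if csr is not None:
            # Decode the request so the subject and SAN list can be checked
            # against the order before it is submitted.
            decoded = subprocess.run(["openssl", "req", "-in", str(csr), "-noout", "-text"],
                                     check=True, capture_output=True, text=True)
            print(decoded.stdout)
```

Keep server.key on the server only; only server.csr is sent with the order. The decoded output lets you confirm that every name you intend to order appears under "Subject Alternative Name" before submitting.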

Forbidden names & IP addresses

Internal names are no longer accepted. A server name must therefore be a Fully Qualified Domain Name that is found in the DNS service. The table below specifies the forbidden values:

Forbidden CN/SAN value          Example
Unregistered top-level domain   .local
No domain present               EXCHANGESERVER1
Private IP address              10.x.x.x, 169.254.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x

A complete list of private addresses is found in the IETF documents RFC 1918 (IPv4) and RFC 4193 (IPv6).

Key length

The minimum private key length is 2048 bits.

Changes in certification hierarchy

The new certification hierarchy, which replaces the old Sonera Class 2 CA root certificate, consists of multiple levels as required by the CA/Browser Forum Baseline Requirements. During the transition period the root certificate is Sonera Class 2 CA, followed by TeliaSonera Root CA v1 (as an intermediate), and server certificates are enrolled under TeliaSonera Server CA v2. TeliaSonera Root CA v1 will completely replace Sonera Class 2 CA by 2019, and the intermediate level will then be removed from the trust chain. Until the migration is complete, we recommend installing the three-tier certification hierarchy on the servers.
The trust chain from a root certificate to a server certificate is shown in the table below:

Certification hierarchy       Root level*              Intermediate level                      Enrolling level            Server level
Used until 2012               Sonera Class 2 CA        -                                       -                          server.com
Present recommendation        Sonera Class 2 CA        TeliaSonera Root CA v1 (intermediate)   TeliaSonera Server CA v2   server.com
Recommendation after 2017 **  TeliaSonera Root CA v1   -                                       TeliaSonera Server CA v2   server.com

* Installation of a root certificate is not necessary if the server application can access the root certificate store of the operating system.
** This hierarchy may cause user security warnings if the users have very old devices or operating systems.

The necessary root certificates can be downloaded from the links in the table above or from the download page; alternatively, you can use the precompiled root certificate packages provided with the application-specific instructions at the bottom of this page.

Instructions on the values of the CSR

Value: (CN) Common name
  Example: www.company.com / *.company.com
  Mandatory: Yes
  Notes: A Fully Qualified Domain Name of the server or, in the case of a wildcard certificate, an asterisk, a dot and a domain name.

Value: (OU) Organizational unit
  Example: IT Management
  Mandatory: No
  Notes: The use of this value is not recommended. If it is used, it further specifies the organization given in the O value.

Value: (O) Organization
  Example: Oy Yritys Ab
  Mandatory: Yes
  Notes: The official name of the ordering organization. It must be exactly the same as the name recorded in the Y-tunnus (Y-code / Finnish Business Identity Code / VAT Number) database.

Value: (L) Locality
  Example: Helsinki
  Mandatory: Yes
  Notes: The official home municipality of the organization given in the O value. Not the location of the server!

Value: (ST) State
  Example: -
  Mandatory: Not used
  Notes: This value is not included in certificates issued by Telia Company.

Value: (C) Country
  Example: FI
  Mandatory: Yes
  Notes: The ISO 3166 country code of the organization given in the O value; it is always two letters.

Value: (E) Email
  Example: webmaster@company.com
  Mandatory: No
  Notes: An email address can be included to show administrative contact details to the users of the service.

Empty meta-values such as 'unknown', '-' and ' ' are not allowed as CSR values in any property.
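A pre-order check of the CSR contents against the rules on this page, as an added example that is not TeliaSonera's tooling. It covers both the forbidden-values table above (no domain present, unregistered top-level domain, private IP address) and the CSR value instructions (ASCII-only values, no empty meta-values, two-letter C, ST not used, OU not recommended). Two assumptions are built in: "special characters" is taken to mean anything outside ASCII, and .local is treated as the only unregistered top-level domain because it is the one the table lists. The sample order is constructed.

```python
"""Pre-order check of CN/SAN values and CSR subject fields against the ordering
rules. Added example, not TeliaSonera's tooling. Assumptions: 'special
characters' means non-ASCII; .local is the only unregistered TLD listed."""
import ipaddress
import re

# RFC 1918 (IPv4) and RFC 4193 (IPv6) private ranges, plus link-local
# 169.254.0.0/16, which the forbidden-values table also lists.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "169.254.0.0/16", "fc00::/7")]
UNREGISTERED_TLDS = {"local"}          # from the table; extend as needed
EMPTY_META = {"", "unknown", "-"}      # 'unknown', '-' and ' ' are rejected
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample order: two acceptable names and three the CA would reject.
SAMPLE_SUBJECT = {"CN": "www.company.com", "O": "Oy Yritys Ab", "L": "Helsinki", "C": "FI"}
SAMPLE_SANS = ["www.company.com", "mail.company.com",
               "EXCHANGESERVER1", "10.0.0.5", "*.company.local"]


def check_name(name):
    """Return the list of problems with one CN/SAN value (empty means acceptable)."""
    if not name.isascii():
        return [f"'{name}': special (non-ASCII) characters are not allowed"]
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in PRIVATE_NETS):
            return [f"'{name}': private IP address is forbidden"]
        return []
    problems = []
    labels = name.lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]            # wildcard: the rest must still be a domain
    if len(labels) < 2:
        problems.append(f"'{name}': no domain present (internal names are forbidden)")
    elif labels[-1] in UNREGISTERED_TLDS:
        problems.append(f"'{name}': unregistered top-level domain .{labels[-1]}")
    if not all(LABEL_RE.match(label) for label in labels):
        problems.append(f"'{name}': not a valid fully qualified domain name")
    return problems


def check_subject(subject):
    """Return problems with a CSR subject given as a dict of short names (CN, O, ...)."""
    problems = []
    for key, value in subject.items():
        if not value.isascii():
            problems.append(f"{key}: special (non-ASCII) characters are not allowed")
        if value.strip().lower() in EMPTY_META:
            problems.append(f"{key}: empty meta-value {value!r} is not allowed")
    for key in ("CN", "O", "L", "C"):
        if key not in subject:
            problems.append(f"{key}: mandatory value is missing")
    if "ST" in subject:
        problems.append("ST: not used in Telia certificates, leave it out of the CSR")
    if "OU" in subject:
        problems.append("OU: present, but its use is not recommended")
    if "C" in subject and not re.fullmatch(r"[A-Za-z]{2}", subject["C"]):
        problems.append(f"C: must be a two-letter ISO 3166 code, got {subject['C']!r}")
    if "CN" in subject:
        problems += check_name(subject["CN"])
    return problems


def check_order(subject, sans):
    """Problems for a whole order: the subject plus every additional SAN."""
    problems = check_subject(subject)
    for san in sans:
        if san != subject.get("CN"):   # the CN was already checked above
            problems += check_name(san)
    return problems


if __name__ == "__main__":
    for problem in check_order(SAMPLE_SUBJECT, SAMPLE_SANS):
        print("REJECT:", problem)
```

Run against the constructed sample, the check flags EXCHANGESERVER1 (no domain), 10.0.0.5 (private address) and *.company.local (unregistered top-level domain) while accepting the two public hostnames; fixing these before submission avoids the order being rejected at the CA.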

The composition of a registered address

A certificate can be enrolled only for orders with full and registry-matching address details. A registered address is composed of CSR values O, L and C, plus fields Company address and Company post code in the order form. A P.O. Box cannot serve as a registered address, but it can be used as a billing address.

APPLICATION-SPECIFIC INSTRUCTIONS

Apache
Microsoft IIS
Oracle Java
Tomcat