A CSR must not include Scandinavian or other special characters.
Administrative contact person
Please note when filling in an administrative contact person: ensure that the person in question has the ability to answer phone calls. If he/she cannot be reached, certificate delivery will be delayed.
The server name
Common Name or Subject Alternative Name is for example www.company.com or IP-address 18.104.22.168. CN/SAN must be the registered address of the server. In case of a wildcard certificate, CN contains an asterisk, a dot and a domain name owned by your organization (*.domain.com). There are two options for entering a name / names into a server certificate order:
- by creating a Certificate Signing Request with all CN- and SAN-values
- by creating a Certificate Signing Request with none or only one CN/SAN value and entering more values in Telia SSL certificate ordering service.
Forbidden names & IP addresses
The use of internal names has been deprecated. Thus a server name must be a Fully Qualified Domain Name and it must be found in the DNS service. The table below specifies the forbidden values:
|Forbidden CN/SAN value||Example|
|Unregistered top-level domain||.local|
|No domain present||EXCHANGESERVER1|
|Private IP address||10.x.x.x||169.254.x.x||172.16.x.x - 172.31.x.x||192.168.x.x|
A complete list of private addresses is found IETF documents RFC 1918 (IPv4) and RFC 4193 (IPv6)
Minimum private key length is 2048-bit.
Changes in certification hierarchy
The new certification hierarchy, which replaces old Sonera Class 2 CA root certificate, consists of multiple levels as required by CA/Browser Forum Baseline Requirements. During the transition period the root certificate will be Sonera Class 2 CA, followed by TeliaSonera Root CA v1 (intermediate) and server certificates are enrolled under TeliaSonera Server CA v2. TeliaSonera Root CA v1 will replace completely Sonera Class 2 CA by 2019 and the intermediate level will be removed from the trust chain. Until the migration is complete, we recommend installation of three-tier certification hierarchy to the servers.
The trust chain from a root certificate to a server certificate is shown in the table below:
|Certification hierarchy||Root level*||Intermediate level||Enrolling level||Server level|
|Used until 2018 (Still recommended for Java server)||Sonera Class 2 CA →||TeliaSonera Root CA v1 (intermediate) →||TeliaSonera Server CA v2 →||server.com|
|Current recommendation**||TeliaSonera Root CA v1 →||TeliaSonera Server CA v2 →||server.com|
* Installation of a root certificate is not necessary if server application can access the root certificate store of the operating system.
** This hierarchy may cause user security warnings if the users have very old devices or certificate is installed into a Java certificate store.
The necessary root certificates can be downloaded from the links on the table above, from a download page or you can use precompiled root certificate packages found from application-specific instructions in the bottom of this page.
|(CN) Common name||www.company.com /
|Yes||A Fully Qualified Domain Name of the server, or in case of a wildcard certificate an asterisk, a dot and a domain name.|
|(OU) Organizational unit||IT Management||No||The use of this value is not recommended. If this value is used it defines the O value to a greater degree. OU must not contain names or trademarks of other companies.|
|(O) Organization||Oy Yritys Ab||Yes||The official name of the ordering organization. This name has to be exactly same as the name visible in Y-tunnus (Y-code/Finnish Business Identity Code/VAT Number) database.|
|(L) Locality||Helsinki||Yes||The official home municipality for the organization defined in O value. Not the location of the server!|
|(ST) State||-||Not used||This value is not included in certificates issued by Telia Company.|
|(C) Country||FI||Yes||The ISO3166 country code for the organization defined in O value. It has always two letters.|
|No||Email address can be included to display administrative contact details for the users of the service.|
Empty meta-values such as 'unknown', '-' and ' ' are not allowed as CSR values in any property.
If you use scandinavian or other non-ASCII characters in certificate data fields, please use UTF-8 character encoding. For example, in OpenSSL option
-utf8 has to be included when you create a CSR.
FullSSL customers have a limited set of localities which have been validated as official localities for this organization. If an L value contains other than UTF-8 characters, Secure Manager will display an error when CSR is interpreted.
The composition of a registered address
A certificate can be enrolled only for orders with full and registry-matching address details. A registered address is composed of CSR values O, L and C, plus fields Company address and Company post code in the order form. A P.O. Box cannot serve as a registered address, but it can be used as a billing address.
Authorization of use of your organization and domain names to another company
If you wish to delegate certificate enrollment and maintenance to another company, you need to fill in a special authorization form. The form is found from side menu of this page.
Location of data file in Domain Control Validation method
When DCV file validation method is used to confirm domain control, a data file must be placed at a certain location on your web server. An example file name: telia_validation_data_file_20180308
|Control address||An example of entire path|