WELCOME TO THE SUPPORT SITE OF TELIA CERTIFICATE SERVICE

Telia offers certificate services in the following countries:

  • Sweden
  • Finland
  • Norway
  • Estonia
  • Lithuania
  • Denmark

NEWS


Information about changes and new features in global PKI in Telia Certificate Authority:

  1. TLS certificate validity time, domain validation reuse time and identity validation reuse will be gradually shortened in three phases.
  2. Telia CA TLS certificate billing is changing to “pay-per-use model”
  3. ClientAuth bit will be prohibited from TLS certificates
  4. Telia CA enrolls new issuing CAs for TLS certificates (both OV and DV)
  5. Telia CA’s new PKI hierarchy root CAs “v3” for all certificate use cases
  6. Telia CA ACME supports Account Renewal Information (ACME ARI)
  7. Telia CA Portal GUI is renewed
  8. New persistent domain control validation methods for DNS names and IP addresses
  9. Automate TLS certificate management with Telia CA

1. TLS certificate validity time, domain validation reuse time and identity validation reuse will be gradually shortened in three phases

The CA/Browser Forum Baseline Requirements for TLS certificates are shortening the maximum validity period of publicly trusted TLS certificates, together with the reuse periods of the associated domain validation and organization (identity) data.

The schedule for the shortening is as follows:

                        Now    03/2026     03/2027     03/2029
Certificate validity    398d   200d (6m)   100d (3m)   47d (1m)
Domain validity         398d   200d (6m)   100d (3m)   10d
Organization validity   825d   398d        398d        398d

In practice Telia CA will use certificate validity and data reuse times a few days shorter than these maximums, so that renewals are completed within the allowed validity periods.

The change in certificate validity periods is very significant and affects all TLS certificate issuers in the world in the same way. The certificate community aims to increase Internet security with it. At the same time, everyone is encouraged to move towards automation (e.g. ACME).

As an alternative, Telia CA encourages customers to consider transitioning to a private PKI in cases where publicly trusted TLS certificates are not required. Private PKI certificates may have longer validity periods and are not subject to Domain Control Validation or Subject Identity Validation, which gives more flexibility while still providing the security needed for TLS use cases.

Telia CA provides a Managed / Private PKI service where customers may host their PKI securely on Telia’s audited infrastructure while enjoying the added flexibility of a private PKI for internal TLS protection. With a private PKI the organization itself must distribute the trust anchor within its internal infrastructure; once distributed, it works the same way as publicly trusted TLS PKI through operating systems and/or browsers.

In cases where publicly trusted TLS certificates are needed, Telia CA will provide new domain control validation methods allowed by the CA/Browser Forum to mitigate the impact of the shorter certificate validity times. Further details are available below.

The impact of the shorter identity validation reuse period (O/L data) is minimal because of Telia CA’s automated processes: Telia updates the O/L values on behalf of the customer.

2. Telia CA TLS certificate billing is changing to “pay-per-use model”

Telia ceases offering prepaid TLS certificates. The new pay-per-use model is flexible and based on the following principles:

  • Unique DNS names and IP addresses in the SANs of active TLS certificates are counted daily.
  • A wildcard name, a fully qualified domain name and an IP address each have a daily price close to the current annual price / 365.
  • The aggregated sum of active unique SANs is used in Telia’s monthly customer invoicing.
  • Customers are invoiced by Telia according to the agreed intervals. Invoice reports detail all unique SANs for verification; the invoice itself carries only the sum of the daily counts and partial information.

The pay-per-use model has many benefits compared to the prepaid model:

  • Only unique SAN names are counted. All copies of a SAN name are free of charge.
  • Certificates may be changed at any time without additional cost. Only used days are charged.
  • At the end of the month all daily SAN counts are aggregated into a monthly bill that is delivered and paid through normal Telia billing.
  • Revoking a certificate ends charging for it.
  • When renewing a certificate, the remaining days of the old certificate are not lost.

Example: if you create a wildcard certificate on the first day of a calendar year, by the end of the year it has generated 365 * daily price, which is about the same as the traditional prepaid model. If you create a copy of the wildcard certificate during the year, it has no effect on pricing.
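The counting rules above as a worked example. This is added here and is not Telia's billing code; the certificates, dates and price are constructed, and notAfter is treated as an exclusive day boundary to keep the arithmetic simple.

```python
"""Pay-per-use SAN counting, a worked example added here (not Telia's billing code).
Unique SAN names in active certificates are counted once per day, copies are free,
revocation ends charging; the bill is daily counts times the daily price.
All certificates, dates and prices are constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ANNUAL_PRICE = 365.0              # constructed price, giving a daily price of 1.00
DAILY_PRICE = ANNUAL_PRICE / 365  # the page: daily cost close to annual_price/365

@dataclass
class Cert:
    sans: frozenset               # DNS names / IP addresses from the SAN extension
    not_before: date
    not_after: date               # treated as exclusive to keep the day arithmetic simple
    revoked: Optional[date] = None

    def active_on(self, day: date) -> bool:
        """Charging stops at notAfter or at revocation, whichever comes first."""
        end = min(self.not_after, self.revoked) if self.revoked else self.not_after
        return self.not_before <= day < end

def unique_sans_on(certs, day: date) -> set:
    """A name is counted once per day however many certificates carry it."""
    names = set()
    for cert in certs:
        if cert.active_on(day):
            names |= cert.sans
    return names

def monthly_bill(certs, year: int, month: int):
    """Return (name-days, amount) for one calendar month."""
    day = date(year, month, 1)
    end = date(year + (month == 12), month % 12 + 1, 1)
    name_days = 0
    while day < end:
        name_days += len(unique_sans_on(certs, day))
        day += timedelta(days=1)
    return name_days, round(name_days * DAILY_PRICE, 2)

# Constructed sample for January 2026.
SAMPLE_CERTS = [
    Cert(frozenset({"*.example.com"}), date(2026, 1, 1), date(2026, 4, 1)),
    Cert(frozenset({"*.example.com"}), date(2026, 1, 10), date(2026, 4, 1)),    # copy: free
    Cert(frozenset({"www.example.com", "*.example.com"}), date(2026, 1, 1),
         date(2026, 2, 1), revoked=date(2026, 1, 16)),                         # www: 15 days
    Cert(frozenset({"api.example.com"}), date(2026, 1, 1), date(2026, 2, 17)), # 47-day cert
    Cert(frozenset({"api.example.com"}), date(2026, 1, 20), date(2026, 3, 8)), # early renewal
]
```

For January the sample yields 77 name-days (31 for the wildcard, 15 for www, 31 for api): the wildcard copy and the overlapping api renewal add nothing.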

3. ClientAuth bit will be prohibited from TLS certificates

Previously all TLS certificates included two Extended Key Usage (EKU) values: serverAuth and clientAuth. New TLS certificates under the Telia v4 issuing CAs have only the serverAuth EKU. This means that the same server certificate can no longer be used as the client certificate in mutual TLS. If a server must also authenticate itself as a TLS client (mutual TLS), a separate client certificate must be configured for it.

To help customers request clientAuth certificates in the Certificate Manager Portal, Telia CA introduces a new certificate type in the Server certificate menu (“ClientAuth”). The ClientAuth certificate type supports the mutual TLS use case for client authentication, but it is not a valid server certificate. ClientAuth certificates will be valid for three years.

4. Telia CA enrolls new issuing CAs for TLS certificates (both OV and DV)

Telia will migrate to a new issuing CA generation, “v4”. The new generation is needed to fulfill the latest CA/Browser Forum requirements (multipurpose roots are no longer allowed, and TLS certificates can’t include the “clientAuth” EKU). The v4 generation is available in parallel with the current v3 generation at least until spring 2026.

The new “v4” generation has two essential changes: 1) the “clientAuth” EKU is removed from TLS certificates, and 2) it has a new CA hierarchy. Customers must install the new three-tier CA chain when new certificates are installed on servers. At first the new hierarchy is based on the old root “Telia Root CA v2”, but eventually (approximately 2028), once the new Telia root is accepted by all root programs, the hierarchy will be re-rooted to “Telia RSA/EC Root CA v3”.

5. Telia CA’s new root CAs “v3” for all certificate use cases

Telia will migrate to a new root CA generation, “v3”. The new generation is needed to fulfill the latest CA/Browser Forum requirements (multipurpose roots are no longer allowed). The “v3” root generation is available in parallel with the current “v2” root generation for several years. Eventually (when forced by the browsers) only the v3 root generation will be available.

Note! Chrome/Google has published new plans that will require CA hierarchies to be updated at 6-month intervals. CA customers must therefore adapt to updating the CA hierarchy for all new certificates; ACME manages this automatically. The root CA cycle will also be much shorter in the future.

6. Telia CA ACME supports Account Renewal Information (ACME ARI)

With ARI, the ACME server (CA) can suggest a renewal window to ACME clients. The CA needs this option when, for example, a newly found vulnerability requires certificates to be renewed sooner than the ACME client was originally configured to do.

Customers are encouraged to use ACME clients that support ARI.
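The client side of ARI as an added example (not Telia's code, nor any particular ACME client's): it builds the certificate identifier sent to the renewalInfo endpoint, reads a constructed renewalInfo response and decides whether to renew now, falling back to a fixed schedule when the CA offers no ARI. The JSON shape follows the ACME ARI specification (draft-ietf-acme-ari); the dates, key identifier, serial and URL are assumptions.

```python
"""ACME ARI renewal decision, a worked example added here (not Telia's or any ACME
client's code). The renewalInfo JSON shape follows the ACME ARI specification
(draft-ietf-acme-ari); the sample response, dates and URL are constructed."""
import base64
import random
from datetime import datetime
from typing import Optional

# Constructed sample of what a CA's renewalInfo resource may return.
SAMPLE_ARI = {
    "suggestedWindow": {"start": "2026-04-10T00:00:00Z", "end": "2026-04-12T00:00:00Z"},
    "explanationURL": "https://example.invalid/why-renew-early",  # placeholder
}

def parse_rfc3339(value: str) -> datetime:
    """ARI timestamps are RFC 3339; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """Identifier the client sends to the renewalInfo endpoint:
    base64url(AKI keyIdentifier) + "." + base64url(serial as DER INTEGER content bytes)."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    length = (serial.bit_length() + 8) // 8  # extra 0x00 byte when the top bit is set
    return b64(aki_key_identifier) + "." + b64(serial.to_bytes(length, "big"))

def default_renew_at(not_before: datetime, not_after: datetime) -> datetime:
    """Fallback without ARI: renew at 2/3 of the lifetime (about day 31 of a 47-day cert)."""
    return not_before + (not_after - not_before) * 2 / 3

def should_renew(ari: Optional[dict], not_before: datetime, not_after: datetime,
                 now: datetime, rng: Optional[random.Random] = None) -> bool:
    """Pick a uniformly random instant in the suggested window, as the ARI
    specification directs; if it is already in the past, renew now. A window
    the CA has moved into the past (e.g. after a vulnerability) therefore
    forces immediate renewal, and a missing ARI falls back to the fixed schedule."""
    if ari is None:
        return now >= default_renew_at(not_before, not_after)
    window = ari["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= now:
        return True
    chosen = start + (end - start) * (rng or random).random()
    return chosen <= now
```

A real client re-reads renewalInfo at the interval the server's Retry-After header gives, so a window the CA pulls forward is acted on at the next poll.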

7. Telia CA Portal GUI is renewed

Telia is improving the Graphical User Interface (GUI) of Certificate Portal soon. Planned release date is 2025-12-15. Same functionality is still in Portal, but menu structure and visual appearance are enhanced.

8. New persistent domain control validation methods for DNS names and IP addresses

Telia will implement new persistent domain and IP address validation methods in Q1/2026. The new methods let customers authorize Telia CA to perform automated domain control validation using persistent records in the Domain Name System (DNS). Authorization is configured by adding a specific DNS TXT record to the domain. Authorization levels are controlled by the domain owner and may be set separately at different levels of the domain hierarchy, restricting the domain to specific entities (company group, company, portal group, portal user, ACME user).

Persistent domain control validation methods mitigate the challenge of the shorter domain validation reuse period compared with the existing methods: migrating to persistent methods removes the need to update DNS records with CA-provided random codes for every validation. A persistent authorization stays valid until it is removed from the domain. The customer / domain owner keeps full control over how domains are authorized; each domain and each CA must be authorized separately. The security of the new method is equivalent to the other DNS-based methods. Further details will be provided when the new methods are made available by Telia CA in Q1/2026.

9. Automate TLS certificate management with Telia CA

Telia CA’s Automated Certificate Management Environment (ACME) service may be used by Customer to automate certificate lifecycle management. In ACME customers have ACME client software that is configured to communicate with CA’s ACME server. All Telia Certificate Management Portal customers have ACME available to configure ACME credentials without additional requests or costs.

With proper ACME client configuration server certificate is automatically maintained without need to update certificate manually. Any ACME client supporting External Account Binding (EAB) may be used with Telia CA’s ACME. Some examples are Certbot, Lego and Win-ACME.

Main features of Telia’s ACME:

  • Both DV and OV certificates are available
  • ACME can be used with pre-validated domains managed in the Telia Certificate Management Portal. ACME credentials may be configured to use pre-validated domains, so no separate per-request HTTP-01 or DNS-01 validation is needed.
  • ACME will be enabled for the upcoming persistent domain validation methods.
  • ACME validation methods DNS-01 and HTTP-01 are also available to be used.