This page describes in detailed manner the steps needed when ordering and installing a Telia Company SSL Certificate into a server running Java applications.
TELIA ROOT CERTIFICATE AND JAVA
Telia's root certificate TeliaSonera Root CA v1 is automatically supported in Java versions from Java 7 build 181 and Java 8 build 171. If you use an older Java version, you must manually install Telia root certificate to cacerts
certificate store of Java.
In April 2021 root certificate Sonera Class 2 will expire and certification chains ending to that root certificate will cease to function. After this, only those versions of Java, which support TeliaSonera Root CA v1, will operate normally when installed with default certification support.
PHASES OF CERTIFICATE ORDERING AND INSTALLATION
PHASE 1 CREATION OF A CERTIFICATE STORE AND A CSR FILE USING
keytool command is found from directory
$JAVA_HOME/java/bin, if it is not present in system-wide path
- Create a new certificate store with this command:
keytool -genkey -alias yourdomain -keyalg RSA -keysize 2048 -keystore keystore.jks. "yourdomain" is the domain name that is being certified. If you are planning to purchase a wildcard certificate, make sure that there is no * character in the filename. Also note that when keytool prompts for first name and last name, these are not your name, but the domain name which is going to be protected
- Next generate the CSR file with following command:
keytool -certreq -alias yourdomain -keyalg RSA -file yourdomain.csr -keystore keystore.jks
- After you have finished creation of the CSR file, click Buy now on the left
PHASE 2 DOWNLOAD OF THE CERTIFICATES IN CERTIFICATION CHAIN
- Option 1 - Organization Validated (OV): After your SSL certificate has been delivered, you will find the necessary CA certificates TeliaSonera Root CA v1 and TeliaSonera Server CA v2 from certificate download page. If you used Secure Manager for certificate enrollment, download the certificates from this page. When using a modern Java, only TeliaSonera Server CA v2 is needed.
- Option2 - Domain Validated (DV): After your SSL certificate has been delivered, you will find the necessary CA certificates TeliaSonera Root CA v1 and Telia Domain Validation CA v2 from certificate download page. If you used Secure Manager for certificate enrollment, download the certificates from this page. When using a modern Java, only Telia Domain Validation CA v2 is needed.
PHASE 3 TRANSFER OF THE CERTIFICATES
- Please transfer all certificates to the Java server
PHASE 4 IMPORT CA CERTIFICATES INTO CACERTS CERTIFICATE STORE USING
- The default write password for cacerts is 'changeit'
- Import root certificate using command:
keytool -import -trustcacerts -file /path/to/ca/ts_root_ca.pem -alias TS_rootCAv1 -keystore keystore.jks
- Import intermediate certificate using command:
keytool -import -trustcacerts -file /path/to/ca/ts_server_ca.pem -alias TS_serverCAv2 -keystore keystore.jks
PHASE 5 IMPORT YOUR SSL CERTIFICATE INTO THE EXISTING CERTIFICATE STORE
- An SSL certificate requires an own certificate store. cacerts is only for CA certificates
- Import your SSL certificate using command:
keytool -import -alias yourdomain -file mydomain.crt -keystore keystore.jks. Note! The alias must be same as it was when the keystore for your SSL certificate was created