INSTRUCTIONS - TLS SERVER CERTIFICATE ORDERING FOR TELIA COMPANY GROUP MEMBER COMPANIES





TLS SERVER CERTIFICATES AT TELIA COMPANY




GENERAL



Telia Company Group member companies must use certificates issued by Telia CA whenever applicable. Using our own certificates is cost-efficient.

This page provides instructions on special procedures and frequently occurring misunderstandings when ordering TLS server certificates for Telia Company Group devices.

Telia Company TLS certificates are technically equivalent to TLS certificates from any other CA. They are trusted by all common browsers and operating systems. Details can be found on the TLS FAQ pages. Telia Company TLS certificates are validated according to the international WebTrust standard and the CA/Browser Forum Baseline Requirements.


HOW TO OBTAIN CERTIFICATES



There are three ways of obtaining certificates for use in the Telia IT environment.

  1. The preferred way to obtain certificates for Telia devices is now the self-service portal, used with a TIGA IdM role for issuing certificates on behalf of Telia Company.

    An introduction to the portal and benefits using it:

    • The TIGA role for certificate management is named "Secure Manager Server certificate ordering for Telia".
    • Self-service requires two-factor authentication. Authentication is based on SMS OTP. You must set your mobile number as visible in Workday before ordering this role!
    • After your IdM role has been approved, you will be provided with login information for the self-service portal.
    • A complete self-service process from end to end.
    • Easier for you and for Telia CA personnel.
    • Certificates are available instantly.
    • Telia-owned domains are pre-validated in the service, so there is no need to validate ownership for individual orders.
    • Shortened certificate validity periods necessitate a move to more automated systems for certificate management.
    • No call-backs or chat verifications are needed for certificate delivery.

  2. Another way of obtaining certificates is to use the fully automated ACME service. Please contact cainfo if your servers are ready to use ACME for certificate management. You are required to have the knowledge to install and configure an ACME client on your servers.

  3. If methods one or two are not suitable for you, the old way of ordering single certificates through the webshop is still available at telia.fi/ssl. The main change in the new portal's single order service is the possibility to use all official names of Telia Group companies instead of only Telia Company and Telia Finland.



NEWS

  • As of September 21st, 2023, Telia CA has removed the option for Telia employees to directly revoke certificates using the portal. This was done to prevent anyone from maliciously revoking many certificates and thus causing major harm to Telia services. From now on, Telia employees should order revocations using the link Certificate Revocation Request (telia.com).
  • As of September 1st, 2022, client certificate authentication is no longer supported at the Telia certificate portal. The only available authentication is now SMS OTP.
  • File validation cannot be used for wildcard (*) validations since December 2021.
  • Phone validation is no longer available for any of the Telia footprint Top-Level Domains due to GDPR. Use the phone method only for validating IP addresses.


CSR CREATION INSTRUCTION


  • A CSR (Certificate Signing Request) is a mandatory file, always needed when a certificate is created for the first time. With ACME, and for certificate renewal in the self-service portal, CSR creation is not needed; in the single-order service it is always needed.
  • Though a CSR is a mandatory requirement for an order, it does not have to include all SAN entries and it does not have to be valid. Information can be amended on the certificate editing page, and it is easy to add more SAN values via that page. The certificate editing page and the changes made on it override the entries decoded from the CSR.

Required CSR values in Telia Group certificates



Note! Ordering for Telia Lietuva AS / SIA "Telia Latvija" / Telia Danmark is not currently supported by Telia Certificate Service. Use Telia Company AB for these certificates.

Mandatory fields and their values in Telia Company AB requests (CSR) are:

CN = Registered FQDN of the server, e.g. "server.teliacompany.com"
O = Telia Company AB
L = Solna
C = SE

Mandatory values for Telia Sverige AB requests (CSR) are:

CN = Registered FQDN of the server, e.g. "server.telia.se"
O = Telia Sverige AB
L = Solna
C = SE

Mandatory values for Telia Finland Oyj requests (CSR) are:

CN = Registered FQDN of the server, e.g. "server.telia.fi"
O = Telia Finland Oyj
L = Helsinki
C = FI

Mandatory values for Telia Eesti AS requests (CSR) are:

CN = Registered FQDN of the server, e.g. "server.telia.ee"
O = Telia Eesti AS
L = Tallinn
C = EE

Mandatory values for Telia Finance AB requests (CSR) are:

CN = Registered FQDN of the server, e.g. "server.teliafinance.com"
O = Telia Finance AB
L = Solna
C = SE



Discarded fields in requests (CSR) are:

OU = Organizational Unit of the registered Company. This value is no longer included in Telia Company certificates.
ST = State or province or country of the registered Company. This value is no longer included in Telia Company certificates.
E = Email address of maintenance of the website. This value is no longer included in Telia Company certificates.
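The following script is an added example, not Telia's own tooling: it builds an OpenSSL request configuration from the mandatory values listed above (CN, O, L, C per company, with OU, ST and E left out) and, if the openssl command is installed, generates a key and CSR with it. The function names, file names and sample host names are constructed for this example; the subject values are the ones on this page.

```python
"""Build a CSR that matches the Telia Group CSR rules (added example)."""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Mandatory subject values per company, as listed on this page.
COMPANY_SUBJECT = {
    "Telia Company AB":  {"O": "Telia Company AB",  "L": "Solna",    "C": "SE"},
    "Telia Sverige AB":  {"O": "Telia Sverige AB",  "L": "Solna",    "C": "SE"},
    "Telia Finland Oyj": {"O": "Telia Finland Oyj", "L": "Helsinki", "C": "FI"},
    "Telia Eesti AS":    {"O": "Telia Eesti AS",    "L": "Tallinn",  "C": "EE"},
    "Telia Finance AB":  {"O": "Telia Finance AB",  "L": "Solna",    "C": "SE"},
}

# Fields the CA discards; they are deliberately never written to the request.
DISCARDED_FIELDS = ("OU", "ST", "emailAddress")


def csr_config(company, cn, sans=()):
    """Return openssl.cnf text for a CSR with subject CN/O/L/C and a SAN list.

    The CN is repeated in subjectAltName because browsers match on SAN,
    not on CN; extra SANs can still be added later on the editing page.
    """
    subj = COMPANY_SUBJECT[company]
    names = [cn] + [s for s in sans if s != cn]
    alt = ", ".join(f"DNS:{n}" for n in names)
    lines = [
        "[req]",
        "distinguished_name = dn",
        "req_extensions = ext",
        "prompt = no",
        "",
        "[dn]",
        f"CN = {cn}",
        f"O = {subj['O']}",
        f"L = {subj['L']}",
        f"C = {subj['C']}",
        "",
        "[ext]",
        f"subjectAltName = {alt}",
    ]
    return "\n".join(lines) + "\n"


def generate_csr(company, cn, sans=(), outdir=None):
    """Create a private key and CSR with the openssl CLI (assumed to be on PATH).

    Returns the CSR PEM text, or None when openssl is not installed.
    The key is written unencrypted (-nodes) next to the CSR; protect that file.
    """
    if shutil.which("openssl") is None:
        return None
    outdir = Path(outdir or tempfile.mkdtemp())
    cfg = outdir / "req.cnf"
    cfg.write_text(csr_config(company, cn, sans))
    key = outdir / f"{cn}.key"
    csr = outdir / f"{cn}.csr"
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", "rsa:3072", "-nodes",
         "-keyout", str(key), "-out", str(csr), "-config", str(cfg)],
        check=True, capture_output=True,
    )
    return csr.read_text()


def csr_subject(csr_pem):
    """Return the subject line as openssl prints it, for a pre-order check."""
    out = subprocess.run(
        ["openssl", "req", "-noout", "-subject"],
        input=csr_pem, text=True, check=True, capture_output=True,
    ).stdout
    return out.strip()


if __name__ == "__main__":
    # Constructed sample order: one Finnish server with an extra SAN.
    print(csr_config("Telia Finland Oyj", "server.telia.fi", ["www.telia.fi"]))
    pem = generate_csr("Telia Finland Oyj", "server.telia.fi", ["www.telia.fi"])
    if pem:
        print(csr_subject(pem))
```

Before uploading, check the subject line printed by csr_subject: it should contain only CN, O, L and C with the values for the chosen company. If you already have a CSR from another tool, the same openssl req -noout -subject command shows whether OU, ST or an email address slipped in.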


VALIDATION INSTRUCTIONS


Sometimes you may have to choose a validation method for a domain. Common Telia domains are already validated by earlier orders, but if a domain is rarely used or completely new, a domain control validation (DCV) has to be done to confirm domain control for Telia. All validations are currently valid for two years.

There are four methods of DCV available:

Method: email
  Use cases: No public access to the server / standard or WHOIS addresses work for the domain.
  Description: Email validation is done by CA personnel with the certificate portal. The portal is used to send an email to the so-called standard or WHOIS addresses for the domain. Email cannot be sent to any other addresses. Standard addresses are defined by RFC and are of the form webmaster@, postmaster@, admin@ etc. WHOIS addresses are the addresses present in the WHOIS service for the domain in question. In the case of Telia, those TLDs which show WHOIS addresses to the public network (for example .com, .net, .fi) usually have the address dns@telia.net listed. Please use this address if possible when you have to do an email validation for a Telia domain. The TLDs .se and .ee are among those which do not show email addresses due to privacy legislation, so this method is not recommended for them.

Method: dns
  Use cases: No public access to the server / someone is available to make the DNS change.
  Description: DNS validation is done using the DNS service. CA personnel deliver a small string, which needs to be placed in a DNS TXT record for the domain in question. The certificate portal checks for the existence of the DNS record, and the domain is validated when a matching record is found. This is suitable for all domains, but it is slow because DNS records update slowly. Currently the Telia DNS system does not support the API required by automated ACME DNS-challenge validation. Manual DNS validation is also possible with ACME and works with Telia domains.

Method: file
  Use cases: Requires access to the server from the public network / fast and simple.
  Description: File validation is done by placing a small file on the server in question. CA personnel deliver the file via email to the orderer. The certificate portal checks for the existence of the file on the server, and the domain is validated when a matching file is found. Since the Telia Domain Validator runs on a level 0 network, the file method will not work for level 1, 2 or 3 networks, firewalled DDC or other internal networks.

Method: phone
  Use cases: Requires an up-to-date phone number in the IP registry / no public access to the server / not available for domains, recommended only for IP address certificates.
  Description: Telia CA personnel call the number present in the IP registry records for the IP address. The person who answers must have some knowledge of the IP range and must be authorized to approve use of the IP address for certificate issuing by Telia. This method no longer works with domains due to GDPR.


INSTRUCTIONS SPECIFIC TO SINGLE ORDER CERTIFICATE ORDERING



Company registration details for Swedish Telia companies, Telia Company AB as an example:

The easy way to enter correct company information:

  1. Type "Telia Company AB" in field Company name
  2. Click "Fill". All other fields are automatically filled with correct information.
Identity Code: 5561034249
Company name: Telia Company AB
Company address: Stjärntorget 1
Company postal code: 16979
City: Solna
Phone number (listed): +46850455000

Company registration details for Telia Finland Oyj:

  1. Type "Telia Finland Oyj" in field Company name
  2. Click "Fill". All other fields are automatically filled with correct information.
Identity Code: 1475607-9
Company name: Telia Finland Oyj
Company address: Pasilan Asema-aukio 1
Company postal code: 00520
City: Helsinki
Phone number (listed): 020401

Contact persons in single certificate orders:

  • Please make sure the contact person information is exactly the same as the information for that person in TCAD (Telia personnel directory), as Telia Company CA personnel will check this information and the administrative person will receive a call or a chat.
  • External users (e.g. consultants) cannot be administrative contact persons, only technical ones. If the technical person is external, the administrative person will receive a call.
  • To ensure prompt delivery of a certificate, please use Telia Company personnel in both fields.
  • If you must use an external person as the technical contact, make sure that the administrative person knows about the certificate order. Ordering a certificate with an administrative person who does not understand what certificates are may cause delays in delivery.


GENERAL INSTRUCTIONS

    • Certificate types: Telia Certificate Service offers three certificate types for Telia organizations in the self-service portal. The types are:
      OV (Telia Server CA v3)
        Features: Default type, and the only one available from the single-order service.
        Recommended: Yes
      DV (Telia Domain Validation CA v3)
        Features: Another publicly trusted certificate type; works like OV, but does not identify the site as a Telia site.
        Recommended: No
      Local (Telia Group Server CA v1)
        Features: No public trust. Only for cases where a public certificate cannot be used or a long validity is needed.
        Recommended: No
    • Customer domains: Do not use Telia Company-related organizations for creating certificates for customer-owned domains! If you need a certificate for a device with a customer-owned domain, please use the single order service with the customer company's details. If you need to obtain large numbers of certificates for customers, as Telia Inmics-Nebula and Ipeer webhotel services do, please contact cainfo@telia.fi. A pseudo organization is the solution for services which need certificates for devices other than Telia's and use customer domains.

    • Telia Company subsidiaries: Subsidiaries and country companies can use a) their own company names and head office locations or b) Telia Company AB details. Telia Finland Oyj must use its own name.

    • Invoicing information: Certificates are free for Telia Group country companies with Telia Company ownership of more than 50%. Telia Group subsidiaries need to provide invoicing information.

    • E-mail addresses of maintenance: if possible, please use something other than your personal email address, e.g. a team address, a mailing list or a service request address. This improves the chances of the expiration message reaching the right people after personnel changes. Note: the E value in the CSR is no longer used for anything and will not appear in the certificate. The only emails stored are the ones you give in the order form for maintenance/admin/tech or in the self-service portal maintenance box.

    • Wide-coverage wildcard certificates: We do not recommend using very wide coverage wildcard certificates like *.teliacompany.com. Some Telia domains, like telia.fi, have CAA records in place as a technical measure to prevent issuance of too wide wildcard certificates. Use multi-name certificates for each server instead, or if your service has its own subdomain, use a wildcard at subdomain level. Example: *.subdomain.teliacompany.com

    • Use of internal names: The use of internal DNS suffixes and private IP addresses with TLS has been deprecated completely by CA/Browser Forum. Telia CA will not issue publicly trusted certificates for private addresses and private DNS suffixes. So be sure that your domain name contains a fully qualified DNS suffix or a public IP address before ordering a certificate.

      Examples:

      • .teliacompany.net is qualified, but telia.local is not
      • IP addresses beginning with, for example, 10. or 192.168. are not valid for certificates containing IP addresses in their subject. But it is possible to order a certificate with a DNS name in its subject for these devices if the name resolves in public DNS.
      • It is not possible to order server certificates for names without any suffix, e.g. SEHAN12345WEB

    • Private certificates from Telia Certificate Service:
      • Telia Certificate Service has an unaudited private CA called Telia Group Root CA v1 for Telia Company internal use.
      • It is possible to get certificates without public trust in browsers using any name, including unqualified domain names and private IPs.
      • Validity times longer than a year are also possible.
      • The root and intermediate certificates of this CA are distributed to Telia workstations, so this CA is trusted by default at least in the company-approved browser Edge.
      • Contact cainfo@telia.fi if you need these certificates. They are also available immediately via the portal from the certificate type menu using the selection Telia Local certificate.
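The pre-order check below is an added example, not part of this page's or Telia CA's own tooling. It applies the rules from the "Use of internal names" and "Wide-coverage wildcard certificates" items to a list of requested names before they are put into a CSR: private or otherwise non-public IP literals, names without a suffix, and the .local suffix are rejected as ineligible for a publicly trusted certificate (a Telia Local certificate would be the alternative), and a wildcard directly under the registered domain is flagged as not recommended. The function names and the sample inputs are constructed; the suffix list and the "three labels means too wide" rule are assumptions made here, so extend them for domains with two-label public suffixes.

```python
"""Lint requested certificate names against the public-certificate rules (added example)."""
import ipaddress
import re

# DNS suffixes that never get a publicly trusted certificate (assumed list; .local is the page's example).
INTERNAL_SUFFIXES = (".local",)

# A FQDN, optionally with a leading "*." wildcard label; IP literals are handled separately.
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$")


def check_name(name):
    """Classify one subject/SAN name; returns (status, reason) with status ok/warn/reject."""
    # IP address literal: only globally routable addresses are eligible (and use phone validation).
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            return "reject", f"{name}: private or non-public IP address; order a DNS name or a Telia Local certificate"
        return "ok", f"{name}: public IP address (phone validation applies)"

    lower = name.lower().rstrip(".")
    if "." not in lower:
        return "reject", f"{name}: bare host name without a DNS suffix"
    if any(lower.endswith(s) for s in INTERNAL_SUFFIXES):
        return "reject", f"{name}: internal DNS suffix, not publicly trusted"
    if not HOSTNAME_RE.match(lower):
        return "reject", f"{name}: not a valid fully qualified DNS name"
    if lower.startswith("*."):
        # "*.example.com" has three labels: wildcard directly under the registered domain.
        # Assumption: three labels is the "too wide" case; adjust for two-label public suffixes.
        if len(lower.split(".")) <= 3:
            return "warn", f"{name}: wildcard at registered-domain level is not recommended and may be blocked by CAA"
    return "ok", f"{name}: eligible for a publicly trusted certificate"


def lint_order(names):
    """Check every requested name; returns {name: (status, reason)}."""
    return {n: check_name(n) for n in names}


def order_is_clean(names):
    """True when no requested name is rejected (warnings alone do not block)."""
    return all(status != "reject" for status, _ in lint_order(names).values())


if __name__ == "__main__":
    # Constructed sample order mixing eligible and ineligible names from the examples above.
    sample = ["server.teliacompany.net", "telia.local", "10.1.2.3",
              "SEHAN12345WEB", "*.teliacompany.com", "*.subdomain.teliacompany.com"]
    for status, reason in lint_order(sample).values():
        print(f"[{status}] {reason}")
```

Run it on the full SAN list of a planned order; anything reported as reject needs either a public DNS name that resolves for the device or a Telia Local certificate, and a warn on a wildcard is the cue to move the wildcard down to the service's own subdomain.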

    Generic instructions on server certificate ordering are here.
