CA VALIDATION OF DOMAIN NAMES

Server certificate domain name validation changed in 2018. The current validation methods are described below. The user chooses the preferred method via “Request domains” in the certificate portal or during the single certificate order flow. After the actual validation there may be a delay of up to one hour before the domain is visible in the Telia certificate portal.

DNS method
The customer or the DNS operator must add the validation string as a TXT record of the domain in the DNS service, using the normal DNS maintenance process. The customer administrator can either copy the string directly from the portal or send an email with the instructions to the DNS operator. In the case of a single order, the data must be sent by email to DNS maintenance. The Telia Certificate service polls the TXT record regularly. In the portal case, once the string is visible in DNS the domain name is authorized for use in the Telia certificate portal. In the single order case the domain appears as validated to the Telia delivery team, who then proceed with handling the order. Please note:

  • It may take several hours before the DNS change is visible
  • Do not place the string on your web server
  • Choose this method if your device is not reachable from the public Internet
  • The DNS method cannot be used for validation of IP addresses

File method
The customer must add the validation string as a file, with a .txt extension or no extension at all, under a specific path on a web server that is configured to serve the requested domain name. The customer administrator can either copy the string directly from the portal or send it by email to the administrator of the server. In the case of a single order, the data must be sent by email to server maintenance. The Telia Certificate service polls the website regularly. In the portal case, once the file is available the domain name is authorized for use in the Telia certificate portal. In the single order case the domain appears as validated to the Telia delivery team, who then proceed with handling the order.

Please note that your server must be running and reachable from the public Internet when using the file method.

Below are examples for the Telia-provided validation file telia_validation_data_file_20180308:

  Linux
    Validation address:           www.yritys.fi/.well-known/pki-validation/telia_validation_data_file_20180308
    Example path in file system:  /var/www/html/.well-known/pki-validation/telia_validation_data_file_20180308

  Windows
    Validation address:           www.yritys.fi/.well-known/pki-validation/telia_validation_data_file_20180308
    Example path in file system:  C:\well-known\pki-validation\telia_validation_data_file_20180308

It is not possible to include a dot (.) in a path in Windows. When using IIS, add a virtual directory by right-clicking the name of your server and choosing Add Virtual Directory. Set the alias to .well-known and enter C:\well-known\pki-validation in the Physical path box.
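As an added example (not Telia's code), the following Python helpers let a customer self-check the DNS and file methods before the CA polls: they build the polled URL and the local file path for the file method, compare a served file body with the validation string, and check the TXT records of a domain (parsed from dig output) for the DNS method. The validation string and file name are assumed to come from the portal, plain HTTP is assumed for the URL, and the sample values are constructed.

```python
"""Self-check for Telia's DNS and file validation methods before the CA polls.
Added example, not Telia's own code. Assumes the validation string and file
name are the ones shown in the certificate portal; sample values below are
constructed for illustration.
"""
import urllib.request

PKI_PATH = "/.well-known/pki-validation/"

def validation_url(domain, filename):
    """URL the CA polls in the file method. Plain HTTP is assumed here;
    the portal example gives the address without a scheme."""
    return "http://" + domain + PKI_PATH + filename

def local_path(filename, windows=False, webroot="/var/www/html"):
    """Where the file must be placed: under the web root on Linux, or in the
    dot-less directory that the IIS virtual directory '.well-known' maps to."""
    if windows:
        return "C:\\well-known\\pki-validation\\" + filename
    return webroot + PKI_PATH + filename

def check_file_body(body, expected):
    """File method: the served body must be exactly the validation string.
    A trailing newline is tolerated; an HTML error page or extra text fails."""
    return body.strip() == expected.strip()

def parse_dig_txt(output):
    """Turn 'dig +short TXT <domain>' output into a list of record strings.
    dig prints one TXT record per line; records over 255 bytes appear as
    several quoted chunks on that line and are concatenated here."""
    records = []
    for line in output.splitlines():
        if line.strip():
            chunks = line.strip().split('" "')
            records.append("".join(c.strip('"') for c in chunks))
    return records

def check_txt_records(records, expected):
    """DNS method: at least one TXT record of the domain must equal the string."""
    return any(r == expected for r in records)

def fetch_body(url, timeout=10):
    """Live fetch for the file method; returns the body, or None on any error
    (DNS failure, connection refused, HTTP error) so the caller can report it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except OSError:
        return None
```

For a live check of the file method, pass `validation_url(domain, filename)` to `fetch_body` and feed the result to `check_file_body`; for the DNS method, feed the output of `dig +short TXT <domain>` to `parse_dig_txt` and then `check_txt_records`.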

Email method
The certificate applicant sends an email via the Telia Certificate service to the email addresses listed in the WHOIS service and/or to the standard addresses 'admin@', 'administrator@', 'webmaster@', 'hostmaster@' or 'postmaster@' followed by the domain name in question. Any one of the recipients must click the link in the message and authorize the domain to the Applicant. After successful validation the domain name is available to the applicant in the Telia certificate portal, or, in the case of a single order, handling proceeds to the next step. Before using this method, check that the mailboxes for the addresses mentioned exist and that you have access to them.

Phone method
In this validation method Telia may use only the contact phone numbers shown in the domain register. The customer has to check that the WHOIS service (e.g. whois.net) shows the correct contact phone number for the domain, and that the person answering this number has the authority to say "yes" when Telia calls and asks whether the Applicant is authorized to use the domain in server certificates. After the call the domain appears as available in the certificate portal, or, in the case of a single order, handling proceeds to the next step. Note! Domain registrars have removed all telephone numbers from .com, .org and .net domains because of GDPR, so this method is not available for those domains.




Suitability of the methods
Some methods are better suited to validating a single DNS name such as webshop.company.com, and some to validating an entire network domain such as .company.com.

After validation of the entire domain it is possible to order certificates from Telia for all DNS names in that domain for a period of two without the need for further validation. Validation of the entire domain is recommended, but it is not always possible because of missing WHOIS information or the privacy policies of certain domain registries. In these cases the file and DNS methods, which do not depend on domain registry data, are the recommended methods.

The table below lists the recommended use of each validation method:

  Validation method   A single DNS name   Entire domain      IP address
  DNS                 Recommended         Recommended        Not available
  File                Recommended         Not recommended    Recommended
  Email               Not recommended     Recommended        Recommended
  Telephone           Not recommended     Recommended        Recommended