Onion TLS/SSL certificate updates

Streamlining verification for Onion sites.

By Mike on 26th Mar 2018


EV certificates verify websites: they're useful in any situation where web users need to know who they're communicating with, but they're especially useful for onion sites, whose names are a base32 representation of a public key, like swursuzpievjanml.onion. As a result, EV certificates are the only type used for onions. Even a vanity prefix can be generated by anyone who wants that prefix, just with a different set of trailing characters, so having something that ties a site to a company, charity, individual sole trader, or other legal entity is useful.

We've recently made a few changes to how we handle certificates that include .onion names, and they're worth discussing here:

Wildcards allowed for onion certs throughout CertSimple

Unlike regular EV certs, where every domain has to be reviewed by a human and so wildcards aren't permitted, onion EV certs allow wildcards. Previously customers had to email us about onion wildcards and we'd add them to the certificate manually; our ordering and certificate management platform has now been updated to accept wildcards on any .onion site.

No need to specify full pubkey for current gen onions

Older generation onion sites used SHA1 as their hashing scheme. SHA1 is now widely considered broken, so part of the mitigation was including a full copy of the pubkey inside the cert itself, preventing the cert from being used for another site via a SHA1 collision. Customers using older generation sites had to email us the site's full pubkey separately from applying for the cert.

New generation onion sites, like Ablative, don't use SHA1, so the extra field isn't required. While we recommend current gen onion names, we still support previous gen onions if you need them.
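To make the difference between the two generations concrete, here is an added example (not CertSimple's code) of how an onion name is derived from its key, and the check a CA or site operator can run to confirm that a submitted pubkey really belongs to a claimed name. It assumes the published Tor address formats: old-generation names are the first 80 bits of SHA1 over the DER-encoded RSA public key in base32, and current-generation names embed the 32-byte ed25519 key itself plus a SHA3-256 checksum and version byte, which is why no separate pubkey needs to be sent in. The sample keys are constructed, not from any real service.

```python
import base64
import hashlib

# Constructed sample inputs (not real services): b"abc" stands in for the DER
# RSA pubkey an old-gen site sent separately; the 32 bytes for a v3 ed25519 key.
SAMPLE_V2_DER_PUBKEY = b"abc"
SAMPLE_V3_PUBKEY = bytes(range(32))
V3_VERSION = b"\x03"

def _label(name: str) -> str:
    name = name.strip().lower()
    return name[:-6] if name.endswith(".onion") else name

def v2_onion_name(der_pubkey: bytes) -> str:
    """Old-gen name: first 80 bits of SHA1(DER pubkey), base32, 16 chars."""
    digest = hashlib.sha1(der_pubkey).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"

def _v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]

def v3_onion_name(pubkey: bytes) -> str:
    """Current-gen name: base32(pubkey || checksum || version), 56 chars."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def v3_pubkey_from_name(name: str):
    """Recover the key embedded in a v3 name; None if checksum or version is wrong."""
    label = _label(name)
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:  # binascii.Error (bad base32) subclasses ValueError
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != _v3_checksum(pubkey):
        return None
    return pubkey

def pubkey_matches_onion(name: str, pubkey: bytes) -> bool:
    """CA-side check: does the submitted key really derive the claimed name?"""
    label = _label(name)
    if len(label) == 16:
        return v2_onion_name(pubkey) == label + ".onion"
    if len(label) == 56:
        return v3_pubkey_from_name(label) == pubkey
    return False
```

For an old-gen name the check has to hash whatever key the customer sent; for a current-gen name the key is recovered from the name itself and only the checksum and version need to be validated.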

No 2 year option for certs including onion sites

When any onion domains are detected in a new EV cert order, the UI restricts the certificate lifetime to one year, as .onion certificates have a maximum lifetime of one year.

That's all for now

We'll be rolling out further onion changes soon. We're always interested in feedback from the community and in new ways we can improve the verification process, so please let us know your thoughts.

Mike MacCana, founder at CertSimple.

CertSimple makes EV HTTPS fast and painless.

An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.