Onion TLS/SSL certificate updates

Streamlining verification for Onion sites.

July 12, 2021
We're Expedited Security. We help SAAS applications prevent and recover from attack, overcome regulatory or integration security requirements or just stop "weird" traffic before it becomes a problem.

Onion TLS/SSL certificate updates

EV certificates verify websites: they're useful in any situation where web users need to know who they're communicating with, but they're especially useful for onion sites, which use names that are a base32 representation of a public key like swursuzpievjanml.onion - as a result, EV certificates are the only type used for onions. Even vanity prefixes can still be generated by anyone who desires that prefix, with a different set of trailing characters. So having something that ties a site to a company, charity, individual sole trader, or othr legal entity is useful.

We've made a few changes to how we handle certificates that include .onion names recently, and they're worth discussing here:

Wildcards allowed for onion certs throughout CertSimple

Unlike regular EV certs, where every domain has to be reviewed by a human, so wildcards aren't permitted, onion EV certs allow wildcards. Previously customers had to email us about onion wildcards and we'd manually add them to the certificate, our ordering and certificaste management platform has now been updated to accept wildcards on any .onion site.

No need to specify full pubkey for current gen onions

Older generation onion sites used SHA1 as a hashing scheme. SHA1 is now widely considered broken, so part of the mitigation was including a full copy of the pubkey inside the cert itself, preventing it being used for another site via a SHA1 collision. Customers using older generation sites had to email us the sites full pubkey seperately from applying for the cert.

New generation onion sites like Ablative don't use SHA1, so the extra field isn't required. While we recommend current gen onion names, we still support previous gen onions if you needed.

No 2 year option for certs including onion sites

When any onion domains are detected for new EV certs, the UI will restrict the certificate lifetime to one year, as .onion certificates have a max lifetime of one year.

That's all for now

We'll also be rolling out further onion changes soon. We're always interested in feedback from the community or new ways we can improve the verification process so please let us know your thoughts.