Status Services → Expedited WAF → Expedited SSL → IP Investigator → Real Email Resources → Knowledge Base → AWS In Plain English → Blog → Heroku Security Resources Use Cases → DDoS Protection → Bot & Malicious Traffic Blocking → Fraud Detection & Prevention → Credential Stuffing Protection → Compliance → OWASP Top 10 Compliance → AI Scraping Prevention → Geographic Request Blocking → Virtual Patching About Contact

Onion TLS/SSL certificate updates

Streamlining verification for Onion sites.

January 24, 2020
Onion TLS/SSL certificate updates

Onion TLS/SSL certificate updates

EV certificates verify websites: they're useful in any situation where web users need to know who they're communicating with, but they're especially useful for onion sites, which use names that are a base32 representation of a public key like swursuzpievjanml.onion - as a result, EV certificates are the only type used for onions. Even vanity prefixes can still be generated by anyone who desires that prefix, with a different set of trailing characters. So having something that ties a site to a company, charity, individual sole trader, or othr legal entity is useful.

We've made a few changes to how we handle certificates that include .onion names recently, and they're worth discussing here:

Wildcards allowed for onion certs

Unlike regular EV certs, where every domain has to be reviewed by a human, so wildcards aren't permitted, onion EV certs allow wildcards. Modern certificate management platforms have been updated to accept wildcards on any .onion site.

No need to specify full pubkey for current gen onions

Older generation onion sites used SHA1 as a hashing scheme. SHA1 is now widely considered broken, so part of the mitigation was including a full copy of the pubkey inside the cert itself, preventing it being used for another site via a SHA1 collision. Customers using older generation sites had to email us the sites full pubkey seperately from applying for the cert.

New generation onion sites like Ablative don't use SHA1, so the extra field isn't required. While we recommend current gen onion names, we still support previous gen onions if you needed.

No 2 year option for certs including onion sites

When any onion domains are detected for new EV certs, the UI will restrict the certificate lifetime to one year, as .onion certificates have a max lifetime of one year.

That's all for now

These updates help streamline the process for obtaining EV certificates for onion sites. If you need an EV certificate for your onion site, contact us to learn more.

View All Blog Posts