Onion TLS/SSL certificate updates
EV certificates verify websites: they’re useful in any situation where web users need to know who they’re communicating with, but they’re especially useful for
onion sites, which use names that are a base32 representation of a public key like
swursuzpievjanml.onion – as a result, EV certificates are the only type used for onions. Even vanity prefixes can still be generated by anyone who desires that prefix, with a different set of trailing characters. So having something that ties a site to a company, charity, individual sole trader, or othr legal entity is useful.
We’ve made a few changes to how we handle certificates that include
.onion names recently, and they’re worth discussing here:
Wildcards allowed for onion certs throughout CertSimple
Unlike regular EV certs, where every domain has to be reviewed by a human, so wildcards aren’t permitted, onion EV certs allow wildcards. Previously customers had to email us about onion wildcards and we’d manually add them to the certificate, our ordering and certificaste management platform has now been updated to accept wildcards on any
No need to specify full pubkey for current gen onions
Older generation onion sites used SHA1 as a hashing scheme. SHA1 is now widely considered broken, so part of the mitigation was including a full copy of the pubkey inside the cert itself, preventing it being used for another site via a SHA1 collision. Customers using older generation sites had to email us the sites full pubkey seperately from applying for the cert.
No 2 year option for certs including onion sites
When any onion domains are detected for new EV certs, the UI will restrict the certificate lifetime to one year, as
.onion certificates have a max lifetime of one year.
That’s all for now
We’ll also be rolling out further onion changes soon. We’re always interested in feedback from the community or new ways we can improve the verification process so please let us know your thoughts.