DV certificates for Onion websites
UPDATE
Following the high demand for onion certificates, HARICA decided to extend the discount period till the end of August 2021.
Great news for Onion fans!
We are excited to announce that HARICA has started issuing Domain Validated (DV) certificates for v3 Onion websites.
HARICA is a Publicly Trusted Certification Authority (CA) that participates in all major Global “ROOT CA” Trust Programs (360, Adobe, Apple, Microsoft, Mozilla, Oracle), and operates as a “Trust Anchor” in widely used Application Software and Operating Systems (Adobe, Apple, Google, Microsoft, Mozilla, Linux).
Following this announcement, we offer a discount on all of HARICA’s DV Certificates, which include “onion”, “wildcard onion”, and other types of publicly trusted DV TLS Certificates, starting at 4.5€ per year till the end of June 2021 [EXTENDED to August 2021].
Get yours now at HARICA’s CertManager!
How to purchase your own DV certificate?
- Create a HARICA account at HARICA’s CertManager.
- Under the Certificates section on the left, choose Server Certificates and make a new request for your domain.
- You have the option to auto-generate your TLS CSR locally or manually submit one you have already prepared. Both RSA and ECDSA keys are supported.
- To validate your Domain Name you have three (3) “general purpose” validation options:
  - Select a pre-defined email address of your domain to receive a confirmation email.
  - Upload a text file, provided by HARICA, to a specific location on your web server.
    - For v3 Onion domains only this “general purpose” validation option is allowed. There is also a special option available which uses the Tor hidden service ed25519 key to generate a special “Onion CSR” to prove you control the v3 Onion domain namespace, which allows you to obtain a wildcard Onion certificate *.<hidden service>.onion. This is currently the only secure option allowed to obtain a wildcard Onion certificate and HARICA has built and publicly disclosed the necessary code to support this method!
  - Add a DNS TXT record, provided by HARICA, to the selected authorization domain.
- After the successful payment of your order, you can retrieve your certificate.
What is an “Onion Service”?
Onion services are anonymous network services that are accessed via the Tor Browser and the underlying Tor (a.k.a. “Onion”) network. Clients use Onion services via Onion domains that are only resolvable inside the Tor network. In contrast to conventional Internet services, Onion services are private and end-to-end encrypted, generally not indexed by search engines, and use self-certifying domain names that are long and difficult for humans to read. That is, you can offer a web server, SSH server, etc., without revealing the real IP address to its users.
Why would an Onion website need a TLS certificate?
There are several reasons why an Onion website would need a TLS certificate:
- Mixing HTTP and HTTPS creates complex setups for websites.
- To help the user verify that the Onion domain is indeed the site you are hosting (manual check of the certificate registration information).
- Some services work with protocols, frameworks, and other infrastructure that require an HTTPS connection.
- In case your web server and your Tor process are on different machines.