Get a TLS certificate for your onion site

We are happy to share the news of another important milestone for .onion services! You can now get DV certificates for your v3 onion site using HARICA, a Root CA Operator founded by Academic Network (GUnet), a civil society nonprofit from Greece.

Last year we wrote a blog post about the challenges and opportunities for onion services:

The future of TLS support for onion services is very encouraging. In March of this year, the CA/Browser Forum approved an amendment to the domain validation (DV) TLS certificate baseline requirements which now allows certificate authorities (CAs) to issue certificates containing v3 .onion addresses. This means, in the not-too-distant-future, a CA like Let's Encrypt can issue a certificate for an onion service and Tor Browser will "just work." In addition, for onion services that do not want to rely on certificate authorities, we are exploring alternative designs like Same Origin Onion Certificate for inclusion in Tor Browser.

We are happy that the "not-too-distant future" turned out to be quite close. We hope that more CAs will follow.

Why would an .onion site need a TLS certificate? This is a great question, especially because onion services already provide much the same protections as an HTTPS connection: the data in transit is protected from man-in-the-middle attacks, and the user can be sure they are connecting to the server that the address in the browser bar names. Onion services do the same thing, so why would an .onion site need a TLS certificate?

Our Community portal page about onion services gives you a list of reasons why a service admin might need a TLS certificate as part of their setup. Here are some of them:

  • Websites with complex setups that serve both HTTP and HTTPS content
  • To help the user verify that the .onion address is indeed the site you are hosting (this would be a manual check done by the user looking at the certificate's registration information)
  • Some services work with protocols, frameworks, and other infrastructure that require an HTTPS connection
  • When your web server and your tor process run on different machines

Previously, .onion site administrators who needed a TLS certificate had to either hack together other solutions or spend a significant amount of money on an EV certificate. Now, with HARICA, acquiring a certificate is more accessible, but we know that free certificates are ideal and we look forward to that moment.

We are happy to see people acquiring certificates for their onions. Remember to do it for a v3 onion address since v2 will be deprecated very soon:

July 15th, 2021 (0.4.6.x): Tor will no longer support v2 and support will be removed from the code base.
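As an added example (not code from this post, from Tor, or from HARICA), here is a small Python checker that tells a v3 address apart from a legacy v2 one before you put it into a certificate request. It follows the v3 address layout from Tor's rend-spec-v3: the 56-character base32 label is PUBKEY (32 bytes) || CHECKSUM (2 bytes) || VERSION (1 byte, value 3), where CHECKSUM is the first two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION). A v2 address is a 16-character base32 label with no checksum, so it can only be recognised by shape. The function names and the sample public key bytes are my own constructions.

```python
import base64
import hashlib
from typing import Optional

# Constants from rend-spec-v3: version byte and checksum domain-separation prefix.
ONION_V3_VERSION = 3
_CHECKSUM_PREFIX = b".onion checksum"
_BASE32_ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz234567")


def _v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    digest = hashlib.sha3_256(
        _CHECKSUM_PREFIX + pubkey + bytes([ONION_V3_VERSION])
    ).digest()
    return digest[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 onion address from a 32-byte ed25519 public key (no key generation here)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses encode a 32-byte ed25519 public key")
    raw = pubkey + _v3_checksum(pubkey) + bytes([ONION_V3_VERSION])
    # 35 bytes base32-encode to exactly 56 characters, no padding; Tor uses lowercase.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(address: str) -> Optional[int]:
    """Return 3 for a well-formed v3 address, 2 for a v2-shaped legacy address, None otherwise.

    Only the final label before ".onion" is checked, so "www.<label>.onion" is accepted.
    """
    host = address.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")].rsplit(".", 1)[-1]
    if not label or any(c not in _BASE32_ALPHABET for c in label):
        return None
    if len(label) == 16:
        # v2: base32 of a truncated SHA-1 of the RSA key; nothing to verify offline.
        return 2
    if len(label) != 56:
        return None
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_V3_VERSION:
        return None
    if checksum != _v3_checksum(pubkey):
        return None
    return 3


if __name__ == "__main__":
    # Constructed sample key bytes, not a real service key.
    sample = encode_v3(bytes(range(32)))
    print(sample, "->", classify_onion(sample))          # 3
    print("a" * 16 + ".onion", "->", classify_onion("a" * 16 + ".onion"))  # 2 (legacy)
    print("example.com", "->", classify_onion("example.com"))             # None
```

Because the version byte is the last byte of the encoded blob, every valid v3 address ends in the character "d" before ".onion"; the checksum check additionally catches a mistyped address before it ends up in a certificate's subject alternative name.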

If you would like to give it a try, here is a great tutorial by Kushal from the Tor community.