NicSRS
US - English

Blog > Sectigo to Deprecate OU Field from SSL Certificates Starting July 1

Sectigo to Deprecate OU Field from SSL Certificates Starting July 1

Tag:

Sectigo

SSL certificates

OU Field

2439:0

CasiileFebruary 17 2022

According to CA/Browser Forum’s latest guideline, all trusted SSL/TLS certificates issued by CA will no longer use OU Field from September 1. In order to comply with New Rule, starting July 1st 2022, Sectigo Certificates will deprecate OU Field.

What on Earth is OU Field?

When you apply for an SSL certificate, you need to submit the certificate signing request file, CSR. The OU field allows optional metadata to be stored in a certificate. The Organization Unit (OU) Field is intended to indicate a specific department of that organization.

(A screenshot of OU field included in NicSRS Generate CSR tool)

If your website has installed an SSL Certificate, you can click SSL Certificate details to view the OU Field, as shown in the following example:

(A screenshot of an OU field in the SSL certificate for globalsign)

Why is OU Field Removed?

The reason for this change is that the CA/B Forum was concerned that OU Field could be abused because it was a free-form field that lacked substantive validation requirements. It means that anyone can input information at will.

The OU Field is not authenticated and contains miscellaneous information: a name, DBA, trade name, trademark, address, location, or other text that refers to a specific natural person or legal entity. If the OU field is used incorrectly or is misused for bad purposes by cybercriminals, certificate verification may fail.

What Changes Exactly?

From July 1, Sectigo will deprecate the OU Field in public certificates. The changes will impact the new, renewed and reissued public certificates including Extended Validation (EV) and Organization Validation (OV) SSL certificates as well as EV and OV Code Signing certificates. These public certificates will no longer contain OU field information after the change takes effect.、Meanwhile, Sectigo plans to offer a temporary solution before April 1st to "turn off" OU Field on per-account to assess the impact of the change.

What is Benefits from Removing OU Field?

  •  Delete unnecessary OU field data
  •  Reduce OU field-related issues during validation process by eliminating the unauthenticated field
  •  Prevent company name, trademark, unit and other information from being abused by others

Which Certificates Will Be Affected?

Starting from September 1st, this new rule primarily impacts EV and OV SSL / TLS Certificates, as well as both EV and OV Code Signing Certificates.

Sectigo certificates will be implemented earlier from July 1 than CA/B deadline and then DigiCert CA announces their public certificates will stop using OU fields in August.

Note: The public certificates with a valid OU Field that are issued before the deadline will not be affected.

Does this Change Impact My Business?

In most cases, there is no impact.

For most enterprises, they do not use the OU field and do not rely on the content of OU field to build relevant technologies or business processes, so this change will not affect their business.
However, your certificates are using the OU field, and the enterprise may have built-in technical requirements based on the contents of OU fields or regard them as a useful part of the business process, for service initiation, deployment, and cost accounting. These enterprises may be affected by the mandatory removal of OU field from their SSL certificates.

Therefore, by April 1, Sectigo plans to offer a mechanism to temporarily turn off the OU Field on a per-account basis. This optional feature will enable customers to conduct real-world tests to discover the impact of this change with the option to “roll back” and adjust their technology or processes prior to the CA/B starting the New Rule.

Comments