What You Need to Know in a Nutshell<\/h2>\n\n\n\n
Here\u2019s a quick overview of everything you need to know:<\/p>\n\n\n\n
- The organizationalUnitName<\/em> (OU) field information will no longer be included in new, renewed and re-issued SSL\/TLS certificates. (This change only affects you if your company used the field for record keeping, differentiating services, or other such activities.)<\/li>
- Some certificate authorities have decided to roll out their certificate changes prior to the Sept. 1 deadline to avoid any issues:
- Sectigo will remove OU info from their certificates starting<\/strong> July 1<\/strong>. They\u2019ll offer a temporary option for deactivating the OU field<\/a> on an \u201caccount by account basis\u201d by April 1.<\/li><\/ul>
- DigiCert will remove the field from their certificates<\/a> in August<\/strong>. This will occur sometime before the end of the month (they weren\u2019t more specific than that in their information release.)<\/li><\/ul><\/li>
- The CA\/B Forum was concerned that the field could be misused because it\u2019s a free-form field that lacked substantive verification requirements. (I.e., anyone could enter virtually anything they wanted there.)<\/li>
- The OU field was causing issues by slowing down certificate validation.<\/li>
- This change doesn\u2019t affect private CA certificate users. (This OU field removal only impacts publicly trusted SSL\/TLS certificates.)<\/li><\/ul>\n\n\n\n
If that\u2019s all you were looking for, feel free to move on your way. But if you\u2019re one of our newer readers, or you\u2019re new to the SSL\/TLS industry as a whole, no worries. We\u2019ve got you covered and will answer some other related questions that you may have\u2026<\/p>\n\n\n\n
What the Heck Is the OU Field?<\/h2>\n\n\n\n
When you complete a certificate signing request (CSR) as part of the certificate ordering process, there\u2019s traditionally been a free-form field in which you\u2019d enter metadata that you want to store in your certificate. In cPanel, for example, this field is labeled \u201cCompany Division\u201d instead.<\/p>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/01\/ou-field-information-csr.png\")
A screenshot of the free form field that’s included in cPanel’s certificate signing request form.<\/figcaption><\/figure>\n\n\n\n However, many users had no idea what information to input in this field because, frankly, the term is pretty nebulous. Does it mean your department? A website? A trademark? Something else entirely? Yeah, you see why it could be confusing.<\/p>\n\n\n\n
Here\u2019s an example of an OU field in the SSL\/TLS certificate for Wells Fargo:<\/p>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/01\/wellsfargo-certificate-ou-field-example.png\")
A screenshot of the Wellsfargo.com SSL\/TLS certificate subject information (i.e., information about the company that the certificate was issued to).<\/figcaption><\/figure>\n\n\n\n Do you know what the DCG-PSG stands for? We don\u2019t, either (at least, not without turning to Google to see what turns up). And that\u2019s kind of our point. The scope of the OU field\u2019s intended usage is actually pretty limited, and it\u2019s required to not be \u201cmisleading.\u201d However, who would check that out and how would the information be verified? When this form is filled out incorrectly, it leads to a litany of issues that bog down validation times for companies ordering certificates. Which brings us to our next talking point\u2026<\/p>\n\n\n\n
Why Are CAs Removing the Organizational Unit Field Being Removed?<\/h2>\n\n\n\n
The quick answer: <\/strong>Because the CA\/B Forum told them to do so in their latest release of SSL\/TLS Baseline Requirements (1.8.1<\/a>). The concern was that this field could be intentionally or unintentionally misused and cause validation hang-ups and other issues.<\/p>\n\n\n\n
The long answer:<\/strong> Basically, the CA\/B Forum is the industry\u2019s voting body of heavy hitters like Google, Apple, DigiCert and Sectigo. Last fall, the Forum\u2019s members discussed via email the use of the OU field<\/a> and whether it served as a benefit or a hindrance. While some companies used it correctly, the concern was that the field was often used incorrectly and that bad guys could misuse the OU field<\/a> for bad purposes.<\/p>\n\n\n\n
In December 2021, the group voted to deprecate the organizationalUnitName<\/em> field entirely from certificates. This will take effect starting Sept. 1 (although CAs are implementing the change ahead of schedule on their sites.)<\/p>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/01\/cabforum-ou-field-removal.png\")
Source: CA\/B Forum Baseline Requirements 1.8.1 (page 17).<\/figcaption><\/figure>\n\n\n\n According to Section 7.1.4.2.2:<\/p>\n\n\n\n
\u201cCertificate Field:<\/strong> subject:organizationalUnitName (OID: 2.5.4.11) Required\/Optional: Deprecated. Prohibited<\/strong> if the subject:organizationName is absent or the certificate is issued on or after September 1, 2022.<\/em> Contents:<\/strong> The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, pg. 80 subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1.\u201d<\/em><\/p><\/blockquote>\n\n\n\n
To quickly summarize, the idea behind removing the OU field is that it will:<\/p>\n\n\n\n
- Eliminate an unnecessary piece of data.<\/li>
- Mitigate OU-related hiccups in the validation process by eliminating the highly specific field.<\/li>
- Prevent inaccurate attributions or intentional misuses of company names, trademarks, tradenames, addresses, or other information.<\/li><\/ul>\n\n\n<\/span><\/span>\n\n\n\n
How Will Removing the OU Field Affect My Organization?<\/h2>\n\n\n\n
Honestly, this change isn\u2019t earth-shattering and isn\u2019t going to affect the overwhelming majority of our readers. This change will likely only affect you if you\u2019ve been doing something custom (like using the OU field to keep track of which employee\/department issued a certificate). But seeing as how we like to keep you apprised of changes within the CA\/B Forum, we thought it pertinent to let you know about the change that\u2019s occurring ahead of time.<\/p>\n\n\n\n
Here\u2019s a quick overview of what removing the OU field will entail for publicly trusted certificates:<\/p>\n\n\n\n
- The OU field will be removed from all certificate authorities\u2019 certificate order forms.<\/li>
- All new or re-issued publicly trusted SSL\/TLS certificates will no longer contain OU information.<\/li>
- Pre-existing SSL\/TLS certificates (i.e., those that were ordered prior to the field\u2019s removal) won\u2019t be affected.<\/li><\/ul>\n\n\n\n
Wondering what this means for private CA certificate users? A whole lot of nothing. Basically, this isn\u2019t going to change a darned thing for 99.9% of users.<\/p>\n","protected":false},"excerpt":{"rendered":"
The CA\/B Forum has decided that CAs no longer need to include organizational unit (OU) information when issuing publicly trusted SSL\/TLS digital certificates. Let\u2019s quickly explore what this means for…<\/p>\n","protected":false},"author":17,"featured_media":15326,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[235,467],"class_list":["post-15321","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-cab-forum","tag-ssltls","post-with-tags"],"views":10731,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/01\/ou-field-deprecation-feature.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/15321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=15321"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/15321\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/15326"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=15321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=15321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=15321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- DigiCert will remove the field from their certificates<\/a> in August<\/strong>. This will occur sometime before the end of the month (they weren\u2019t more specific than that in their information release.)<\/li><\/ul><\/li>
- Some certificate authorities have decided to roll out their certificate changes prior to the Sept. 1 deadline to avoid any issues: