CAs to Deprecate OU Info from Digital Certificates Starting July 1 – Hashed Out by The SSL Store™

There are changes coming down the pike that will make ordering certificates a bit easier by eliminating a source of confusion. Traditionally, the certificate ordering process has asked requestors (i.e., you) to provide information for the organizational unit (OU) field of the certificate’s subject. However, the CA/Browser Forum (CA/B Forum) has decided that this field is no longer necessary: starting Sept. 1, 2022, publicly trusted certificate authorities (CAs) will no longer include it in the certificates they issue.
However, some CAs are being proactive and rolling out the change ahead of schedule, some as early as July 1. But why is this change occurring, and what does it mean for your business?
Let’s hash it out.
Here’s a quick overview of everything you need to know:
If that’s all you were looking for, feel free to be on your way. But if you’re one of our newer readers, or you’re new to the SSL/TLS industry as a whole, no worries. We’ve got you covered and will answer some other related questions that you may have…
When you complete a certificate signing request (CSR) as part of the certificate ordering process, there’s traditionally been a free-form field in which you’d enter metadata you want stored in your certificate’s subject: the organizational unit (OU) field. In cPanel, for example, this field is labeled “Company Division” instead.
However, many users had no idea what information to input in this field because, frankly, the term is pretty nebulous. Does it mean your department? A website? A trademark? Something else entirely? Yeah, you see why it could be confusing.
Here’s an example of an OU field in the SSL/TLS certificate for Wells Fargo:
Do you know what DCG-PSG stands for? We don’t, either (at least, not without turning to Google to see what turns up). And that’s kind of our point. The OU field’s intended scope is actually pretty limited, and its contents are required not to be “misleading.” But who would check that, and how would the information be verified? When this field is filled out incorrectly, it leads to a litany of issues that bog down validation times for companies ordering certificates. Which brings us to our next talking point…
The quick answer: because the CA/B Forum told them to, in the latest release of the SSL/TLS Baseline Requirements (version 1.8.1). The concern was that this field could be misused, intentionally or unintentionally, causing validation hang-ups and other issues.
The long answer: the CA/B Forum is the industry’s voting body, made up of heavy hitters like Google, Apple, DigiCert and Sectigo. Last fall, the Forum’s members discussed on its mailing list whether the OU field served as a benefit or a hindrance. While some companies used it correctly, the concern was that the field was often used incorrectly and that bad actors could misuse it for their own purposes.
In December 2021, the group voted to deprecate the organizationalUnitName field from publicly trusted certificates entirely. The change takes effect Sept. 1, 2022, although some CAs are implementing it ahead of schedule on their sites.
According to Section 7.1.4.2.2 of the Baseline Requirements:
“Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11) Required/Optional: Deprecated. Prohibited if the subject:organizationName is absent or the certificate is issued on or after September 1, 2022. Contents: The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1.”
To quickly summarize, the idea behind removing the OU field is that it will:
Honestly, this change isn’t earth-shattering and won’t affect the overwhelming majority of our readers. It will likely only affect you if you’ve been doing something custom, like using the OU field to keep track of which employee or department requested a certificate, or if something downstream (an access rule, a monitoring check) matches on the OU value and will stop matching once it disappears. But seeing as how we like to keep you apprised of changes within the CA/B Forum, we thought it pertinent to let you know about the change ahead of time.
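If you are in that category, the practical check is to look at the subject of your CSRs and existing certificates for an organizationalUnitName attribute (OID 2.5.4.11) before the next renewal. What follows is an added example, not code from the original post or from any CA: a stdlib-only Python encoder/decoder for the X.509 subject Name structure that flags OU attributes and produces an OU-free subject you can use for the replacement CSR. The sample subject it builds is constructed for the example (loosely modelled on the Wells Fargo subject shown above), and the function names are our own.

```python
"""Find and remove organizationalUnitName (OU, OID 2.5.4.11) in an X.509 subject.

Added example: a minimal, stdlib-only DER encoder/decoder for RFC 5280's
Name ::= SEQUENCE OF RDN, RDN ::= SET OF AttributeTypeAndValue {OID, string}.
"""

OID_OU = "2.5.4.11"          # organizationalUnitName, deprecated by the Baseline Requirements
OID_COUNTRY = "2.5.4.6"      # countryName, always PrintableString in RFC 5280

# DER tags used below
SEQUENCE, SET, OID, UTF8STRING, PRINTABLESTRING, IA5STRING = 0x30, 0x31, 0x06, 0x0C, 0x13, 0x16
STRING_TAGS = {UTF8STRING, PRINTABLESTRING, IA5STRING}


def _length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID, e.g. 2.5.4.11 -> 06 03 55 04 0b."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def encode_name(rdns):
    """rdns: list of (oid, value) pairs, one AttributeTypeAndValue per RDN."""
    body = b""
    for oid, value in rdns:
        string_tag = PRINTABLESTRING if oid == OID_COUNTRY else UTF8STRING
        atv = tlv(SEQUENCE, encode_oid(oid) + tlv(string_tag, value.encode("utf-8")))
        body += tlv(SET, atv)
    return tlv(SEQUENCE, body)


def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Inverse of encode_oid (first-octet rule is enough for the 2.5.4.x arcs used here)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Walk SEQUENCE OF SET OF SEQUENCE {OID, string} and return (oid, value) pairs."""
    tag, body, _ = read_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("subject is not a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = read_tlv(body, pos)
        if set_tag != SET:
            raise ValueError("RDN is not a SET")
        p = 0
        while p < len(rdn):                 # multi-valued RDNs hold several ATVs
            _, atv, p = read_tlv(rdn, p)
            _, oid_body, q = read_tlv(atv)
            string_tag, value, _ = read_tlv(atv, q)
            if string_tag not in STRING_TAGS:
                raise ValueError("unsupported attribute value type 0x%02x" % string_tag)
            rdns.append((decode_oid(oid_body), value.decode("utf-8")))
    return rdns


def find_ou(subject_der):
    """All OU values present in a DER subject; an empty list means it is clean."""
    return [value for oid, value in decode_name(subject_der) if oid == OID_OU]


def strip_ou(subject_der):
    """The same subject with every OU RDN removed, re-encoded as DER."""
    return encode_name([(oid, v) for oid, v in decode_name(subject_der) if oid != OID_OU])


# Constructed sample subject for this example (loosely modelled on the post's screenshot).
SAMPLE_RDNS = [
    ("2.5.4.6", "US"),
    ("2.5.4.8", "California"),
    ("2.5.4.7", "San Francisco"),
    ("2.5.4.10", "Wells Fargo & Company"),
    (OID_OU, "DCG-PSG"),
    ("2.5.4.3", "www.wellsfargo.com"),
]
SAMPLE_SUBJECT = encode_name(SAMPLE_RDNS)

if __name__ == "__main__":
    print("OU values found:", find_ou(SAMPLE_SUBJECT))
    print("after strip_ou:", decode_name(strip_ou(SAMPLE_SUBJECT)))
```

On a real request the everyday equivalent is `openssl req -in server.csr -noout -subject`; if an `OU=` shows up, regenerate the CSR without it, because after Sept. 1 the CA cannot carry that attribute into the issued certificate anyway. The decoder deliberately rejects value types it does not know rather than guessing, so a subject using BMPString or T61String surfaces as an error instead of a silent miss.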
Here’s a quick overview of what removing the OU field will entail for publicly trusted certificates:
Wondering what this means for users of private CA certificates? A whole lot of nothing. The Baseline Requirements bind only publicly trusted CAs, so a private PKI can keep using OU however it likes. Basically, this isn’t going to change a darned thing for 99.9% of users.
Casey Crane is a regular contributor to (and managing editor of) Hashed Out with 15+ years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.
The SSL Store™ | 146 2nd St. N. #201, St. Petersburg, FL 33701 US | 727.388.4240
Copyright © 2022 The SSL Store™. All Rights Reserved.