Deprecation of Organization Unit(OU) from SSL certificate is the talk of the town these days.
When ordering an SSL certificate, the certificate authority requires a CSR (certificate signing request). In CSR, there is one field Organization Unit (OU). OU means a department, section, trademark.
However, the CA/Browser forum from September 1 decided to remove the OU field from the CSR. It is released in CA/Browser Forum Baseline Requirement 1.8.1. You can see the 7.1.4.2.2 section in the below image.
What is CSR?
A CSR (Certificate Signing Request) is initial information sent to the certificate authority, which contains a domain name, organization name, locality, state, country, email, and organization unit details. On this base, the certificate authority includes the details in a certificate.
Why the CA/Browser Forum deprecate the field?
The reason to remove the OU field is it can confuse anyone about its exact meaning. Some understand it as department, division, brand, or anything. Many SSL applicants had no clear idea of what exactly Organization Unit means. Why it should be included in the certificate signing request (CSR). Moreover, this feature lacked any verification while issuing a certificate. At some level, it caused misunderstanding among SSL applicants and slowed down the issuance process of a certificate. You can check the below image where the “Department” field is shown.
Certificate Authorities Started to Accept the Change
The CAB forum has ended this dilemma, and the public trusted certificate authority will not include the OU field in their certificates. However, many certificate authorities have started to adopt this change earlier. Sectigo will remove the OU field from July 1 on an individual account wise, while DigiCert will remove this feature in August.
If you are a private certificate issuer then, this amendment will not affect you as it is only applicable to public trusted certificate authorities.
The concern regarding the removal of the Organization Unit field is to save it from misuse by cyber culprits as well many SSL applicants misused it.
What Baseline Requirement Says?
The Baseline Requirement says below about the Organization Unit subject.
Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11) Required/Optional: Deprecated. Prohibited if the subject:organizationName is absent or the certificate is issued on or after September 1, 2022. Contents: The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, pg. 80 subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 3.2.2.1.
Benefits of Removing OU section
The main advantage of removing the OU section are as follows:
- Removal of unnecessary details
- It will make the validation process smooth and fast.
- It will remove confusion from customers’ mindset.
- It will stop misuse of company details, trademarks, tradenames.
Which Certificates will be affected with this change?
- Any new, renewed, or reissued certificate will no longer carry the ‘Organization Unit’ field.
- Pre issued a certificate before this announcement will not be impacted by this amendment.
Whether your organization will be Affected?
This change will not affect 99.9% of organizations as this field was unnecessary even in the validation process. However, if your company keeps a record of SSL certificate issuance as per the company’s division or employee wise, then it will affect your organization. This change will not affect mostly SSL certificate users.
SSL2BUY welcomes this change and hopes that this amendment will remove uncertainty from customers’ minds and make certificate issuance rapid and smooth.
