Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


20210819 - Depreciation and disappearance of OU fields

New restrictions have come into effect regarding SSL certificates OU (Organizational Unit) fields.

Why?

On June 30th, 2021 the CA/B Forum voted the ballot SC47V2 planning the OU field depreciation.

It is still possible to issue a certificate with a OU filed but the rules regarding its content are deterrent.

It can be done only if a Organization Name is present in the certificate excluding all domain validated certificates.

If a OU field is requested it cannot include: a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information.

As of September 1st 2022 it won't be possible anymore to issue a server certificate with a OU field at all.

For which products?

Domain Validated certificates

Since August 16, 2021 it is not possible to issue a DV certificate containing a OU field anymore.

Other server certificates

The OU field will be definitely banned from any certificate issued after September 1st, 2022.

The certification authorities

Each authority will have to accommodate the calendar but some of them have taken the lead.

DigiCert

As announced previously, DigiCert has deleted the OU field from its certificates in 2020. It affected all the authorities of the group including Thawte and Geotrust.

Sectigo

Certificates issued by Sectigo does not contain OU fields since August 1st 2021 anymore. It affects TBS X509 certificates as well.

GlobalSign

As of July 25th, 2022 most of GlobalSign OV and EV certificates will be be issued without an OU field. With the exception of the orders placed prior to this date and of the reissuances. The OU field disappearance will be complete on August 29.

What about currently valid certificates?

Nothing. They will keep working normally until their expiration date.

My CSR contain a OU field, what if I need to reissue my certificate?

Your CSR will be usable. The authority will simply ignore the OU field for the certificate issuance.

Useful linkds