Advisory Notice - OU Text Field Guidelines For All Certificates
Effective December 15, 2019, Sectigo will discontinue the practice of populating SSL certificate OU fields with information which has not been supplied by the certificate Applicant and/or which is not directly and verifiably related to the certificate Subject.
This change will not impact the performance of these certificates in the web PKI (browsers and on websites), servers or intermediate devices, nor will it require remedial environmental changes.
We are sending you this notification as an advisory in case custom applications in your environment rely on specific patterns of subject information in certificates that they choose to trust, in which case you may need to adjust the requirements of those applications.
Again, this change to our certificate subject profile will not affect any of the standard uses of active certificates with browsers and on websites, servers or intermediate devices, or CDNs.
Guidance On Information In The OU Field
CAB Forum BR guidelines stipulate that the OU field must only contain text that is related to the organization, and the Sectigo Compliance Team has provided the following guidance as to what can and cannot be in the OU field:
1. Phases that are not directly related to the organization CANNOT be used. Such as; “Powered by”, “Hosted by”, or “Issued through” statements. For example; Hosted by Blue host, Powered by Cisco or issued through [Partner Name]
2. Trademarks/DBA not related and verified to the organization CANNOT be used.
3. Text that is an identity of another organization CANNOT be used. Such as; Paypal Payment Gateway, Microsoft 365 server, and Sectigo Validated
4. Text describing a department within the organization CAN be used. Such as: IT, Network, Marketing, Operations, or Finance.
5. Text relating to the organization and is verified during validation CAN be used. Such as; [Country] Branch Office or Corporate Headquarters