FAQ: OU Field to Be Deprecated in Sectigo Issued Certificates Starting July 1st 2022

Due to New Rule, OU Field to Be Deprecated in Sectigo Issued Certificates Starting July 1st 2022

Why is Sectigo making this change?
The change has been prompted by a ballot passed by the CA/Browser (CA/B) Forum to deprecate the field and to prevent its use going forward. As concluded by the CA/B Forum, the “Organizational Unit” (OU) is a concept purely internal to a company, which therefore lacks any credible, outside information sources for a Certificate Authority (CA) to use.

Therefore, the OU field cannot be authenticated and could contain almost any text that a customer or CA chose to include. Although existing guidelines prohibit the use of unauthenticated brands or domain names in OU fields, such a policy is extremely hard to police and is fundamentally nebulous and judgement-based. Removing the field eliminates this problem.

What certificates does this apply to?
This change primarily impacts public Extended Validation (EV) and Organizational Validation (OV) SSL / TLS Certificates, as well as both EV and standard Code Signing Certificates.

How do I know if this change impacts my business?
Most enterprises do not use the OU field and likely would not have built processes that depend on this content. Such organizations should not be impacted by this change. A concerned customer should refer to their internal OU policy to check usage.

To assist with this transition, starting no later than April 1, 2022, Sectigo plans to offer a mechanism to temporarily “turn off” the OU field on a per-account basis. This optional feature will enable customers to conduct real-world tests to assess impact of this change with the option to “roll back” and adjust their technology or processes prior to the hard deadline for eliminating the field.

What happens to my existing certificates with an OU in ?
Issued certificates that contain an OU will remain valid until they expire. There is no requirement to revoke or replace these certificates.
However, if they are reissued after the deprecation date, they will no longer contain the same OU.

Why is this important?
Most Certificates do not contain OU information, and most enterprises do not have technical or process requirements depending on this field. For such use cases and enterprises, this change should have no impact.

However, a non-trivial minority of Certificates do use this OU field, and some enterprises may have built-in technical requirements based on the contents of the OU field or depend on it as a meaningful part of their business process for provisioning, deployment, and cost-center accounting. These enterprises may be affected by the mandatory removal of the OU field from all public SSL Certificates. Any such organization should be changing its systems and processes now to support the new requirement.

What are those critical dates again?

  • April 1st, 2022: Sectigo will offer a mechanism within SCM to allow customers to selectively turn off OU population for issued certificates.

  • July 1st, 2022: Sectigo will no longer issue certificates with OU field.

  • September 1st, 2022: CA/B Forum mandates that OU field be unused and deprecated for all newly issued Certificates. This change will not impact existing certificates.

For more information please see:
Blog Communication
OU field to be deprecated in Sectigo issued Certificates starting July 1st 2022