Change in use of OU-fields in Sectigo certificates
19 December 2019
As of December 15, 2019, Sectigo will change the use of OU fields for all new Sectigo certificates. From this date, it is no longer permitted to include non-organization-related information in an OU field.
What is the OU-field?
OU stands for Organizational Unit. It is a field in the Subject information of an SSL certificate. For certificates with company data (organization and extended validation), the Subject part of a certificate contains information about the organization to which the certificate has been issued. Next to an O field, in which the organization name is specified, there is (among others) an OU field. This field is intended to indicate a specific department of that organization.
What changes exactly?
Until December 15, Sectigo used an (extra) OU field to carry additional identifying information such as the type of certificate, for example 'PositiveSSL'. This was done in all types of certificates, including Domain Validation certificates that do not contain any Subject information. To better meet the industry standards, from 15 December the OU field will only be filled with data that can be linked to the organization that is included as the subject in the certificate, such as the name of a department or a validated text such as "headquarters". Phrases that cannot be directly linked to the organization, such as 'powered by' and 'issued through', and trademarks are no longer allowed.
What is the impact?
In most cases, there is no impact: certificates that have already been issued, are still valid, and have non-subject-related information in the OU field remain valid for the rest of their validity period and remain trusted. Some applications, such as apps that communicate with a server, use the OU field as a checkable value or identifying attribute. In that case, the configuration will need to be adjusted.
For all new certificate applications, and for renewals and reissues, the adjusted rules apply from 15 December 2019. This applies to SSL certificates both with and without company data.
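The impact described under "What is the impact?" can be checked before a renewal or reissue. The following is an added example, not code from Sectigo or from this article: it compares a certificate subject before and after reissue against each client's required subject values and reports which clients would start rejecting the certificate. The certificate subjects (in the shape returned by Python's ssl.SSLSocket.getpeercert()), the client names and their pin lists are constructed for illustration.

```python
# Added example. All values below are constructed; the subject layout follows
# what Python's ssl.SSLSocket.getpeercert() returns.
CERT_BEFORE = {"subject": (
    (("organizationalUnitName", "PositiveSSL"),),
    (("commonName", "www.example.com"),),
)}
CERT_AFTER = {"subject": (          # reissued: product name no longer in OU
    (("commonName", "www.example.com"),),
)}

# Hypothetical client configurations: attribute/value pairs each client
# requires in the server certificate's subject.
CLIENT_PINS = {
    "mobile-app": [("organizationalUnitName", "PositiveSSL"),
                   ("commonName", "www.example.com")],
    "batch-job": [("commonName", "www.example.com")],
}


def subject_values(cert, attr):
    """All values of one subject attribute (OU may occur more than once)."""
    return [value for rdn in cert.get("subject", ())
            for name, value in rdn if name == attr]


def unmet_pins(cert, pins):
    """Pins that the certificate's subject does not satisfy."""
    return [(attr, want) for attr, want in pins
            if want not in subject_values(cert, attr)]


def clients_broken_by_reissue(before, after, client_pins):
    """Clients that accept `before` but would reject `after`, with the cause."""
    broken = {}
    for client, pins in client_pins.items():
        if not unmet_pins(before, pins) and unmet_pins(after, pins):
            broken[client] = unmet_pins(after, pins)
    return broken


if __name__ == "__main__":
    for client, pins in clients_broken_by_reissue(
            CERT_BEFORE, CERT_AFTER, CLIENT_PINS).items():
        print(f"{client}: reissued certificate fails {pins}")
```

Any client reported here depends on an OU value and needs its configuration adjusted before the reissued certificate is deployed.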