In compliance with pending policy changes brought about by CA/Browser (CA/B) Forum ballot SC47v2, Sectigo will deprecate the population of the Organizational Unit (OU) field in Sectigo issued Certificates ahead of this deadline, starting July 1, 2022.
As concluded by the CA/B Forum, the “Organizational Unit” is a concept purely internal to a company, which therefore lacks credible, outside information sources for a Certificate Authority (CA) to use. As a result, the OU field cannot be authenticated and could contain almost any text that a customer or CA chose to include. Although existing guidelines prohibit the use of unauthenticated brands or domain names in OU fields, such a policy is extremely hard to police and is fundamentally nebulous and judgement-based. Removing the field eliminates this problem.
Customers who use the field are cautioned that any processes or systems that depend on the presence of or information in the OU field could be impacted.
Starting no later than April 1, 2022, Sectigo plans to offer a mechanism to temporarily turn off the OU field on a per-account basis. This optional feature will enable customers to conduct real-world tests to discover the impact of this change with the option to “roll back” and adjust their technology or processes prior to the hard deadline for eliminating the field.
This change primarily impacts public Extended Validation (EV) and Organizational Validation (OV) SSL / TLS Certificates, as well as both EV and standard Code Signing Certificates. Most enterprises, however, do not use the OU field, and accordingly, would not have built out processes that depend on this content. Such organizations should not be impacted by this change.
While the CA/B Forum is deprecating the OU field starting Sept. 1, 2022, Sectigo wants to ensure that no customers are adversely impacted by this change and is therefore communicating the change and advising customers to check their internal OU processes to ensure optimum functionality well in advance of the final deadline.