The “Organizational Unit” (OU) field of an X.509 certificate is intended to designate which division of an organization the certificate was issued to. An organization can put essentially whatever it wants there, and it is nearly impossible for a CA to validate the value, which underscores the problem with the OU field as the only self-reported, unvalidated field in the certificate.
That’s a problem, because these certificates are publicly trusted and there is a risk the field could be misused to confuse or mislead internet users.
In the interest of mitigating this risk, the CA/Browser Forum voted in Ballot SC47v2 to deprecate the OU field in TLS certificates starting September 1, 2022. Here’s what you need to know about the upcoming changes.
When will GlobalSign deprecate the OU Field in TLS certificates?
GlobalSign will stop accepting certificate requests with the OU field in all TLS certificates effective July 25, 2022. As of this date, we will remove the ability to enter this field during the ordering process, and MSSL profiles will have their OU removed.
No action is required on your part, as the field will be removed at the time of issuance. Previously issued certificates with OU will continue to be valid until their expiration date.
Who does this affect?
This change pertains to the following GlobalSign products:
- Retail and reseller versions of TLS OV and TLS EV
- MSSL OV and EV
- CloudSSL (based on MSSL)
- IntranetSSL (based on MSSL)
- AEG Private Trust TLS certificates issued from our GCC platform (based on MSSL)
- NAESB OV TLS
While most enterprises do not use the OU field, some still do. If your organization has systems or software that do use the OU field, this change will affect you. If you need assistance with navigating these changes, please check out our support article or reach out to your GlobalSign rep for assistance.
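To find out whether certificates you already hold carry an OU that your systems might rely on, you can check each certificate's subject for the OU attribute (OID 2.5.4.11). The following is an added example, not GlobalSign code: it assumes DER-encoded input, and `sample_cert` builds a constructed, unsigned test structure rather than a real certificate.

```python
# Added example: list OU (OID 2.5.4.11) values in a certificate's subject.
OU_OID = bytes.fromhex("55040b")  # DER content bytes of OID 2.5.4.11

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def subject_ou_values(cert_der):
    """Return every OU string found in the subject of a DER certificate."""
    tbs = children(read_tlv(cert_der)[1])[0][1]          # tbsCertificate
    fields = [v for t, v in children(tbs) if t != 0xA0]  # drop [0] version
    ous = []  # fields: serial, sigAlg, issuer, validity, subject, ...
    for _, rdn in children(fields[4]):                   # each RDN is a SET
        for _, attr in children(rdn):                    # of type/value pairs
            (_, oid), (_, value) = children(attr)[:2]
            if oid == OU_OID:
                ous.append(value.decode("utf-8", "replace"))
    return ous

def tlv(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample."""
    body = b"".join(parts)
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def atv(oid_hex, text):
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)), tlv(0x0C, text.encode())))

def sample_cert(with_ou):
    """Constructed, unsigned, certificate-shaped DER (not a real certificate)."""
    names = [("55040a", "Example Corp"), ("55040b", "Payments"), ("550403", "www.example.test")]
    subject = tlv(0x30, *[atv(o, s) for o, s in names if with_ou or o != "55040b"])
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b"))),
              tlv(0x30, atv("550403", "Constructed Test CA")),  # issuer
              tlv(0x30), subject)                                # empty validity, then subject
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00"))
```

For PEM files, convert to DER first with the standard library's `ssl.PEM_cert_to_DER_cert`.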