Deprecation of the OU-field in SSL/TLS certificates
The merits of the OU-field (Organizational Unit) have long been a hot topic of discussion. It has been the only information included in Organizational Validation (OV) and Extended Validation (EV) SSL certificates that is not objectively verifiable. Further, what constitutes a valid OU has been vague and arbitrarily defined by different Certificate Authorities (CAs). It has also been the only non-mandatory standard input field in Certificate Signing Requests. However, in the absence of widespread knowledge of this fact, many ended up simply using “IT” as a default.
From a website visitor’s point of view, knowing that a certificate was issued to a certain organization in a certain country, as validated by the CA, creates trust and has tangible value. Meanwhile, it is hard to argue that knowing a certificate was issued to the IT Department (or whatever else may populate the field) of that organization provides any additional assurance.
As such, the decision to remove the field entirely from SSL certificates gained wide support from both CAs and browsers. In June of 2021, the final nail in the coffin of the OU-field was set when the CA/B Forum decided to deprecate it.
When?
The final deadline for removal of the OU-field is September 1st, 2022. CAs have different road maps for deprecation, so the exact date varies across CAs as well as between newly issued certificates, re-issues, etc.
Many CAs take the initial steps in July. For our main CA partner, GlobalSign, the following is true:
- July 25th: New orders will no longer include OU
- August 29th: All certificates (including re-issues) will no longer include OU
What effects will it have?
It is important to note that previously issued TLS Certificates containing the OU-field will *not* be impacted by this change at all. They will remain trusted until expiration.
Unless your organization has built out processes that rely on this as a custom input field, it should not adversely affect you at all. On the contrary, this change will simplify the vetting process and help us provide fully validated OV and EV certificates even faster than we do today.
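To judge whether any process relies on the field, it helps to know which certificates still carry it and when they expire. The following is an added example, not part of the original article or any CA's tooling: it extracts OU values from subject strings in the RFC 2253 form printed by `openssl x509 -noout -subject -nameopt RFC2253`, without being fooled by escaped commas. The inventory, hostnames and dates are constructed sample data, and the function names are hypothetical.

```python
import re
from datetime import date

# Constructed sample inventory (not real certificates): host, subject in the
# RFC 2253 form printed by openssl with -nameopt RFC2253, and notAfter date.
INVENTORY = [
    ("www.example.com", r"CN=www.example.com,OU=IT,O=Example\, Inc.,C=US", date(2023, 3, 1)),
    ("api.example.com", r"CN=api.example.com,O=Example\, Inc.,C=US", date(2023, 6, 1)),
    ("pay.example.com", r"CN=pay.example.com,OU=Payments+OU=PCI,O=Example\, Inc.,C=US", date(2022, 11, 15)),
    ("old.example.com", r"CN=old.example.com,O=ACME\, OU=Fake,C=SE", date(2022, 10, 1)),
]

def split_unescaped(s, sep):
    """Split s on sep, skipping separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape pair intact
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def ou_values(subject):
    """Return every OU attribute value found in an RFC 2253 subject string."""
    found = []
    for rdn in split_unescaped(subject, ","):
        for ava in split_unescaped(rdn, "+"):        # multi-valued RDN
            attr, _, value = ava.partition("=")
            if attr.strip().upper() in ("OU", "2.5.4.11"):
                # Undo single-character escapes; hex escapes are left as-is.
                found.append(re.sub(r'\\([,+"\\<>;=# ])', r"\1", value))
    return found

def ou_report(inventory):
    """Certificates that still carry an OU, soonest expiry first."""
    rows = [(not_after, host, ou_values(subj)) for host, subj, not_after in inventory]
    return sorted(r for r in rows if r[2])

if __name__ == "__main__":
    for not_after, host, ous in ou_report(INVENTORY):
        print(f"{host}: OU={ous} present until {not_after} or the next re-issue")
```

The `old.example.com` entry shows why a plain text search for `OU=` is not enough: its organization name contains that string, yet the subject has no OU attribute.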