September 2020
DigiCert SSL Advisory: Retiring the OU field for public TLS certificates on August 31
The Organizational Unit (OU) field will no longer be allowed in public TLS certificates starting August 31 across DigiCert platforms and APIs.
The OU field is an optional field used to enter metadata in a certificate. Typically, customers use this field to indicate a department, service, or location using a certificate, such as “Dev Ops Team” or “Fortinet Firewall 002.” However, this field has complex limitations and cannot contain trademarks. DigiCert has observed a number of customers entering noncompliant information in the OU field.
DigiCert is disabling this field for all platforms and customers starting August 31. This is a proactive measure, and other CAs are taking similar steps.
- This will affect new, reissued, and renewed certificates.
- The OU field will be ignored and always issued blank.
Many customers use the OU field without fully understanding its purpose, or believe it is required. Because of the strict validation requirements, the field is a common cause of validation delays. For those customers, this change removes an unintended validation speed bump.
IMPACT SUMMARY:
- On August 31, DigiCert will turn off the Organizational Unit (OU) field for public TLS/SSL certificates for all customers. Other types of certificates are not affected.
- Existing certificates with OUs are not affected (do not require revocation or replacement).
For more information, see the DigiCert Knowledge Base article.
2-year certificate availability ends
On September 1, all Certificate Authorities are required to stop issuing 2-year TLS/SSL certificates. The new industry-allowed maximum validity will be 1 year (398 days). DigiCert is limiting the maximum certificate validity to 397 days to account for differences in time zones.
This change applies to all publicly trusted TLS/SSL certificates. Any pending 2-year orders that have not been issued by August 27 will convert to a 2-year Multi-year Plan and the initial certificate will be issued with a validity of 397 days.
For more information, see the DigiCert Knowledge Base article.
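One way to find which certificates in an inventory will change on their next reissue or renewal under both notices above (OU dropped, validity capped at 397 days). This is an added example, not DigiCert code; it assumes certificates are available as dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the two sample records and the `audit` helper are constructed for illustration.

```python
import ssl

MAX_VALIDITY_DAYS = 397             # DigiCert's stated maximum validity
OU_KEY = "organizationalUnitName"   # subject key name used by getpeercert()


def subject_ous(cert):
    """Return every OU value found in the certificate subject."""
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == OU_KEY]


def validity_days(cert):
    """Validity period in days, computed from notBefore and notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def audit(cert):
    """List what will differ when this certificate is reissued or renewed."""
    findings = []
    ous = subject_ous(cert)
    if ous:
        findings.append(f"OU {ous} will be issued blank")
    days = validity_days(cert)
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity of {days:.0f} days exceeds {MAX_VALIDITY_DAYS}")
    return findings


# Constructed sample records (not real certificates).
LEGACY_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("organizationalUnitName", "Dev Ops Team"),),
                (("commonName", "legacy.example.com"),)),
    "notBefore": "Mar  2 00:00:00 2020 GMT",
    "notAfter": "Mar  2 12:00:00 2022 GMT",
}
CURRENT_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "notBefore": "Sep  1 00:00:00 2020 GMT",
    "notAfter": "Oct  3 00:00:00 2021 GMT",
}

if __name__ == "__main__":
    for cert in (LEGACY_CERT, CURRENT_CERT):
        print(audit(cert) or "no change expected")
```

Findings are informational only: as stated above, existing certificates with OUs do not require revocation or replacement.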