Since Netscape's introduction of SSL in 1994, digital certificates have grown along with the Web. Through trial and error, innovation, and tweaking, SSL certificates have continually evolved to meet the most stringent security requirements.
Reducing the SSL certificate validity period to one year and removing the green address bar from Extended Validation certificates are just a few of the recent changes the CA/Browser Forum has made to stay ahead of cyber threats and make digital encryption more predictable. In the world of certificate authorities, change is the only constant.
The Organizational Unit (OU) field isn’t something you’d immediately associate with SSL security, especially since it’s been part of the SSL ordering process since the beginning. But now the OU field’s time is coming to an end, and CAs will remove it by the end of August 2022. So what’s behind the removal of the seemingly benign field? To get the full picture, let’s look at what the OU field’s original purpose was.
Organizational Unit Fields - A Brief Overview
Every time you order an SSL certificate, you must generate a Certificate Signing Request (CSR) and fill in fields with your contact information as part of the verification process. The CSR includes information about your company, country of residence, and the domain name you want to secure. Among the fields you must fill in is the Organizational Unit field. You can enter almost anything here, which is what makes it vague and misleading.
The OU field was originally intended to act as a placeholder field where companies could place relevant data about the certificate and how it should be used. It is common practice to include reference data for billing purposes so that the finance department knows who purchased the certificate.

If you were to follow this example, you would write something like “IT” or “Security” in the OU field. But there’s nothing stopping you from entering anything, from country names to cartoon characters. If your company’s headquarters are in the U.S., but your certificates are managed by an international subsidiary, you might write something like “France” or “overseas.” This is where the OU field’s ambiguity can confuse users.
Let's say one of your company's customers is Delta Air Lines. If you included it in the OU field, some users would think the certificate belonged to Delta Air Lines, not your organization. While this example may seem extreme, the optional nature of the OU field makes it prone to confusion and misinterpretation—things that are unacceptable in today's cybersecurity landscape.
Potential security loopholes
SSL certificates are now a requirement for all types of websites. Companies use hundreds of certificates to meet their security needs, but not all follow best practices for SSL management. According to a report by Detectify Labs, using these certificates comes with risks that “may result in company data being exposed or compromised by malicious actors.”
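An added example (not part of the original post): a standard-library Python check that finds which certificate subjects in an inventory still carry an OU value, so they can be re-issued without it. It assumes subjects are exported as RFC 4514 strings (for instance with `openssl x509 -noout -subject -nameopt RFC2253`); the function names and sample subjects are constructed for illustration.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, skipping separators that are backslash-escaped."""
    return re.findall(r"(?:\\.|[^\\%s])+" % re.escape(sep), text)

def unescape(value):
    """Undo RFC 4514 escaping: \\XX hex pairs (UTF-8 bytes) and \\<char>."""
    def repl(match):
        token = match.group(1)
        return bytes([int(token, 16)]) if len(token) == 2 else token
    raw = re.sub(rb"\\([0-9A-Fa-f]{2}|.)", repl, value.encode())
    return raw.decode("utf-8", "replace")

def ou_values(subject):
    """Return every OU value in a subject DN, including multi-valued RDNs."""
    found = []
    for rdn in split_unescaped(subject, ","):
        for ava in split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")
            if attr.strip().upper() == "OU":
                found.append(unescape(value))
    return found

def audit(subjects):
    """Map each subject that still carries an OU to its OU values."""
    return {s: ous for s in subjects if (ous := ou_values(s))}

# Constructed sample subjects (assumptions, not taken from the page).
SAMPLES = [
    "CN=www.example.com,OU=IT,O=Example Corp,C=US",
    "CN=shop.example.com,O=Example Corp,C=US",
    r"CN=api.example.com,OU=Billing\, Ref 42+OU=France,O=Example Corp,C=US",
    # "OU=" text inside an escaped CN value must not be reported as an OU.
    r"CN=a\,OU=fake,O=Example Corp,C=US",
]

if __name__ == "__main__":
    for subject, ous in audit(SAMPLES).items():
        print(f"re-issue without OU: {subject} -> {ous}")
```
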