Alert ID : GN050618142152

Last Modified : 04/24/2019

New Organizational Unit (OU) validation process

Description

New OU validation process

As a CA, DigiCert is required to validate the OU value in Public TLS certificates before we issue them. From the CA/B Forum Baseline Requirements documentation:

“The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 11. This field MUST NOT contain only metadata such as ‘.’, ‘-’, and ‘ ’ (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable.”

 

Note: The OU field is optional. A certificate request does not need to include an organizational unit.

If your CSR contains an OU value that has never been validated by our authentication team, your request will stay in a pending queue until it is approved.
When our validation team approves an OU value, it is added to a whitelist. Future requests with a whitelisted OU value are not held for review.


What should you do when OU validation fails?

Our validation team proactively reviews and approves pending OU values.


How quickly does DigiCert check the pending OU values?

DigiCert promptly checks pending OU values to avoid delaying certificate issuance.


How are you notified when OU validation fails?

You can download the certificate and check if the OU value is included in the cert profile.


Is the OU whitelist matching case sensitive?

No, it’s not case sensitive. For example, when “IT Department” OU is approved and added to the whitelist, you can get a certificate with “it department” as the OU instantly.


What happens when your CSR contains an OU that was already rejected?

Your request is approved instantly, but the certificate doesn’t contain an OU value.


Can you pre-check whether the OU value in a CSR is already approved or rejected?

No, you can’t.
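
As the answers above state, a rejected OU is left out of the issued certificate while the request itself is still approved, so the only way to notice is to inspect the downloaded certificate. The following added example (not DigiCert code) compares the OU values requested in a CSR with those in the issued certificate, working on RFC 2253 subject strings. The sample subjects, the function names and the case-insensitive comparison are assumptions made for illustration.

```python
import re

# Constructed sample subjects in RFC 2253 string form (for example as printed
# by `openssl x509 -noout -subject -nameopt RFC2253`, minus the "subject=").
CSR_SUBJECT = r"CN=www.example.com,OU=it department,OU=-,O=Example\, Inc.,C=US"
ISSUED_WITH_OU = r"CN=www.example.com,OU=IT Department,O=Example\, Inc.,C=US"
ISSUED_NO_OU = r"CN=www.example.com,O=Example\, Inc.,C=US"

# Only '.', '-' and spaces: the literal "metadata only" case quoted from the
# Baseline Requirements. Other "not applicable" markers are not detected here.
METADATA_ONLY = re.compile(r"[.\- ]*")
HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")

def parse_subject(dn):
    """Split an RFC 2253 subject into (type, value) pairs, honoring escapes."""
    attrs, buf, i = [], bytearray(), 0
    def flush():
        key, _, value = buf.decode("utf-8", "replace").partition("=")
        attrs.append((key.strip().upper(), value))
        buf.clear()
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if HEXPAIR.fullmatch(dn[i + 1:i + 3]):      # \HH escaped byte
                buf.append(int(dn[i + 1:i + 3], 16)); i += 3
            else:                                        # \, \+ \" \\ ...
                buf += dn[i + 1].encode("utf-8"); i += 2
        elif ch in ",+":                                 # unescaped separator
            flush(); i += 1
        else:
            buf += ch.encode("utf-8"); i += 1
    flush()
    return attrs

def ou_report(csr_subject, cert_subject):
    """Classify each OU requested in the CSR against the issued certificate."""
    # Assumption: compare case-insensitively, as the whitelist matching does.
    issued = {v.casefold() for k, v in parse_subject(cert_subject) if k == "OU"}
    report = {"present": [], "dropped": [], "metadata_only": []}
    for key, value in parse_subject(csr_subject):
        if key != "OU":
            continue
        if METADATA_ONLY.fullmatch(value):
            report["metadata_only"].append(value)
        elif value.casefold() in issued:
            report["present"].append(value)
        else:
            report["dropped"].append(value)
    return report
```

A non-empty `dropped` list means the certificate was issued without an OU that the CSR requested.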