Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2016-07-05 16:06:56.0

What are the special requirements for Organizational Units (OUs) to be compliant?

Article Number: 46342


What are the special requirements for Organizational Units (OUs) to be compliant?


The CAB Forum has released the Baseline Requirements and the public CAs issuing SSL certificates must become compliant. One of the Baseline Requirements is to verify the Organization Unit (OU). The requirement is as follow:

The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, trade name, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 11.2 (Verification of Subject Identity Information).

In other words, the OU must be verified so that it does not mislead the end user to think that they are dealing with the wrong certificate holder. An example would be an organization using a name such PayPal for their OU may look like this: O=Secure Payments, Inc.; OU=PayPal. This may mislead an end user to think that they are dealing with PayPal.

Verification of an OU should be simple. The idea was that an OU would just be a department of the organization. OUs such as IT, Marketing, Human Resources, and R&D are acceptable and do not mislead the end user. The problem is that some certificate users define their OU by who the server is interfacing or with some undefined acronym that looks very similar to an acronym used by another company.

In order to simply OU verification, Entrust offers the following guidelines:

  • Prefix the OU with your organization name or recognized acronym
  • Use natural language names such as Human Resources or Sales
  • Use numerics
  • Only use trade style, trademarks or DBA that have been registered by the organization
  • Don’t use personal names
  • Don’t use uncommon acronyms


If a requested OU is ambiguous and may be conceived as misleading to an end user, then it cannot be verified per the requirements and will be rejected.

If there are any questions, please contact Entrust Certificate Services Support at Entrust SSL Support: https://www.entrust.net/customer_support/contact.cfm.


Affected Products:

  • Entrust Certificate Services Additional Organization Names Version Not Applicable Language Not Applicable Platform Not Applicable