Restrictions on data entries for public certificates
For publicly trusted certificates, industry standards — including the CA/Browser Forum Baseline Requirements and RFC 5280 — require certificate data entries to meet specific criteria. Entering values that violate these standards prevents DigiCert from issuing the certificate.
Organization unit value violations
Important
The Organizational Unit (OU) field has been deprecated for public TLS/SSL certificates. The OU field no longer appears on certificate order forms and is ignored in API requests. For more information, see DigiCert will deprecate the Organizational Unit field.
The organization unit (OU) field is not required for publicly trusted certificates. When a value is provided, DigiCert must validate it. The Baseline Requirements prohibit an OU value that is, or appears to be, non-applicable placeholder data.
The following values entered alone in the OU field are not valid and will cause issuance to fail:
| Value | Description |
|---|---|
| - | Hyphen |
| Space | |
| . | Period |
| ? | Question mark |
| na | Not applicable |
| NA | Not applicable |
Notice
A hyphen entered alone in the OU field is invalid. However, an organization name that includes a hyphen — for example, Dev-Ops — is valid and can be validated.
64-character maximum limit violations
The following certificate values cannot exceed 64 characters including spaces:
Common name: the subject alternative names (SANs) value does not have the same 64-character restriction. SANs on a multi-domain certificate order can exceed 64 characters.
Organization: if the organization uses an assumed name and the certificate requires extended validation (EV), confirm that the combined organization name and assumed name do not exceed 64 characters including spaces.
Street 1
Street 2
City
State
Postal code
Use of underscores violations
Underscores are not permitted in subject common names or subject alternative names (SANs) for publicly trusted certificates. DigiCert only issues certificates for domains and subdomains using the following characters:
Lowercase letters a–z
Uppercase letters A–Z
Digits 0–9
Period (.) and hyphen (-)
Important
Underscores are currently permitted in other certificate values such as organization units and organization names. Industry standards are being re-evaluated and may require removal of underscores from these values in the future.
Use of double dashes violations
CA/Browser Forum Ballot 202 prohibits CAs from issuing public TLS/SSL certificates with invalid internationalized domain names. Double dashes (--) in the third and fourth characters of a domain name are not permitted unless preceded by the letters xn (for example, xn--example.com).
| Domain | Allowed |
|---|---|
| | No |
| | No |
| | Yes |
| | Yes |
What's next
Configure certificate profiles to apply certificate profile settings that enforce data entry standards across your account.