Public certificates – Data entries that violate industry standards

Baseline requirements and RFC 5280 Violations

For publicly trusted certificates, industry standards (baseline requirements and RFC 5280) require data entries meet certain criteria. Violating these standards when ordering a certificate prevents a Certificate Authority (CA) from issuing the certificate.

Organization unit value violation

For publicly trusted certificates, the organization unit value is not a required value (field). According to baseline requirements, Certificate Authorities (CAs) are only required to validate the organization unit value, when a value is provided. If you leave this field blank (do not provide an organization unit value), CAs are instructed not to include the field in the certificate.

Baseline requirements also prohibit this value from being or appearing to be "junk" data or indicators of non-applicability (na, ?, etc.), which helps keep certificates smaller. By keeping certificates smaller, this ensures TLS remains accessible to a greater range of users and site operators.

The list below contains some of the characters that if entered by themselves in the organization unit field do not represent a valid organization unit value.

  • "-" (Hyphen)
  • " " (Space)
  • "." (Period)
  • "?" (Question mark)
  • "na" (Not applicable)
  • "NA" (Not applicable)

If you only put a hyphen in the organization unit field, a CA will be unable to validate the value. However, if you enter an organization name that includes a hyphen in it (for example, Dev-Ops), this hyphen does not prevent a CA from validating your organization unit value.

64-character maximum limit violation

For publicly trusted certificates, we cannot allow these values (data entries) to exceed the 64-maximum character limit, including spaces:

  • Common Name
    We cannot allow the common name value to exceed the 64-character limit. However, the subject alternative names (SANs) value does not have the same character length restrictions as the common name value. The SANs included in a certificate order (for example, in a Multi- Domain SSL Certificate order) can be greater than 64 characters.
  • Organization
    Does the organization include an assumed name? And, you are planning to validate that organization for extended validation (EV) certificates?
    Then, make sure the organization name + assumed name values do not exceed 64 characters, including spaces.
  • Street 1
  • Street 2
  • City
  • State
  • Postal Code

Use of underscores violation

For publicly trusted certificates, we can no longer allow use of underscores ( _ ) in:

  • Subject Common Name
  • Subject Alternative Name (SAN)

As of October 1, 2018, we can only issue certificates for domains and subdomains using:

  • Lowercase letters a–z
  • Uppercase letters A–Z
  • Digits 0–9
  • Special characters: period (.) and hyphen (‐)

Currently, you can include underscores in other certificate values, such as organization unit and organization names. However, the use of the underscore in these values is being reevaluated. Industry standards may change and require you to remove the underscores from those values too.

About

DigiCert is the world’s premier provider of high—assurance digital certificates—providing trusted SSL, private and managed PKI deployments, and device certificates for the emerging IoT market. Since our founding almost fifteen years ago, we’ve been driven by the idea of finding a better way. A better way to provide authentication on the internet. A better way to tailor solutions to our customer’s needs. Now, we’ve added Symantec’s experience and talent to our legacy of innovation to find a better way to lead the industry forward, and build greater trust in identity and digital interactions.

©2019 DigiCert, Inc. All rights reserved. DigiCert and its logo are registered trademarks of DigiCert, Inc. Symantec and Norton and their logos are trademarks used under license from Symantec Corporation. Other names may be trademarks of their respective owners.