Baseline requirements and RFC 5280 violations

Industry standards prevent Certificate Authorities (CAs) from issuing a publicly trusted certificate if specific fields in the certificate (such as the common name) don't comply with the criteria specified for the field value as documented in the baseline requirements and RFC 5280.

64 Maximum Character Limit Violation

Industry standards prevent Certificate Authorities (CAs) from issuing a publicly trusted certificate if any of the values listed below exceed the 64 maximum character limit. Character count includes spaces.

  • Common Name

    The 64 maximum character limit doesn't apply to subject alternative name (SAN) values. SANs included in a certificate order may exceed 64 characters.

  • Organization

    For EV certificates, the assumed name is included in the organization character count. The character count for the organization name + the assumed name can't exceed the 64 maximum character limit. Character count includes spaces.

  • Organization Unit (OU)

    This is not a required value. However, if you include an organization unit in your certificate, it can't exceed the 64 maximum character limit. When you include multiple Organization Units (OUs) in a certificate, the 64 maximum character limit is applied to each OU value individually.

  • Street 1

  • Street 2

  • City

  • State

  • Postal Code

Organization Unit Value Violation

When you order a certificate, you aren't required to include an organization unit (OU). Adding one is completely optional (you can leave this field blank). However, if you include an OU, industry standards require Certificate Authorities (CAs) to validate that value before issuing your certificate (see baseline requirements).

Because the field is optional and the industry doesn't want junk information included in the certificate, baseline requirements prohibit this value from being or appearing to be "junk" data or indicators of non-applicability (na, ?, etc.). This requirement helps keep certificates smaller, which in turn helps ensure SSL/TLS remains accessible to a greater range of users and site operators.

The list below contains some of the characters that, when entered by themselves in the organization unit field, do not represent a valid OU value. For example, if you add a hyphen in the organization unit field, a CA can't validate the value. However, if you enter an organization unit name that includes a hyphen, such as Dev-Ops, this hyphen does not prevent a CA from validating your organization unit value.

  • "-" (Hyphen)

  • " " (Space)

  • "." (Period)

  • "?" (Question mark)

  • "na" (Not applicable)

  • "NA" (Not applicable)

Use of Underscores Violation

For publicly trusted certificates, CAs can no longer allow the use of underscores ( _ ) in:

  • Subject Common Name

  • Subject Alternative Name (SAN)

As of October 1, 2018, CAs can only issue certificates for domains and subdomains using:

  • Lowercase letters a–z

  • Uppercase letters A–Z

  • Digits 0–9

  • Special characters: period (.) and hyphen (-)

Important: Currently, you can include underscores in other certificate values, such as organization unit and organization names (if part of the legally registered name). However, the use of the underscore in these values is being reevaluated. Industry standards may change and require you to remove the underscores from those values too.

API Codes and Messages

The codes and messages in the table below are returned for an organization, a domain, an organization unit, or an order when one or more field values don't comply with industry standards (RFC 5280). See the Errors page in our online CertCentral Services API documentation.

Error Codes and Messages

Code                             Message
rfc5280_common_name_invalid      Domain name is either too long or contains invalid characters according to industry standards.
rfc5280_common_name_too_long     Common name must be less than 64 characters in order to be compliant with industry standards.
rfc5280_org_unit_too_long        Organization units must be less than 64 characters in order to be compliant with industry standards.
rfc5280_org_name_too_long        Organization name total length (including Assumed Name for EV certificates) must be less than 64 characters in order to be compliant with industry standards.
rfc5280_address_field_too_long   Address fields must be less than 64 characters in order to be compliant with industry standards.
rfc5280_org_unit_invalid         The org unit field contains an invalid value according to industry standards.
rfc5280_org_invalid              One or more fields on the organization contains invalid values according to industry standards.

Example JSON Response

{
    "errors": [
        {
            "code": "rfc5280_common_name_too_long",
            "message": "Common name must be less than 64 characters in order to be compliant with industry standards."
        }
    ]
}
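The following pre-submission check, added here as an example and not DigiCert's own code, applies the rules above (64-character limits, junk OU values, the underscore and character restrictions) to an order and returns errors in the shape of the JSON response. The order field names (common_name, sans, organization, assumed_name, org_units, street1, street2, city, state, postal_code) are assumed; the error codes and messages are those in the table.

```python
import re

MAX_LEN = 64  # RFC 5280 upper bound for these subject attributes; spaces count
# Placeholder OU values the page lists as invalid (hyphen, space, period, ?, na, NA)
JUNK_OU = {"", "-", ".", "?", "na", "NA"}
# Domain names may use letters, digits, period and hyphen only (no underscore)
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")
ADDRESS_FIELDS = ("street1", "street2", "city", "state", "postal_code")

# Codes and messages taken from the table on this page
MESSAGES = {
    "rfc5280_common_name_invalid": "Domain name is either too long or contains invalid characters according to industry standards.",
    "rfc5280_common_name_too_long": "Common name must be less than 64 characters in order to be compliant with industry standards.",
    "rfc5280_org_unit_too_long": "Organization units must be less than 64 characters in order to be compliant with industry standards.",
    "rfc5280_org_name_too_long": "Organization name total length (including Assumed Name for EV certificates) must be less than 64 characters in order to be compliant with industry standards.",
    "rfc5280_address_field_too_long": "Address fields must be less than 64 characters in order to be compliant with industry standards.",
    "rfc5280_org_unit_invalid": "The org unit field contains an invalid value according to industry standards.",
}

def check_order(order):
    """Return the list of {"code", "message"} errors for an order dict; [] when compliant.
    Field names in `order` are assumed, not CertCentral's documented request schema."""
    codes = []
    cn = order.get("common_name", "")
    if len(cn) > MAX_LEN:           # 64 is the limit; 65 or more violates it
        codes.append("rfc5280_common_name_too_long")
    elif not DOMAIN_RE.match(cn):   # catches underscores and other disallowed characters
        codes.append("rfc5280_common_name_invalid")

    # SANs have no 64-character cap but follow the same character rules. The page lists
    # no SAN-specific code, so the domain-name code is reused here (assumption).
    if any(not DOMAIN_RE.match(san) for san in order.get("sans", [])):
        codes.append("rfc5280_common_name_invalid")

    # EV: organization name and assumed name share a single 64-character budget
    if len(order.get("organization", "")) + len(order.get("assumed_name", "")) > MAX_LEN:
        codes.append("rfc5280_org_name_too_long")

    for ou in order.get("org_units", []):   # the limit applies to each OU separately
        if len(ou) > MAX_LEN:
            codes.append("rfc5280_org_unit_too_long")
        elif ou.strip() in JUNK_OU:         # lone "-", ".", "?", "na", "NA" or only spaces
            codes.append("rfc5280_org_unit_invalid")

    if any(len(order.get(f, "")) > MAX_LEN for f in ADDRESS_FIELDS):
        codes.append("rfc5280_address_field_too_long")

    # dict.fromkeys removes duplicate codes while keeping first-seen order
    return [{"code": c, "message": MESSAGES[c]} for c in dict.fromkeys(codes)]
```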