Types of SSL Certificates: DV, OV, EV, Wildcard

SSL certificates come in several types that differ by validation level, coverage, and cost. Choosing the right type depends on your site's purpose and the assurance you need to give visitors.


Not all SSL certificates are created equal. While every certificate enables HTTPS encryption, they differ significantly in how thoroughly the issuing Certificate Authority verifies the applicant's identity, how many domains they cover, and what they cost. Choosing the right certificate type for your use case ensures visitors get the appropriate level of trust assurance without overpaying.

The Three Validation Levels

The most fundamental distinction between certificate types is the validation level — how much the Certificate Authority checks about the organisation requesting the certificate. There are three standard levels defined by the CA/Browser Forum baseline requirements.

Domain Validation (DV) Certificates

A Domain Validation (DV) certificate is the most basic type. The CA only verifies that the applicant has control over the domain name — nothing more. Validation is automated and typically takes minutes. The CA proves domain control by one of three methods:

  • DNS challenge — the applicant adds a specific TXT record to their DNS zone.
  • HTTP challenge — the applicant places a specific file at a known URL on the web server.
  • Email challenge — the CA sends a confirmation email to a standard administrative address for the domain.

DV certificates provide the same strength of encryption as OV or EV certificates. The difference is identity assurance: a DV certificate proves the server controls the domain, but says nothing about who or what organisation operates it.

Let's Encrypt Issues DV Certificates

Let's Encrypt is a free, automated, open CA that exclusively issues DV certificates. It has issued billions of certificates and now secures the majority of HTTPS sites on the internet. For blogs, portfolios, small businesses, and developer tools, a free Let's Encrypt DV certificate is entirely sufficient.

Organisation Validation (OV) Certificates

Organisation Validation (OV) certificates require the CA to verify not just domain control, but also the legal existence of the organisation applying for the certificate. The CA checks:

  • The organisation's legal name and registration documents.
  • The organisation's verified physical address.
  • A working phone number for the organisation.
  • That the person requesting the certificate is authorised to act on behalf of the organisation.

The verified organisation name appears in the certificate's Subject field, which technically savvy users can inspect. OV certificates are appropriate for business websites, non-profit organisations, and government entities that want to provide additional identity assurance.

Extended Validation (EV) Certificates

Extended Validation (EV) certificates apply the most rigorous identity checks, governed by detailed EV Guidelines from the CA/Browser Forum. In addition to all OV checks, the CA must verify:

  • The organisation's legal jurisdiction of incorporation.
  • The organisation's operational existence (it has been in business for at least three years, or provides additional documentation).
  • The organisation's full legal name, physical address, and phone number through independent third-party sources.
  • That the organisation has exclusive rights to use the domain name.

Historically, browsers displayed the organisation's verified name in a green address bar for EV certificates. Major browsers (Chrome, Firefox, Safari) have removed this visual indicator, arguing it did not effectively prevent phishing. EV certificates remain used by banks, financial institutions, and major e-commerce sites as an additional layer of organisational credibility.
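The Python snippet below is an added example, not part of the original article. It turns the three validation levels into a check by classifying a certificate as DV, OV or EV from the identity attributes present in its Subject, in the format Python's ssl.SSLSocket.getpeercert() returns; the attribute-name set used as the EV marker and the three sample subjects are this example's own assumptions, and the authoritative marker (the CA/Browser Forum certificate policy OID) is not exposed by getpeercert(), so treat the result as a heuristic.

```python
"""Classify a certificate's validation level (DV / OV / EV) from its Subject.

Input is the subject as ssl.SSLSocket.getpeercert() returns it: nested RDN
tuples using OpenSSL's long attribute names. Sample subjects are constructed.
"""
import socket
import ssl

# Attributes the EV Guidelines require in the Subject but OV does not:
# jurisdiction of incorporation, business category, registration number.
EV_ONLY_ATTRS = {"businessCategory", "serialNumber", "jurisdictionCountryName",
                 "jurisdictionStateOrProvinceName", "jurisdictionLocalityName"}

def flatten_subject(subject):
    """Turn getpeercert()'s nested RDN tuples into a flat {attr: value} dict."""
    return {attr: value for rdn in subject for attr, value in rdn}

def validation_level(subject):
    """Return 'DV', 'OV' or 'EV' by the identity attributes the subject carries."""
    attrs = flatten_subject(subject)
    if "organizationName" not in attrs:
        return "DV"          # domain control only: no organisation identity
    if EV_ONLY_ATTRS & attrs.keys():
        return "EV"          # organisation plus incorporation details
    return "OV"              # organisation name verified, nothing more

def live_validation_level(host, port=443):
    """Classify the certificate a live server presents (network required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return validation_level(tls.getpeercert()["subject"])

# Constructed sample subjects, one per validation level.
DV_SUBJECT = ((("commonName", "example.com"),),)
OV_SUBJECT = ((("countryName", "GB"),),
              (("organizationName", "Example Ltd"),),
              (("commonName", "www.example.com"),))
EV_SUBJECT = ((("businessCategory", "Private Organization"),),
              (("jurisdictionCountryName", "GB"),),
              (("serialNumber", "12345678"),),
              (("countryName", "GB"),),
              (("organizationName", "Example Ltd"),),
              (("commonName", "www.example.com"),))

if __name__ == "__main__":
    for level, subj in (("DV", DV_SUBJECT), ("OV", OV_SUBJECT), ("EV", EV_SUBJECT)):
        print(level, "->", validation_level(subj))
```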

| Type | Validation | Issuance Time | Typical Cost | Use Case |
|---|---|---|---|---|
| DV | Domain control only | Minutes | Free – ~$50/yr | Personal sites, blogs, APIs, startups |
| OV | Organisation verified | 1–3 days | $50 – $300/yr | Business sites, non-profits |
| EV | Extended legal checks | 3–7 days | $200 – $800/yr | Banks, e-commerce, financial services |
| Wildcard DV | Domain control only | Minutes | Free – $150/yr | Multiple subdomains on one domain |
| Multi-domain SAN | DV / OV / EV | Varies | $100 – $600/yr | Multiple distinct domain names |

Wildcard Certificates

A wildcard certificate uses an asterisk (*) as the leftmost label in the domain name to cover an unlimited number of direct subdomains with a single certificate. For example, *.example.com covers:

  • www.example.com
  • mail.example.com
  • app.example.com
  • api.example.com

However, a wildcard does not cover the apex domain (example.com) or deeper subdomains (dev.app.example.com). Most wildcard certificates include the apex domain as a SAN entry to address the first limitation.

Wildcard Security Considerations

Because a wildcard certificate covers all subdomains, a compromise of the certificate's private key exposes all of them simultaneously. For high-security environments, separate certificates per subdomain provide better isolation. Note also that Let's Encrypt issues wildcard certificates only via the DNS-01 challenge — the HTTP challenge cannot be used for wildcards.

Multi-Domain / SAN Certificates

Subject Alternative Name (SAN) certificates, also called multi-domain certificates, can cover multiple distinct domain names in a single certificate using the X.509 SAN extension. A single SAN certificate might cover:

  • example.com and www.example.com
  • example.net and example.co.uk
  • shop.example.com and blog.example.com

SAN certificates are useful for organisations managing multiple brand domains or consolidating certificates for easier management. Most commercial CAs allow 100 or more SANs per certificate.

```bash
# Check what domains a certificate covers
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
  | openssl x509 -noout -ext subjectAltName

# Obtain a wildcard certificate with Let's Encrypt (requires DNS-01 challenge)
certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d "example.com"
```

Free Certificates vs. Paid Certificates

The key differences between free and paid certificates are validation level and support, not encryption strength:

  • Free (Let's Encrypt) — DV only, 90-day validity, automated renewal via ACME protocol, no warranty, community support. Sufficient for the vast majority of websites.
  • Paid DV — Longer validity (up to 1 year), commercial support, some include a financial warranty (rarely meaningful in practice).
  • Paid OV / EV — Verified organisation identity in the certificate, required for certain compliance frameworks, commercial SLA-backed support.

```bash
# Install a free DV certificate for one or multiple domains
certbot --nginx -d example.com -d www.example.com

# Renew all certificates automatically
certbot renew --dry-run

# Check certificate type and issuer
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
  | openssl x509 -noout -issuer -subject
```

When to Upgrade Beyond DV

For most websites, a free DV certificate from Let's Encrypt is the right choice. Consider upgrading when:

  • Your site handles financial transactions and you want the organisational identity assurance of OV or EV.
  • Regulatory or compliance requirements (PCI DSS, some government frameworks) mandate OV or EV certificates.
  • You need a wildcard that must be managed manually (some corporate environments do not support the ACME automation needed for Let's Encrypt wildcards).
  • You require a certificate with a commercial warranty for contractual or insurance purposes.

Verify Any Certificate Instantly

Use the ShowDNS SSL Checker to inspect the certificate type, validation level, issuer, expiry date, and covered domains for any website in seconds.

Frequently Asked Questions

Is a free Let's Encrypt certificate as secure as a paid one?

Yes, for encryption strength. The cryptographic algorithms and key sizes used by Let's Encrypt are identical to those used by paid commercial CAs. The difference is validation level — Let's Encrypt only offers DV, which verifies domain control but not organisational identity. For the majority of websites, this is completely sufficient.

Can I use one wildcard certificate for all my subdomains?

A wildcard certificate covers one level of subdomains under a single domain. *.example.com covers app.example.com but not api.app.example.com. If you need to cover deeper subdomains, you need either additional certificates or a SAN certificate that explicitly lists each one.
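The following Python snippet is an added example, not code from the original article, serving the Wildcard Certificates and Multi-Domain / SAN sections as well as this answer. It implements the coverage rules those passages state as a name-matching function you can run against any SAN list; the two SAN lists it carries are constructed samples.

```python
"""Decide whether a hostname is covered by a certificate's SAN list.

Implements the coverage rules for wildcard and multi-domain certificates: a
'*' is honoured only as the whole leftmost label, it stands for exactly one
label (so *.example.com covers app.example.com but neither example.com nor
api.app.example.com), and every other entry must match exactly.
The SAN lists below are constructed samples, not real certificates.
"""

def _norm(name):
    # DNS names are case-insensitive; drop a trailing dot from an FQDN.
    return name.lower().rstrip(".")

def san_matches(san, hostname):
    """True if a single dNSName SAN entry covers hostname."""
    san, hostname = _norm(san), _norm(hostname)
    if not san.startswith("*."):
        return san == hostname       # plain entry (or partial wildcard): exact only
    suffix = san[1:]                 # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    # Exactly one non-empty label may stand in for '*': an empty prefix would
    # be the apex domain, a dotted one a deeper subdomain.
    return bool(leftmost) and "." not in leftmost

def covered_by(hostname, sans):
    """Return the SAN entry that covers hostname, or None if none does."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None

# Constructed SAN list of a typical wildcard certificate: the wildcard plus the
# apex domain listed explicitly, as the article notes most CAs do.
WILDCARD_CERT_SANS = ["*.example.com", "example.com"]
# Constructed SAN list of a multi-domain (SAN) certificate.
MULTI_DOMAIN_SANS = ["example.com", "www.example.com", "example.net",
                     "shop.example.com", "blog.example.com"]

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "dev.app.example.com", "example.net"):
        print(f"{host:22} wildcard cert -> {covered_by(host, WILDCARD_CERT_SANS)}")
```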

How many domains can a SAN certificate cover?

The technical limit is 100 SANs per certificate, though some CAs allow more. Let's Encrypt allows up to 100 SANs per certificate. Each additional domain beyond the base price typically incurs additional cost from commercial CAs.

Do EV certificates still show a green bar in browsers?

No. Google Chrome removed the green extended validation indicator in 2019; Firefox and Safari followed. The motivation was research showing users did not understand or act on the indicator, and it did not prevent phishing effectively. The certificate still contains verified organisation information visible in the certificate details panel, but there is no prominent visual distinction in the address bar.

What is the maximum validity period for an SSL certificate?

As of September 2020, the CA/Browser Forum requires that publicly trusted SSL/TLS certificates be valid for no more than 398 days. Let's Encrypt certificates are valid for 90 days. The industry is moving toward even shorter lifetimes to improve security through faster key rotation.