SSL Certificate Types at a Glance
| Type | Validation Level | Issuance Time | Typical Cost/yr | Best For |
|---|---|---|---|---|
| DV (Domain Validated) | Domain control only | Minutes, automated | Free–$15 | Blogs, internal tools, staging, most sites |
| OV (Organization Validated) | Domain + verified business identity | 1–3 business days | $60–150 | Commercial/public-facing business sites |
| EV (Extended Validation) | Domain + rigorous legal/operational vetting | 3–5+ business days | $150–300+ | Banking, regulated industries, procurement requirements |
| Wildcard | DV or OV only — never EV | Same as base level | $70–200 | One domain + unlimited first-level subdomains |
| Multi-Domain (SAN) | DV, OV, or EV | Same as base level | $100–300+ | Several distinct domains under one certificate |
Validation level and coverage type are chosen independently — for example, a DV wildcard and an OV wildcard both exist, but an EV wildcard does not, because the CA/Browser Forum's EV Guidelines prohibit wildcard characters outright.
The cost spread across these tiers reflects labor, not cryptography. A DV certificate costs little or nothing because the entire process — proving domain control, issuing the cert, signing it — runs through an automated challenge-response with no human review. OV and EV certificates cost more because a CA employee has to manually cross-reference business registries, verify addresses, and in EV's case, call the company to confirm the requester's employment and authority to act on the organization's behalf. You're paying for that labor, once, at issuance — not for a stronger handshake.
What Is a Domain Validated (DV) Certificate?
A DV certificate proves only that whoever requested it controls the domain being secured — nothing about the business behind it. Per the CA/Browser Forum Baseline Requirements, the certificate authority confirms control through an automated challenge: an HTTP file placed at a specific path, a DNS TXT record, or a reply to an address like admin@example.com. Let's Encrypt and other ACME-based CAs (protocol defined in RFC 8555) issue DV certificates exclusively, because they can't automate the human verification steps OV and EV require.
DV certificates use the same encryption strength as OV and EV — a minimum of RSA 2048-bit or ECDSA P-256, per Baseline Requirements — and are the correct choice for most websites, including anything that doesn't need to prove a legal business identity to visitors.
Because domain-control challenges are entirely machine-verifiable, DV is also the only validation level that scales to thousands of certificates without adding headcount. A hosting provider issuing a unique certificate per customer subdomain, or a platform auto-provisioning TLS for every new tenant, relies on DV for exactly this reason — there's no manual review step to bottleneck the pipeline.
What Is an Organization Validated (OV) Certificate?
OV adds a verified business-identity layer on top of domain control. The CA checks the organization's legal name and physical address against government business registries or a Qualified Independent Information Source (QIIS), and embeds that data in the certificate's Subject field as O= (organization), L= (locality), and C= (country). Issuance takes 1–3 business days because a human reviewer, not an automated challenge, confirms the paperwork.
OV is the standard choice for a commercial website that wants a verifiable organizational record attached to its certificate — useful for procurement checklists, B2B trust, and compliance frameworks that specifically require organization-vetted certificates, even though it produces no distinct visual signal in the browser UI.
Because OV re-verification still requires a human reviewer at renewal time, it doesn't automate as cleanly as DV through ACME. Some CAs offer limited validation-data reuse to shorten repeat verification, but the initial manual check can't be skipped entirely — a constraint that matters more as the industry-wide maximum certificate lifetime keeps shrinking (covered below).
What Is an Extended Validation (EV) Certificate?
EV is the strictest tier. Per the CA/Browser Forum EV Guidelines, issuing an EV certificate requires confirming legal existence, physical business presence, operational status, domain control, and signer authorization — often via a Verified Legal Opinion letter or direct government-registry lookup, plus an anti-phishing blacklist check on the organization and domain. That's why EV issuance commonly takes 3–5+ business days.
Historically, EV certificates triggered a green address bar showing the organization's name — the reason EV commanded a price premium. That UI is gone: Chrome removed the green coloring in version 69 (September 2018) and dropped the organization name from the address bar entirely in version 77 (September 2019); Firefox and other major browsers matched the change the same year. The verified organization data still exists — it's visible by clicking the padlock icon — but there's no longer a passive visual cue distinguishing EV from DV or OV at a glance. EV still has legitimate uses in regulated industries and vendor-compliance contexts that specifically mandate it, but "customers will notice the green bar" is no longer a valid reason to buy one.
What's the Difference Between a Wildcard and a Multi-Domain Certificate?
Wildcard and multi-domain (SAN) certificates solve different coverage problems and are frequently confused.
A wildcard certificate (*.example.com) secures the base domain plus every first-level subdomain — www.example.com, mail.example.com, blog.example.com — under one certificate. It does not cover the bare apex domain (example.com) automatically; most CAs bundle a SAN entry for the apex by default, but this isn't guaranteed by every issuer, so check before deploying. It also does not match a second-level subdomain like a.b.example.com — the wildcard only matches one label deep.
A multi-domain (SAN) certificate, sometimes called a Unified Communications Certificate (UCC), lists entirely separate domains — example.com, example.net, example.org — as Subject Alternative Names on a single certificate. It's built for organizations managing several distinct properties without issuing and rotating a separate certificate for each one.
Both coverage types can be layered with DV or OV validation. Neither can be issued as EV: the CA/Browser Forum EV Guidelines explicitly forbid wildcard characters in Extended Validation certificates, and while EV certificates can technically carry multiple SAN entries, each additional domain requires its own full legal-vetting pass, which most CAs don't offer as a standard product.
DV vs OV vs EV: Key Differences That Actually Matter
The encryption is identical across all three levels — TLS handshake strength, cipher suite support, and minimum key size don't change based on validation tier. What actually differs:
- What's verified. DV confirms domain control. OV adds legal business identity. EV adds physical presence, operational history, and signer authorization.
- Issuance speed. DV is minutes and fully automatable via ACME. OV and EV require a human reviewer and take days.
- Where the data surfaces. DV shows only a
CN=(common name) in the certificate subject. OV and EV addO=,L=, andC=fields — visible in certificate details, not in passive browser chrome. - Automation compatibility. DV fits into CI/CD and auto-renewal pipelines cleanly. OV and EV re-verification steps resist full automation, which matters more as maximum validity periods shrink (see below).
Which SSL Certificate Type Should You Choose?
- DV — personal sites, blogs, internal tools, staging environments, and the large majority of commercial sites that don't have a specific compliance requirement for organization-vetted certificates. If you're deploying through a CI/CD pipeline or an ACME client like Certbot, DV is also the only tier that fits cleanly into fully automated issuance and renewal.
- OV — public-facing business sites where a verifiable organizational record matters for B2B trust or procurement, without needing EV's full legal-vetting depth. Common for SaaS vendors, agencies, and mid-size businesses that get asked "is your certificate organization-validated?" during a client security review.
- EV — regulated industries (banking, healthcare, insurance) or vendor/compliance frameworks that explicitly mandate Extended Validation, regardless of the missing browser UI signal. Choose EV when a specific contract, auditor, or regulator requires it by name — not as a default upgrade from OV.
- Wildcard — one domain with many first-level subdomains under common management (e.g., a SaaS product issuing per-customer subdomains, or an internal platform spinning up
*.staging.example.comenvironments on demand). - Multi-Domain (SAN) — an organization operating several distinct domains, such as regional TLDs or rebrand variants, that should renew and rotate together instead of being managed as separate certificate lifecycles.
Run the SSL Checker against your current certificate to see its validation level, issuer, and expiry before deciding whether to change type.
How Do You Check Which Certificate Type a Site Is Using?
The certificate's Subject field tells you the validation level directly — presence of an O= field means OV or EV; its absence means DV.
# Pull the certificate and print subject, issuer, and validity dates
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates
subject=C=US, O=Example Corp, L=San Francisco, ST=California, CN=example.com
issuer=C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
notBefore=Jan 10 00:00:00 2026 GMT
notAfter=Jul 29 23:59:59 2026 GMT
A subject= line with only CN=example.com and no O= field means DV. To confirm which specific domains and subdomains a certificate covers, list its SAN entries:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -ext subjectAltName
If you'd rather not use a terminal, the SSL Checker surfaces the same subject, issuer, validity window, and SAN list in one lookup. To confirm the organization details on an OV or EV certificate actually match the registered business, cross-reference them with a WHOIS Lookup on the domain.
Why Certificate Type Choice Matters More in 2026
The CA/Browser Forum's Ballot SC-081v3 is phasing maximum public TLS certificate validity down on a fixed schedule, and it applies equally to DV, OV, and EV:
| Effective Date | Max Certificate Validity | Max Domain-Validation Reuse |
|---|---|---|
| Before Mar 15, 2026 | 398 days | 398 days |
| Mar 15, 2026 (current) | 200 days | 200 days |
| Mar 15, 2027 | 100 days | 100 days |
| Mar 15, 2029 | 47 days | 10 days |
As of this writing, the maximum is already 200 days — down from the 398-day ceiling most existing guides still quote. This is where validation level starts to matter for operational reasons beyond trust signaling: DV renewal is fully automatable through ACME, so a 47-day cycle in 2029 is a non-event if you're already using Certbot or another ACME client. OV and EV renewal still involves a manual re-verification step at each CA, and that overhead only gets more disruptive as the renewal window shrinks. If you're choosing OV or EV for a new deployment, plan for a certificate-management workflow that can absorb re-validation on a much tighter cadence than the old one-year renewal calendar.
Stop tracking expiry manually. DNSnexus Monitor watches your SSL certificate expiry, DNS records, and email auth, and alerts you before a certificate lapses — increasingly important now that maximum validity is measured in months, not years. Free tier covers one domain.
Common Mistakes When Choosing an SSL Certificate
Assuming EV still shows a visible browser difference. It doesn't, as of Chrome 77 and Firefox's 2019 update. Don't budget for EV expecting a customer-facing trust signal — the verified data is there, but it's a click away, not a color.
Trying to order an EV wildcard. The CA/Browser Forum's EV Guidelines prohibit wildcard characters in Extended Validation certificates outright. If you need EV-level identity vetting across subdomains, you must list each one explicitly as a SAN — or drop to OV, which does support wildcards.
Assuming a wildcard covers the apex domain automatically. *.example.com does not include example.com by definition. Most CAs add the apex as a SAN by default, but confirm it with your issuer rather than assuming.
Planning renewals on a one-year calendar. With the Baseline Requirements cap now at 200 days (dropping to 100 in 2027, 47 in 2029), a certificate issued today won't survive a calendar-year renewal cycle. Automate DV renewal now; build a faster manual process for OV/EV before the 2027 cutover.
Paying for EV expecting a conversion-rate lift. Vendors sold EV for years on the promise that the green address bar increased customer trust and checkout completion. That UI signal has been gone from every major browser since 2019, so any conversion argument for EV today has to rest on the verified organizational record itself — useful for B2B and compliance contexts, not a consumer-facing trust badge.
Key Takeaways
- ✓ DV, OV, and EV differ in identity verification depth, not encryption strength — all meet the same Baseline Requirements minimum key sizes.
- ✓ EV certificates cannot be issued as wildcards; the CA/Browser Forum EV Guidelines forbid wildcard characters.
- ✓ Chrome and Firefox removed the EV green-bar/org-name UI in 2018–2019 — verified identity data now requires clicking the padlock.
- ✓ As of March 15, 2026, the maximum public TLS certificate validity is 200 days per CA/Browser Forum Ballot SC-081v3, dropping to 100 days in 2027 and 47 in 2029.
- ✓ A wildcard covers first-level subdomains only — not the apex domain by default, and not deeper subdomain levels.
Frequently Asked Questions
Q: Is a more expensive SSL certificate more secure?
No. Encryption strength — key size, cipher suite — is identical across DV, OV, and EV under CA/Browser Forum Baseline Requirements. The price pays for identity verification work, not stronger cryptography.
Q: Can I get an EV wildcard certificate?
No. The CA/Browser Forum's EV Guidelines explicitly prohibit wildcard characters in Extended Validation certificates — every subdomain must be listed individually as a SAN entry instead.
Q: Does Chrome still show a green bar for EV certificates?
No. Chrome removed the green coloring in version 69 (September 2018) and dropped the organization name from the address bar in version 77 (September 2019); Firefox followed the same year.
Q: Does a wildcard certificate cover the root domain too?
Not automatically. *.example.com secures first-level subdomains only; example.com itself needs a separate SAN entry, which most CAs add by default but not all — verify before deploying.
Q: Can Let's Encrypt issue OV or EV certificates?
No. Let's Encrypt issues DV certificates only, since OV and EV require manual human verification steps that can't be fully automated through the ACME protocol it uses.
Q: How long is an SSL certificate valid in 2026?
A maximum of 200 days for any publicly trusted certificate issued after March 15, 2026, per CA/Browser Forum Ballot SC-081v3 — down from 398 days, and scheduled to drop to 100 days in 2027 and 47 in 2029.
Q: Does a wildcard cover multiple levels of subdomains?
No. *.example.com matches one level, like mail.example.com, but not a.b.example.com. Multi-level coverage needs additional wildcard certificates or explicit SAN entries.
Q: What's the difference between a wildcard and a multi-domain (SAN) certificate?
A wildcard secures one domain plus its first-level subdomains (*.example.com); a multi-domain certificate secures a list of entirely different domains (example.com, example.net) under a single certificate.
Next Steps
Check your current certificate's validation level, issuer, and expiry with the SSL Checker, and confirm any organization details on an OV/EV certificate against a WHOIS Lookup. If you're troubleshooting a broken installation rather than choosing a type, see Common SSL Errors and Fixes, SSL Handshake Failed: Every Error Explained, and TLS Certificate Chain Validation. For certificates secured with CAA records restricting which CAs can issue for your domain, see CAA Records and SSL Explained.