Skip to main content
DNSnexus
Free Developer Tools
DNS
Email
Network
Webmaster
Security
IP
Guides
Live Tools
60+
Categories
6
Result URLs
Shareable
Availability
24/7
DNSnexus
Free Developer Tools
Free DNS, email, network, and security diagnostics with crawlable tool pages and shareable result URLs.
Run DNS CheckBrowse All Tools
Popular Tools
DNS Propagation CheckerDNS LookupWHOIS LookupSPF Record CheckerDMARC CheckerSSL Certificate CheckerPort Scanner
Quick Path
Fix Email Deliverability
Quick Path
Troubleshoot DNS Changes
Quick Path
Validate SSL & Open Ports
DNS Tools
A Record LookupAAAA Record LookupCERT LookupCNAME LookupDNS CheckDNS LookupDNS Propagation CheckerDNSKEY LookupDS LookupIPSECKEY LookupLOC LookupNS LookupNSEC LookupNSEC3PARAM LookupReverse DNS LookupRRSIG LookupSOA LookupSRV LookupTXT LookupWHOIS Lookup
Email Tools
BIMI LookupBlacklist CheckDKIM CheckerDMARC CheckerDMARC Report AnalyzerEmail Deliverability ReportEmail Header AnalyzerEmail Health ReportGoogle/Yahoo Compliance CheckerMicrosoft Compliance CheckerMTA-STS LookupMX Record LookupSMTP TestSPF Record Checker
Network Tools
HTTP LookupHTTPS LookupMAC Address GeneratorMAC Address LookupOnline TraceroutePingSubnet Calculator
Webmaster Tools
HTTP Headers CheckSearch Presence CheckWebsite Link AnalyzerWebsite Operating System CheckWebsite Redirect CheckerWhat is My User Agent?
Security Tools
DKIM Record GeneratorDMARC GeneratorDomain DNS Security CheckEmail Security CheckerPort ScannerSPF GeneratorSSL Certificate CheckerWebsite Vulnerability Scanner
IP Tools
ARIN LookupASN LookupIP Blacklist CheckIP Geolocation LookupWhat Is My IP
Company
All Tools DirectoryGuides & PlaybooksAbout DNSnexusContactAPI DocsPrivacy PolicyTerms & ConditionsCookie Policy
© 2026 DNSnexus — DNS, Email, Network & Security Tool Platform
All ToolsAboutContactPrivacyTerms
Home › Guides › Security Checks › SSL Certificate Types: DV vs OV vs EV vs Wildcard
Security Checks•11 min•Published 2026-07-14

SSL Certificate Types: DV vs OV vs EV vs Wildcard

SSL certificate types split along two independent axes that get conflated constantly: validation level (how thoroughly the certificate authority checks who you are — DV, OV, or EV) and domain coverage (how many hostnames one certificate protects — single, wildcard, or multi-domain). Picking the wrong combination either wastes money on verification you don't need or leaves subdomains unprotected.

Quick Answer
There are three validation levels — DV (domain control only, issued in minutes), OV (verified business identity, 1–3 days), and EV (full legal vetting, no longer shown differently in browsers since 2019) — plus two coverage types, Wildcard (one domain + its subdomains) and Multi-Domain/SAN (several distinct domains on one certificate). Most sites need DV; EV wildcards don't exist.

SSL Certificate Types at a Glance

TypeValidation LevelIssuance TimeTypical Cost/yrBest For
DV (Domain Validated)Domain control onlyMinutes, automatedFree–$15Blogs, internal tools, staging, most sites
OV (Organization Validated)Domain + verified business identity1–3 business days$60–150Commercial/public-facing business sites
EV (Extended Validation)Domain + rigorous legal/operational vetting3–5+ business days$150–300+Banking, regulated industries, procurement requirements
WildcardDV or OV only — never EVSame as base level$70–200One domain + unlimited first-level subdomains
Multi-Domain (SAN)DV, OV, or EVSame as base level$100–300+Several distinct domains under one certificate

Validation level and coverage type are chosen independently — for example, a DV wildcard and an OV wildcard both exist, but an EV wildcard does not, because the CA/Browser Forum's EV Guidelines prohibit wildcard characters outright.

The cost spread across these tiers reflects labor, not cryptography. A DV certificate costs little or nothing because the entire process — proving domain control, issuing the cert, signing it — runs through an automated challenge-response with no human review. OV and EV certificates cost more because a CA employee has to manually cross-reference business registries, verify addresses, and in EV's case, call the company to confirm the requester's employment and authority to act on the organization's behalf. You're paying for that labor, once, at issuance — not for a stronger handshake.

What Is a Domain Validated (DV) Certificate?

A DV certificate proves only that whoever requested it controls the domain being secured — nothing about the business behind it. Per the CA/Browser Forum Baseline Requirements, the certificate authority confirms control through an automated challenge: an HTTP file placed at a specific path, a DNS TXT record, or a reply to an address like admin@example.com. Let's Encrypt and other ACME-based CAs (protocol defined in RFC 8555) issue DV certificates exclusively, because they can't automate the human verification steps OV and EV require.

DV certificates use the same encryption strength as OV and EV — a minimum of RSA 2048-bit or ECDSA P-256, per Baseline Requirements — and are the correct choice for most websites, including anything that doesn't need to prove a legal business identity to visitors.

Because domain-control challenges are entirely machine-verifiable, DV is also the only validation level that scales to thousands of certificates without adding headcount. A hosting provider issuing a unique certificate per customer subdomain, or a platform auto-provisioning TLS for every new tenant, relies on DV for exactly this reason — there's no manual review step to bottleneck the pipeline.

What Is an Organization Validated (OV) Certificate?

OV adds a verified business-identity layer on top of domain control. The CA checks the organization's legal name and physical address against government business registries or a Qualified Independent Information Source (QIIS), and embeds that data in the certificate's Subject field as O= (organization), L= (locality), and C= (country). Issuance takes 1–3 business days because a human reviewer, not an automated challenge, confirms the paperwork.

OV is the standard choice for a commercial website that wants a verifiable organizational record attached to its certificate — useful for procurement checklists, B2B trust, and compliance frameworks that specifically require organization-vetted certificates, even though it produces no distinct visual signal in the browser UI.

Because OV re-verification still requires a human reviewer at renewal time, it doesn't automate as cleanly as DV through ACME. Some CAs offer limited validation-data reuse to shorten repeat verification, but the initial manual check can't be skipped entirely — a constraint that matters more as the industry-wide maximum certificate lifetime keeps shrinking (covered below).

What Is an Extended Validation (EV) Certificate?

EV is the strictest tier. Per the CA/Browser Forum EV Guidelines, issuing an EV certificate requires confirming legal existence, physical business presence, operational status, domain control, and signer authorization — often via a Verified Legal Opinion letter or direct government-registry lookup, plus an anti-phishing blacklist check on the organization and domain. That's why EV issuance commonly takes 3–5+ business days.

Historically, EV certificates triggered a green address bar showing the organization's name — the reason EV commanded a price premium. That UI is gone: Chrome removed the green coloring in version 69 (September 2018) and dropped the organization name from the address bar entirely in version 77 (September 2019); Firefox and other major browsers matched the change the same year. The verified organization data still exists — it's visible by clicking the padlock icon — but there's no longer a passive visual cue distinguishing EV from DV or OV at a glance. EV still has legitimate uses in regulated industries and vendor-compliance contexts that specifically mandate it, but "customers will notice the green bar" is no longer a valid reason to buy one.

What's the Difference Between a Wildcard and a Multi-Domain Certificate?

Wildcard and multi-domain (SAN) certificates solve different coverage problems and are frequently confused.

A wildcard certificate (*.example.com) secures the base domain plus every first-level subdomain — www.example.com, mail.example.com, blog.example.com — under one certificate. It does not cover the bare apex domain (example.com) automatically; most CAs bundle a SAN entry for the apex by default, but this isn't guaranteed by every issuer, so check before deploying. It also does not match a second-level subdomain like a.b.example.com — the wildcard only matches one label deep.

A multi-domain (SAN) certificate, sometimes called a Unified Communications Certificate (UCC), lists entirely separate domains — example.com, example.net, example.org — as Subject Alternative Names on a single certificate. It's built for organizations managing several distinct properties without issuing and rotating a separate certificate for each one.

Both coverage types can be layered with DV or OV validation. Neither can be issued as EV: the CA/Browser Forum EV Guidelines explicitly forbid wildcard characters in Extended Validation certificates, and while EV certificates can technically carry multiple SAN entries, each additional domain requires its own full legal-vetting pass, which most CAs don't offer as a standard product.

DV vs OV vs EV: Key Differences That Actually Matter

The encryption is identical across all three levels — TLS handshake strength, cipher suite support, and minimum key size don't change based on validation tier. What actually differs:

  • What's verified. DV confirms domain control. OV adds legal business identity. EV adds physical presence, operational history, and signer authorization.
  • Issuance speed. DV is minutes and fully automatable via ACME. OV and EV require a human reviewer and take days.
  • Where the data surfaces. DV shows only a CN= (common name) in the certificate subject. OV and EV add O=, L=, and C= fields — visible in certificate details, not in passive browser chrome.
  • Automation compatibility. DV fits into CI/CD and auto-renewal pipelines cleanly. OV and EV re-verification steps resist full automation, which matters more as maximum validity periods shrink (see below).

Which SSL Certificate Type Should You Choose?

  • DV — personal sites, blogs, internal tools, staging environments, and the large majority of commercial sites that don't have a specific compliance requirement for organization-vetted certificates. If you're deploying through a CI/CD pipeline or an ACME client like Certbot, DV is also the only tier that fits cleanly into fully automated issuance and renewal.
  • OV — public-facing business sites where a verifiable organizational record matters for B2B trust or procurement, without needing EV's full legal-vetting depth. Common for SaaS vendors, agencies, and mid-size businesses that get asked "is your certificate organization-validated?" during a client security review.
  • EV — regulated industries (banking, healthcare, insurance) or vendor/compliance frameworks that explicitly mandate Extended Validation, regardless of the missing browser UI signal. Choose EV when a specific contract, auditor, or regulator requires it by name — not as a default upgrade from OV.
  • Wildcard — one domain with many first-level subdomains under common management (e.g., a SaaS product issuing per-customer subdomains, or an internal platform spinning up *.staging.example.com environments on demand).
  • Multi-Domain (SAN) — an organization operating several distinct domains, such as regional TLDs or rebrand variants, that should renew and rotate together instead of being managed as separate certificate lifecycles.

Run the SSL Checker against your current certificate to see its validation level, issuer, and expiry before deciding whether to change type.

How Do You Check Which Certificate Type a Site Is Using?

The certificate's Subject field tells you the validation level directly — presence of an O= field means OV or EV; its absence means DV.

Code
# Pull the certificate and print subject, issuer, and validity dates
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates
Code
subject=C=US, O=Example Corp, L=San Francisco, ST=California, CN=example.com
issuer=C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
notBefore=Jan 10 00:00:00 2026 GMT
notAfter=Jul 29 23:59:59 2026 GMT

A subject= line with only CN=example.com and no O= field means DV. To confirm which specific domains and subdomains a certificate covers, list its SAN entries:

Code
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -ext subjectAltName

If you'd rather not use a terminal, the SSL Checker surfaces the same subject, issuer, validity window, and SAN list in one lookup. To confirm the organization details on an OV or EV certificate actually match the registered business, cross-reference them with a WHOIS Lookup on the domain.

Why Certificate Type Choice Matters More in 2026

The CA/Browser Forum's Ballot SC-081v3 is phasing maximum public TLS certificate validity down on a fixed schedule, and it applies equally to DV, OV, and EV:

Effective DateMax Certificate ValidityMax Domain-Validation Reuse
Before Mar 15, 2026398 days398 days
Mar 15, 2026 (current)200 days200 days
Mar 15, 2027100 days100 days
Mar 15, 202947 days10 days

As of this writing, the maximum is already 200 days — down from the 398-day ceiling most existing guides still quote. This is where validation level starts to matter for operational reasons beyond trust signaling: DV renewal is fully automatable through ACME, so a 47-day cycle in 2029 is a non-event if you're already using Certbot or another ACME client. OV and EV renewal still involves a manual re-verification step at each CA, and that overhead only gets more disruptive as the renewal window shrinks. If you're choosing OV or EV for a new deployment, plan for a certificate-management workflow that can absorb re-validation on a much tighter cadence than the old one-year renewal calendar.

Stop tracking expiry manually. DNSnexus Monitor watches your SSL certificate expiry, DNS records, and email auth, and alerts you before a certificate lapses — increasingly important now that maximum validity is measured in months, not years. Free tier covers one domain.

Common Mistakes When Choosing an SSL Certificate

Assuming EV still shows a visible browser difference. It doesn't, as of Chrome 77 and Firefox's 2019 update. Don't budget for EV expecting a customer-facing trust signal — the verified data is there, but it's a click away, not a color.

Trying to order an EV wildcard. The CA/Browser Forum's EV Guidelines prohibit wildcard characters in Extended Validation certificates outright. If you need EV-level identity vetting across subdomains, you must list each one explicitly as a SAN — or drop to OV, which does support wildcards.

Assuming a wildcard covers the apex domain automatically. *.example.com does not include example.com by definition. Most CAs add the apex as a SAN by default, but confirm it with your issuer rather than assuming.

Planning renewals on a one-year calendar. With the Baseline Requirements cap now at 200 days (dropping to 100 in 2027, 47 in 2029), a certificate issued today won't survive a calendar-year renewal cycle. Automate DV renewal now; build a faster manual process for OV/EV before the 2027 cutover.

Paying for EV expecting a conversion-rate lift. Vendors sold EV for years on the promise that the green address bar increased customer trust and checkout completion. That UI signal has been gone from every major browser since 2019, so any conversion argument for EV today has to rest on the verified organizational record itself — useful for B2B and compliance contexts, not a consumer-facing trust badge.

Key Takeaways

  • ✓ DV, OV, and EV differ in identity verification depth, not encryption strength — all meet the same Baseline Requirements minimum key sizes.
  • ✓ EV certificates cannot be issued as wildcards; the CA/Browser Forum EV Guidelines forbid wildcard characters.
  • ✓ Chrome and Firefox removed the EV green-bar/org-name UI in 2018–2019 — verified identity data now requires clicking the padlock.
  • ✓ As of March 15, 2026, the maximum public TLS certificate validity is 200 days per CA/Browser Forum Ballot SC-081v3, dropping to 100 days in 2027 and 47 in 2029.
  • ✓ A wildcard covers first-level subdomains only — not the apex domain by default, and not deeper subdomain levels.

Frequently Asked Questions

Q: Is a more expensive SSL certificate more secure?

No. Encryption strength — key size, cipher suite — is identical across DV, OV, and EV under CA/Browser Forum Baseline Requirements. The price pays for identity verification work, not stronger cryptography.

Q: Can I get an EV wildcard certificate?

No. The CA/Browser Forum's EV Guidelines explicitly prohibit wildcard characters in Extended Validation certificates — every subdomain must be listed individually as a SAN entry instead.

Q: Does Chrome still show a green bar for EV certificates?

No. Chrome removed the green coloring in version 69 (September 2018) and dropped the organization name from the address bar in version 77 (September 2019); Firefox followed the same year.

Q: Does a wildcard certificate cover the root domain too?

Not automatically. *.example.com secures first-level subdomains only; example.com itself needs a separate SAN entry, which most CAs add by default but not all — verify before deploying.

Q: Can Let's Encrypt issue OV or EV certificates?

No. Let's Encrypt issues DV certificates only, since OV and EV require manual human verification steps that can't be fully automated through the ACME protocol it uses.

Q: How long is an SSL certificate valid in 2026?

A maximum of 200 days for any publicly trusted certificate issued after March 15, 2026, per CA/Browser Forum Ballot SC-081v3 — down from 398 days, and scheduled to drop to 100 days in 2027 and 47 in 2029.

Q: Does a wildcard cover multiple levels of subdomains?

No. *.example.com matches one level, like mail.example.com, but not a.b.example.com. Multi-level coverage needs additional wildcard certificates or explicit SAN entries.

Q: What's the difference between a wildcard and a multi-domain (SAN) certificate?

A wildcard secures one domain plus its first-level subdomains (*.example.com); a multi-domain certificate secures a list of entirely different domains (example.com, example.net) under a single certificate.

Next Steps

Check your current certificate's validation level, issuer, and expiry with the SSL Checker, and confirm any organization details on an OV/EV certificate against a WHOIS Lookup. If you're troubleshooting a broken installation rather than choosing a type, see Common SSL Errors and Fixes, SSL Handshake Failed: Every Error Explained, and TLS Certificate Chain Validation. For certificates secured with CAA records restricting which CAs can issue for your domain, see CAA Records and SSL Explained.

Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.

On this page
  • SSL Certificate Types at a Glance
  • What Is a Domain Validated (DV) Certificate?
  • What Is an Organization Validated (OV) Certificate?
  • What Is an Extended Validation (EV) Certificate?
  • What's the Difference Between a Wildcard and a Multi-Domain Certificate?
  • DV vs OV vs EV: Key Differences That Actually Matter
  • Which SSL Certificate Type Should You Choose?
  • How Do You Check Which Certificate Type a Site Is Using?
  • Why Certificate Type Choice Matters More in 2026
  • Common Mistakes When Choosing an SSL Certificate
  • Key Takeaways
  • Frequently Asked Questions
  • Next Steps
Related links
Ssl CheckerDns LookupWhois LookupCommon Ssl Errors And FixesSsl Handshake FailedTls Certificate Chain Validation
Related Tools
Port Scanner→SSL Certificate Checker→Domain DNS Security Check→SPF Generator→