Types of SSL Certificates: DV, OV, and EV Explained

Domain Validation, Organization Validation, and Extended Validation SSL certificates compared. Which type you need, what they cost, and what they actually prove.

Not all SSL certificates are created equal. Some take seconds to issue and cost nothing. Others take weeks and cost hundreds of dollars. The difference isn't in the encryption -- they all encrypt your traffic the same way. The difference is in what they prove about who you are. Here's what each type actually does, and which one you need.

The Three Validation Levels

SSL certificates come in three flavors based on how thoroughly the Certificate Authority (CA) checks your identity before issuing the certificate. Think of them as three tiers of background check: a quick ID glance, a phone call to confirm your employer, and a full investigation.

Domain Validation (DV)

DV certificates prove one thing: you control the domain. That's it. The CA doesn't verify who you are, where you're located, or whether your organization is legitimate. It only confirms that you can respond to a challenge on the domain (via DNS record, HTTP file, or email).

Issuance time: Minutes. Fully automated.

Cost: Free (Let's Encrypt, ZeroSSL) to around $10-50/year from commercial CAs.

What users see: A padlock icon in the browser. No organization name. If a user clicks on the certificate details, they'll see the domain name but no company information.

Best for: Personal sites, blogs, small projects, APIs, development environments, and frankly most websites. DV certificates provide the same encryption strength as OV and EV. For the vast majority of use cases, they're all you need.

Let's Encrypt changed everything

Before Let's Encrypt launched in 2015, even basic DV certificates cost money. Let's Encrypt made DV certificates free and automated, which pushed HTTPS adoption from about 40% of web traffic to over 90%. The existence of free DV certificates is arguably the single biggest improvement to web security in the last decade.

Organization Validation (OV)

OV certificates add a layer of identity verification. The CA checks that your organization legally exists by verifying business registration documents, physical address, and phone number. A human at the CA reviews this information before issuing the certificate.

Issuance time: 1-3 business days. Requires human review and sometimes a phone call.

Cost: $50-200/year.

What users see: The same padlock icon as DV. Browsers don't visually distinguish OV from DV in the address bar. Users would have to inspect the certificate details to see the organization name. Most never will.

Best for: Businesses that want the organization name embedded in the certificate for compliance or policy reasons. Some internal corporate policies or industry regulations require OV certificates even though browsers don't treat them differently from DV.

The honest truth about OV: the added value is minimal for most websites. You're paying more and waiting longer for information that almost no visitor will ever see. The encryption is identical to DV.

Extended Validation (EV)

EV certificates require the most thorough vetting. The CA verifies the legal, physical, and operational existence of your organization. They check business registration, verify the applicant's authority to request the certificate, and confirm the organization's physical address through independent sources.

Issuance time: 1-4 weeks. Extensive documentation and multiple verification steps.

Cost: $100-500+/year.

What users see: This is where EV has lost its appeal. EV certificates used to display the company name in a green address bar. As of 2019, all major browsers (Chrome 77, Firefox 70, Safari 12) removed the green bar and the visible organization name from the address bar. EV certificates now show the same padlock as DV and OV. The organization name is buried in the certificate details.

Best for: Financial institutions and large enterprises that need EV for compliance, regulatory, or contractual reasons. From a pure user trust perspective, EV certificates no longer provide a visible advantage over DV.

Comparison at a Glance

Feature                    | DV             | OV             | EV
---------------------------|----------------|----------------|----------------------
Validates domain ownership | Yes            | Yes            | Yes
Validates organization     | No             | Yes            | Yes
Extensive legal vetting    | No             | No             | Yes
Issuance time              | Minutes        | 1-3 days       | 1-4 weeks
Typical cost               | Free - $50/yr  | $50 - $200/yr  | $100 - $500+/yr
Encryption strength        | 256-bit        | 256-bit        | 256-bit
Green address bar          | No             | No             | No (removed in 2019)
Org name in cert details   | No             | Yes            | Yes
Automation possible        | Yes            | No             | No
Free options available     | Yes            | No             | No

Beyond Validation: Coverage Types

Orthogonal to the validation level (DV, OV, EV), SSL certificates also vary in how many domains they cover. You can get a DV, OV, or EV version of each coverage type.

Single Domain Certificates

Covers exactly one fully qualified domain name (FQDN). A certificate for example.com does NOT cover www.example.com or api.example.com. Most CAs include www as a Subject Alternative Name (SAN) automatically, but don't assume -- check.

Best for: Simple sites with a single domain.

Wildcard Certificates

Covers every first-level subdomain of a domain. A wildcard certificate for *.example.com covers www.example.com, api.example.com, blog.example.com, and any other subdomain at that level. It does NOT cover example.com itself (although most CAs add the bare domain as a SAN), and it does NOT cover second-level subdomains like staging.api.example.com.

Best for: Organizations with multiple subdomains that change frequently. Saves the hassle of issuing individual certificates for each subdomain.

Wildcard security trade-off

A wildcard certificate means a single private key protects all your subdomains. If that key is compromised, every subdomain is affected. Some security policies prohibit wildcards for this reason. Weigh the convenience against the risk.

Multi-Domain (SAN) Certificates

Covers multiple specific domain names listed as Subject Alternative Names. A single certificate can cover example.com, example.org, myapp.io, and api.different-domain.com. Each domain is explicitly listed.

Best for: Organizations managing multiple distinct domains that want to consolidate into a single certificate for simpler management.

Multi-Domain Wildcard

The most comprehensive option. Covers multiple wildcard domains on a single certificate. For example, *.example.com, *.example.org, and *.myapp.io on one cert.

Best for: Large organizations with complex domain structures.
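
The coverage rules above (single domain, wildcard, multi-domain) can be checked mechanically before a certificate is ordered or deployed. The following is an added example, not code from the original article: the function names and SAN lists are constructed for illustration, and the guard against a wildcard directly under a top-level label is a simplification of the public-suffix checks that real clients apply.

```python
def san_matches(san: str, host: str) -> bool:
    """Return True if one SAN dNSName entry covers `host`.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never matches the bare domain or a deeper
    subdomain.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # '*' cannot span zero labels or several labels
    if san_labels[0] == "*":
        # Simplified guard: refuse a wildcard directly under one label ("*.com").
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels  # partial wildcards like "w*" fall through here


def coverage_gaps(sans, hosts):
    """Return the hosts that no SAN entry covers, in input order."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


# Constructed SAN lists, one per coverage type discussed above.
SINGLE = ["example.com"]
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
MULTI_WILDCARD = ["*.example.com", "*.example.org", "*.myapp.io"]

# Constructed inventory of hostnames the certificate is expected to serve.
HOSTS = [
    "example.com",
    "www.example.com",
    "api.example.com",
    "staging.api.example.com",
]

if __name__ == "__main__":
    for name, sans in [
        ("single", SINGLE),
        ("wildcard only", WILDCARD_ONLY),
        ("wildcard + apex", WILDCARD_PLUS_APEX),
        ("multi-domain wildcard", MULTI_WILDCARD),
    ]:
        print(f"{name:22} not covered: {coverage_gaps(sans, HOSTS)}")
```

Running the hostname inventory through coverage_gaps() before issuance shows which names would produce a certificate mismatch, such as the bare domain on a wildcard-only certificate.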

Which Certificate Should You Choose?

Let's cut through the noise with practical guidance:

Personal blog or project

Free DV from Let's Encrypt. No reason to spend money. Set up automated renewal and forget about it (almost).

Business website or SaaS

DV is perfectly fine. Your users won't know or care about the validation level. Spend your security budget on things that matter more, like a web application firewall or security headers.

E-commerce handling payments

DV is still fine if you're using a third-party payment processor (Stripe, PayPal). Your payment page is on their domain, not yours. If you're processing cards directly, your PCI QSA may require OV.

Financial institution or large enterprise

Check your compliance requirements. Some regulations and contracts explicitly require OV or EV. If they don't, DV works.

Multiple subdomains

Wildcard DV certificate. Let's Encrypt supports them. Free and automated.

The uncomfortable truth for the certificate industry: DV certificates provide the same encryption as EV certificates. The main beneficiaries of OV and EV pricing are the CAs themselves. Unless you have a specific compliance requirement, DV is almost certainly sufficient.

The Monitoring Question

Regardless of which type you choose, every certificate expires. DV certificates from Let's Encrypt expire every 90 days. Commercial certificates typically last 1 year (the maximum allowed since September 2020, reduced from the previous 2-year maximum).

The shorter the validity period, the more important monitoring becomes. A 90-day certificate gives you less margin for error than a 1-year certificate. And if you're managing multiple domains across different certificate types and CAs, keeping track of all the expiry dates manually is a recipe for missed renewals.
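
Because a 90-day and a 1-year certificate leave very different margins, a fixed "30 days left" alert suits one and not the other. The following added example (not from the original article) scales the renewal threshold to each certificate's own lifetime. The input dictionaries are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns, and the one-third renewal fraction and 7-day critical floor are assumptions to tune.

```python
import ssl
from datetime import datetime, timezone


def cert_window(cert):
    """Return (not_before, not_after) as UTC datetimes from a getpeercert() dict."""
    def parse(field):
        seconds = ssl.cert_time_to_seconds(cert[field])
        return datetime.fromtimestamp(seconds, tz=timezone.utc)
    return parse("notBefore"), parse("notAfter")


def expiry_status(cert, now, renew_fraction=1 / 3, critical_days=7):
    """Classify a certificate as OK, RENEW, CRITICAL or EXPIRED at time `now`.

    RENEW fires when less than `renew_fraction` of the certificate's own
    validity period remains, so short-lived and long-lived certificates
    are judged on the same relative scale.
    """
    not_before, not_after = cert_window(cert)
    lifetime = not_after - not_before
    remaining = not_after - now
    days_left = remaining.days  # whole days, rounded down
    if remaining.total_seconds() <= 0:
        return "EXPIRED", days_left
    if days_left < critical_days:
        return "CRITICAL", days_left
    if remaining < lifetime * renew_fraction:
        return "RENEW", days_left
    return "OK", days_left


# Constructed sample data: one 90-day and one 365-day certificate.
CERT_90_DAY = {"notBefore": "Jan  1 00:00:00 2025 GMT",
               "notAfter": "Apr  1 00:00:00 2025 GMT"}
CERT_1_YEAR = {"notBefore": "Jan  1 00:00:00 2025 GMT",
               "notAfter": "Jan  1 00:00:00 2026 GMT"}

if __name__ == "__main__":
    checks = [datetime(2025, 3, 10, tzinfo=timezone.utc),
              datetime(2025, 3, 28, tzinfo=timezone.utc),
              datetime(2025, 10, 1, tzinfo=timezone.utc)]
    for now in checks:
        for label, cert in (("90-day", CERT_90_DAY), ("1-year", CERT_1_YEAR)):
            status, days = expiry_status(cert, now)
            print(f"{now:%Y-%m-%d} {label:7} {status:8} {days} days left")
```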


The best SSL certificate is the one that's valid. DV, OV, or EV -- none of them protect your site after they expire.
