SSL Certificate Types Explained: DV, OV, and EV
The padlock was never a trust badge. Here's what an SSL certificate actually buys you, and how DV, OV, and EV really differ.
The little padlock in your browser bar has fooled a lot of people. Site owners assume it means "this business is verified and trustworthy." It doesn't. The padlock means the connection is encrypted, and almost nothing more. Phishing sites have padlocks too. Once you understand that an SSL certificate is an encryption tool first and an identity tool second, the choice between DV, OV, and EV stops being a marketing exercise and becomes a practical decision.
So before you pay for a tier you don't need, it's worth knowing what each one actually validates, and what the padlock has been quietly promising your visitors that it can't deliver.
What an SSL certificate actually does
When someone visits your site over HTTPS, their browser and your server run through a quick negotiation called the TLS handshake. The browser asks for your certificate, checks that a recognized authority signed it, confirms it hasn't expired or been revoked, and then the two sides agree on a fresh set of session keys. From that point on, everything they exchange (passwords, card numbers, form entries) is scrambled in transit.
That encryption is the part everyone benefits from. Without it, anyone sitting between your visitor and your server (on shared Wi-Fi or at an internet provider) can read or alter what passes through. The certificate is what makes the scrambling possible and, just as importantly, proves the keys belong to your domain rather than an impostor who intercepted the request.
The trust comes from the chain. Your certificate is signed by a certificate authority (CA) whose root is already baked into the browser and operating system. The browser walks that chain from your site up to a root it recognizes; if any link is missing or untrusted, the handshake fails. This is why you can't simply mint your own certificate: the browser has no reason to trust a signature it has never seen.
The second job is identity, and this is where the tiers diverge. Every certificate confirms you control the domain. Some go further and confirm that a real, named organization stands behind it. That second layer of checking is the entire reason DV, OV, and EV exist as separate products.
DV, OV, EV: what the validation levels mean
All three encrypt traffic identically. A DV certificate and an EV certificate protect the connection with the same strength. The difference is how hard the certificate authority works to confirm who you are before issuing it.
| Type | Validates | Issued in | Best for |
|---|---|---|---|
| DV (Domain Validation) | That you control the domain | Minutes to a few hours | Blogs, portfolios, brochure sites, most small businesses |
| OV (Organization Validation) | Domain control plus a vetted, registered organization | A few days | Company sites handling user data, login portals, B2B |
| EV (Extended Validation) | Domain control plus rigorous legal and operational checks on the organization | Several days to over a week | Banks, large retailers, regulated industries |
DV is automated. The authority confirms you own the domain, usually by asking you to publish a specific DNS record or respond to an email at an administrative address, then issues the certificate. OV adds human review of business records, confirming the organization is registered and that the people requesting the certificate are connected to it. EV is the strictest, with the authority verifying the legal existence, physical presence, and operational status of the organization against official registries before signing.
Single-domain, wildcard, or multi-domain: a separate choice
Validation level answers "how much does the certificate say about me." Coverage answers a different question: "which hostnames does it protect." You pick one from each axis, and people often confuse the two. A certificate can be DV and wildcard, or OV and single-domain, in any combination.
Single-domain
Covers exactly one hostname, for example shop.yoursite.com. It's the cheapest option and the right call when you genuinely run one site. The catch is that yoursite.com and www.yoursite.com count as two hostnames. Most issuers fold the bare root and its www twin together, but never assume; check what the certificate lists.
Wildcard
Covers one domain and every first-level subdomain under it with a single *.yoursite.com entry. That one certificate secures blog.yoursite.com, app.yoursite.com, shop.yoursite.com, and any subdomain you spin up later without reissuing anything. It's the practical choice when you run several subdomains or add them often. Two limits: the wildcard only covers one level, so *.yoursite.com does not secure api.staging.yoursite.com, and because one private key protects every subdomain, that key is a bigger single point of failure if it leaks.
Multi-domain (SAN)
Uses the Subject Alternative Name field to list several distinct domains on one certificate, say yoursite.com, yoursite.co.uk, and yourotherbrand.com together. It suits an organization that runs separate brands or regional domains and wants one certificate to renew instead of five, and you can combine a SAN list with wildcard entries to cover several domains and their subdomains at once.
Do you really need OV or EV?
For the large majority of websites, DV is the right answer, and paying more for OV or EV buys you very little that visitors will ever notice. Years ago, EV certificates lit up the address bar with a green company name. Browsers have since removed that treatment. Today a visitor sees the same padlock whether you bought DV or EV, so the visual prestige argument is gone.
That said, OV and EV still earn their keep in specific situations. If you operate in a regulated sector, a procurement team, insurer, or compliance auditor may require a vetted certificate as a box to tick. Larger organizations sometimes prefer them because the organization name is recorded in the certificate details, which gives security teams something verifiable to point at. If your business depends on convincing cautious partners that you are who you claim, that paper trail has value.
For a personal site, a startup, a local shop, or a content business, none of that applies. A DV certificate encrypts everything just as well, installs faster, and renews without the back-and-forth of organizational vetting. Spend the saved effort on the things that actually move the needle on safety.
SSL mistakes that quietly hurt you
Having a certificate is not the same as being secure. These are the failures that slip past owners who assumed the padlock was the finish line, why each one bites, and how to close it:
- Mixed content. Your page loads over HTTPS but pulls an image, script, or stylesheet over plain HTTP. The browser blocks or downgrades those resources because an attacker could tamper with them, and a single insecure script can compromise the whole page. The fix: switch hardcoded `http://` URLs in your templates to `https://`, then watch the browser console for the warnings it prints.
- Expired certificates. A lapsed certificate throws a full-screen warning that scares visitors away instantly, because the browser can no longer vouch for the connection. It is one of the most common and most avoidable outages on the web. The fix: never treat a renewal date as something a person will remember, automate it well before expiry.
- No auto-renew. Relying on a human to remember a renewal date is how certificates expire, and short-lived free certificates make the window even tighter. The fix: use a host or ACME client that requests and installs renewals automatically, then verify it actually ran at least once before you trust it.
- No HTTPS redirect. If the HTTP version of your site still loads, visitors and search engines can land on the unencrypted version and never reach the secure one. The fix: force a 301 redirect from every HTTP request to its HTTPS equivalent, and add an HSTS header so browsers stop trying HTTP on return visits.
- Covering only www or only the root. A certificate for `www.yoursite.com` that doesn't also cover `yoursite.com` (or the reverse) leaves half your visitors staring at an error, depending on which address they typed. The fix: confirm the certificate lists both names, or use a wildcard if you also run subdomains.
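
The coverage rules from the wildcard and multi-domain sections and the expiry and www/root items in this list can be checked together. This is an added example, not code from the original page: the function names, the 30-day threshold, and the sample certificate are constructed for illustration, and the certificate dictionary follows the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone

def name_matches(pattern: str, host: str) -> bool:
    """One SAN entry vs one hostname. '*' stands for exactly one label, so
    *.yoursite.com matches neither api.staging.yoursite.com nor the bare root."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def audit(cert: dict, required_hosts, now: datetime, warn_days: int = 30) -> dict:
    """cert has the shape returned by ssl.SSLSocket.getpeercert()."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    uncovered = [h for h in required_hosts
                 if not any(name_matches(s, h) for s in sans)]
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    return {"uncovered": uncovered, "days_left": days_left,
            "renew_now": days_left < warn_days}

def fetch_cert(host: str, port: int = 443) -> dict:
    """Live lookup. An expired or untrusted certificate raises
    ssl.SSLCertVerificationError here, which is itself the finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample so the example runs offline.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "yoursite.com"), ("DNS", "*.yoursite.com"),
                       ("DNS", "yourotherbrand.com")),
    "notAfter": "Mar 15 12:00:00 2031 GMT",
}
REQUIRED = ["yoursite.com", "www.yoursite.com", "api.staging.yoursite.com",
            "www.yourotherbrand.com"]

if __name__ == "__main__":
    now = datetime(2031, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
    print(audit(SAMPLE_CERT, REQUIRED, now))
```

Run on a schedule against `fetch_cert("yoursite.com")`, the same `audit` call confirms that an automated renewal actually replaced the certificate.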
A certificate is one layer. For everything around it, secure hosting, software updates, sensible access controls, see our guide to website security that goes beyond the cert itself.
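
For the mixed-content item in the list above, a template or rendered page can be scanned before it ships rather than waiting for console warnings. This is an added example, not code from the original page: the class and function names and the sample HTML are constructed. It flags only tags that make the browser fetch a subresource, so ordinary `<a href>` links and canonical links are ignored.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe"}                      # can rewrite the whole page
PASSIVE_TAGS = {"img", "audio", "video", "source"}      # display-only content

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (line, tag, url, kind)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Only stylesheet links load a subresource that can restyle the page.
            if "stylesheet" not in (a.get("rel") or "").lower().split():
                return
            url, kind = a.get("href"), "active"
        elif tag in ACTIVE_TAGS:
            url, kind = a.get("src"), "active"
        elif tag in PASSIVE_TAGS:
            url, kind = a.get("src"), "passive"
        else:
            return                  # <a href> is navigation, not mixed content
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url.strip(), kind))

def find_mixed_content(html: str):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.yoursite.com/site.css">
<link rel="canonical" href="http://yoursite.com/">
<script src="https://cdn.yoursite.com/app.js"></script>
</head><body>
<a href="http://yoursite.com/old">old link</a>
<img src="http://yoursite.com/logo.png">
<script src="//cdn.yoursite.com/ok.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, kind in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url} ({kind})")
```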
Common questions
Is a free SSL certificate good enough?
For most sites, yes. A free DV certificate encrypts traffic with the same strength as a paid one. The trade-offs are shorter validity periods, which makes auto-renewal essential, and no organizational vetting. If you only need encryption, free DV does the job.
Wildcard or single certificate, which do I need?
If you run a single site on one hostname (with its www counterpart), a single-domain certificate is cheaper and entirely sufficient. Reach for a wildcard once you have, or expect to add, several subdomains like blog, shop, and app, since one *.yoursite.com certificate covers them all and saves you reissuing every time you launch a new one. If instead you manage several separate domains, a multi-domain (SAN) certificate consolidates them. Match coverage to how your hostnames are laid out, not to the most expensive option on the page.
What breaks when a certificate expires?
The connection still encrypts, but the browser can no longer trust the certificate, so it shows a prominent warning before the page loads. Most visitors leave at that point. Search crawlers treat it as a red flag too. Expiry is a self-inflicted outage, which is exactly why auto-renewal matters.
Does an SSL certificate help my search ranking?
HTTPS has been a ranking signal for years, and browsers actively label HTTP pages as "not secure." The SEO lift from any single certificate is modest, but running without HTTPS now costs you trust and visibility in ways that are hard to recover.
Strip away the marketing and the decision is simple. Pick a certificate for the encryption it provides and the identity checking you genuinely need, choose coverage that matches your hostnames, then make sure it redirects properly and renews on its own. For most sites that means a well-configured DV certificate beats an expensive one left to lapse. Browse our SSL certificates and match the validation level to what your site actually requires.
Written by
EnsureDomains Team



