A complete guide to SSL certificate types

DV, OV, EV, wildcard, multi-domain—SSL certificate types can be confusing. Learn which type you need and why it matters for your website.

Shopping for an SSL certificate can feel overwhelming. Domain validation, organization validation, extended validation, wildcard certificates, multi-domain certificates, SAN certificates—the terminology seems designed to confuse.

But understanding SSL certificate types doesn't have to be complicated. This guide breaks down everything you need to know to make the right choice for your website.

The three validation levels

SSL certificates come in three validation levels: Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV). The difference lies in how thoroughly the certificate authority verifies your identity before issuing the certificate.

Domain Validation (DV) is the simplest and fastest option. The certificate authority only verifies that you control the domain—typically by asking you to add a DNS record, upload a file to your server, or respond to an email sent to an address at that domain.

DV certificates can be issued in minutes, sometimes automatically. They're the cheapest option (often free through Let's Encrypt) and provide the same encryption strength as more expensive certificates.

The downside? DV certificates don't verify who you are, only that you control the domain. This makes them unsuitable for situations where establishing organizational identity is important.

Organization Validation (OV) adds a layer of verification. Before issuing an OV certificate, the certificate authority confirms that your organization legally exists and that you're authorized to request a certificate on its behalf.

This process typically takes a few days and requires submitting documentation. The resulting certificate includes your organization's name in the certificate details, providing additional trust signals to visitors who check.

OV certificates cost more than DV certificates but less than EV certificates. They're a good middle ground for businesses that want some identity verification without the full EV process.

Extended Validation (EV) is the most rigorous option. Certificate authorities perform extensive background checks, verifying your organization's legal existence, physical location, and operational status. They also confirm that the person requesting the certificate is authorized to do so.

EV certificates used to display the organization name in a green address bar, providing a clear visual trust signal. Browsers have since removed this indicator, reducing the visible difference between EV and other certificate types.

Despite this change, EV certificates still provide the highest level of identity verification. For financial institutions, large e-commerce sites, and other organizations where trust is paramount, EV certificates may still be worthwhile.

Single domain, wildcard, and multi-domain certificates

Beyond validation level, SSL certificates differ in how many domains they cover.

Single domain certificates protect exactly one domain. A certificate for example.com covers only example.com—not www.example.com, not blog.example.com, not any other subdomain.

In practice, most certificate authorities include both the bare domain and the www subdomain in single domain certificates, but you shouldn't assume this. Always check which names the certificate actually lists.

Wildcard certificates protect a domain and all its subdomains at one level. A wildcard certificate for *.example.com covers blog.example.com, shop.example.com, api.example.com, and any other subdomain.

However, wildcards only work one level deep. A certificate for *.example.com does not cover dev.api.example.com. You'd need a separate certificate for *.api.example.com or a multi-domain certificate.

Wildcard certificates are convenient for organizations with many subdomains. Instead of managing separate certificates for each subdomain, you maintain one wildcard certificate.

The trade-off is security. If a wildcard certificate is compromised, all subdomains are affected. Some organizations prefer separate certificates for critical subdomains (like payment processing) to limit the blast radius of a potential compromise.

Multi-domain certificates (also called SAN certificates, for Subject Alternative Name) can protect multiple different domains with a single certificate. A multi-domain certificate might cover example.com, example.org, and example.net all in one certificate.

Multi-domain certificates are useful for organizations that operate multiple websites and want to simplify certificate management. They're also necessary for certain use cases, like unified communications servers that need to present multiple domain names.
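The coverage rules above, as an added example that is not part of the original article: it checks constructed Subject Alternative Name lists against a constructed host inventory, using the one-label wildcard rule. It also shows that a wildcard certificate protects the bare domain only when that name is listed as its own entry. The names CERTS, HOSTS and the helper functions are assumptions made for illustration.

```python
# Added example (not from the original page): SAN coverage, RFC 6125-style rules.

def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never spans more (or fewer) labels
    if "*" in "".join(p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False  # only a whole left-most "*" label is honoured here
    if p[0] == "*":
        # Simplification: require at least *.label.tld; real clients also
        # consult the public suffix list before accepting a wildcard.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covering_entry(san_list, hostname):
    """Return the first SAN entry that covers hostname, or None."""
    return next((s for s in san_list if san_matches(s, hostname)), None)

def uncovered(san_list, hostnames):
    """Hostnames from an inventory that this certificate does not protect."""
    return [h for h in hostnames if covering_entry(san_list, h) is None]

# Constructed SAN lists mirroring the certificate types in the text.
CERTS = {
    "single":          ["example.com"],
    "wildcard":        ["*.example.com"],
    "wildcard + apex": ["*.example.com", "example.com"],
    "multi-domain":    ["example.com", "example.org", "example.net"],
}
# Constructed inventory of names a site might serve.
HOSTS = ["example.com", "www.example.com", "blog.example.com",
         "dev.api.example.com", "example.org"]

if __name__ == "__main__":
    for label, sans in CERTS.items():
        print(f"{label:16} does not cover: {uncovered(sans, HOSTS)}")
```

Running the same check against the names your servers actually answer to shows gaps before a browser warning does.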

How to choose the right certificate

The right certificate depends on your specific needs. Here's a simple decision framework.

For personal websites and blogs: A free DV certificate from Let's Encrypt is usually sufficient. You get strong encryption without any cost.

For small business websites: DV certificates work well for most small businesses. If you want the additional trust signal of having your organization name in the certificate, consider an OV certificate.

For e-commerce sites: At minimum, use a DV certificate. If you process payments on your own site (rather than redirecting to a payment processor), consider OV or EV for the additional trust signals.

For financial services and large enterprises: EV certificates provide the highest level of verification. Even though browsers no longer display the green bar, the rigorous verification process may be required for compliance or simply expected by your customers.

For sites with many subdomains: Wildcard certificates simplify management. Consider whether the security trade-offs are acceptable for your use case.

For organizations with multiple domains: Multi-domain certificates reduce the number of certificates you need to manage.

The challenge of managing multiple certificates

As your organization grows, so does your certificate portfolio. What starts as a single certificate for your main website can quickly expand to include:

  • Your primary domain and www subdomain
  • API endpoints
  • Staging and development environments
  • Marketing microsites
  • Internal tools and dashboards
  • Email servers
  • Mobile app backends

Before you know it, you're managing a dozen or more certificates, each with its own expiration date, validation requirements, and renewal process.

This complexity is where things go wrong. A certificate for a critical subdomain expires because it was set up by someone who left the company two years ago. A wildcard certificate renewal fails because the DNS verification process changed. An API endpoint goes down because nobody remembered it had a separate certificate.

Managing multiple certificates doesn't have to be chaos. CheckYourSSL gives you a single dashboard to monitor all your certificates—across domains, subdomains, and servers. Get alerts before any certificate expires, whether it's a simple DV cert or a complex multi-domain setup. Join the beta and take control of your certificate management.

Free vs. paid certificates

Let's Encrypt has revolutionized the SSL market by offering free, automated DV certificates. For many websites, there's no longer any reason to pay for a certificate.

Free certificates from Let's Encrypt provide the same encryption strength as paid alternatives. They're trusted by all major browsers and work for most use cases.

However, there are reasons you might still choose a paid certificate:

Higher validation levels. Let's Encrypt only offers DV certificates. If you want OV or EV, you'll need to pay.

Warranty. Paid certificates often include warranties that provide financial protection if something goes wrong due to a certificate failure. Free certificates don't include this protection.

Support. When you pay for a certificate, you typically get customer support. With free certificates, you're mostly on your own.

Certificate lifespan. Let's Encrypt certificates are valid for only 90 days, requiring frequent renewal. Paid certificates are typically valid for one year. If you can't automate renewals, longer validity periods reduce the risk of accidental expiration.

Organizational requirements. Some organizations have policies requiring paid certificates from specific vendors.

For most websites, free certificates are perfectly adequate. But evaluate your specific needs before deciding.

Certificate authority reputation matters

Not all certificate authorities are equally trustworthy. Over the years, several CAs have been caught issuing certificates improperly, leading to their certificates being distrusted by browsers.

Stick with well-known, reputable certificate authorities. Major players include:

  • Let's Encrypt (free DV certificates)
  • DigiCert
  • Sectigo (formerly Comodo)
  • GlobalSign
  • GoDaddy

Avoid obscure certificate authorities, especially those offering prices that seem too good to be true. A certificate from a compromised or distrusted CA is worse than no certificate at all.

The certificate lifecycle

Understanding the certificate lifecycle helps you manage certificates effectively.

Issuance: You generate a certificate signing request (CSR), submit it to a certificate authority, complete validation, and receive your certificate.

Installation: You install the certificate on your server, along with any intermediate certificates needed to establish the chain of trust.

Monitoring: You track when the certificate will expire, typically setting alerts for 30, 14, and 7 days before expiration.

Renewal: Before expiration, you repeat the issuance process to get a new certificate. Some services automate this entirely.

Revocation: If a certificate is compromised, you can request revocation to prevent it from being trusted. This is a security measure, not part of the normal lifecycle.

Each stage requires attention. A mistake at any point—losing your private key, failing to install intermediate certificates, missing a renewal deadline—can cause problems.
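The Monitoring stage above, as an added example that is not part of the original article: it ranks a certificate inventory by days remaining and applies the 30, 14 and 7 day alert thresholds. The inventory, the fixed clock NOW and the function names are constructed for illustration; fetch_not_after is the live lookup and needs network access.

```python
# Added example (not from the original page): expiry triage with 30/14/7-day alerts.
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 14, 7)  # thresholds named in the Monitoring stage

def days_left(not_after: str, now: datetime) -> int:
    """Whole days until a getpeercert()-style notAfter; negative once expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def alert_level(days: int):
    """'expired', the tightest threshold crossed (7, 14 or 30), or None."""
    if days < 0:
        return "expired"
    crossed = [t for t in ALERT_DAYS if days <= t]
    return min(crossed) if crossed else None

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live lookup (needs network): notAfter of the certificate a server presents.
    An already expired or untrusted certificate fails the handshake and raises
    ssl.SSLCertVerificationError, which a monitor should treat as an alert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def triage(inventory: dict, now: datetime) -> list:
    """(days_left, host, level) tuples, most urgent certificate first."""
    rows = sorted((days_left(na, now), host) for host, na in inventory.items())
    return [(d, h, alert_level(d)) for d, h in rows]

# Constructed inventory: host -> notAfter in the format getpeercert() returns.
INVENTORY = {
    "www.example.com":  "Aug 30 12:00:00 2025 GMT",
    "api.example.com":  "Jun 21 00:00:00 2025 GMT",
    "shop.example.com": "Jun 11 00:00:00 2025 GMT",
    "mail.example.com": "Jun  4 00:00:00 2025 GMT",
    "old.example.com":  "May 20 00:00:00 2025 GMT",
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable

if __name__ == "__main__":
    for days, host, level in triage(INVENTORY, NOW):
        print(f"{host:18} {days:4d} days  alert={level}")
```

In a scheduled job, replace the constructed dates with fetch_not_after(host) for each name and pass datetime.now(timezone.utc) as the clock.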

Conclusion

SSL certificates don't have to be confusing. For most websites, a free DV certificate from Let's Encrypt is the right choice. Organizations with specific trust or compliance requirements might need OV or EV certificates.

Whatever certificate type you choose, the most important thing is keeping it valid. An expired EV certificate provides no more security than an expired DV certificate—both will trigger browser warnings and drive visitors away.

Choose the right certificate, install it correctly, and monitor it diligently. That's the formula for SSL success.