DV, OV, and EV Certificates: Choosing the Right SSL Certificate for Your Site

Rishav Kumar · November 17, 2024 · 3 min read

If you have shopped for an SSL certificate, you have probably seen DV, OV, and EV listed as options at very different price points. The encryption they provide is identical. The difference is in what the certificate authority verified before issuing the certificate.

DV — Domain Validated

A domain-validated certificate requires only that you prove you control the domain. The CA sends an email to an admin address on the domain, or asks you to add a specific DNS record, or place a file on the web server. Complete any one of those checks and the certificate is issued, often within minutes. Let's Encrypt DV certificates are free and automated.

DV certs are appropriate for most websites. They encrypt traffic between the visitor and the server, which is the primary reason to have HTTPS. What they do not do is confirm who owns or operates the site.

OV — Organization Validated

An OV certificate requires the CA to verify the legal existence of the organization behind the domain. The CA checks that the company is registered, that the domain is registered to or controlled by that company, and that the contact person is authorized to request the certificate. This takes hours to a few days.

OV certificates are common for business sites, government sites, and any context where visitors might want some assurance that there is a real company behind the domain. The certificate contains the organization name, which is visible if someone inspects the cert — though most browsers do not surface this in the UI.

EV — Extended Validation

EV certificates require the most rigorous vetting. The CA verifies legal entity existence, physical address, phone number, and operational status. The process is more involved and more expensive. EV certificates used to show the company name in a green address bar in most browsers.

Modern browsers have largely removed the green bar UI treatment, which has reduced the practical difference between OV and EV from a visitor's perspective. Some organizations still prefer EV for internal compliance or policy reasons, but its visible security signal to end users has diminished.

Wildcard Certificates

A wildcard certificate covers a domain and all of its one-level subdomains. *.example.com covers www.example.com, blog.example.com, api.example.com, and any other subdomain — but not sub.api.example.com (two levels deep). Wildcards are available as DV or OV.

They are useful if you run multiple subdomains on the same domain and do not want to manage separate certificates for each. Let's Encrypt issues free wildcard certs, though the issuance requires DNS validation (you add a TXT record) rather than the simpler HTTP file method.

Multi-Domain (SAN) Certificates

Subject Alternative Name certificates let you cover multiple different domains with a single certificate. One cert might cover example.com, example.co.uk, and othersite.com. This is useful for agencies managing many client sites or businesses with multiple domains that land on the same server.
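
The coverage rules from the wildcard and multi-domain sections above can be checked mechanically. The following is an added example, not code from the original article: a strict hostname matcher in Python that rejects partial wildcards and uses constructed SAN lists; the function names are illustrative.

```python
# Added example (not from the original article): does a certificate's SAN
# list cover a hostname? The SAN lists below are constructed sample data.

def _labels(name):
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """Return True if a single SAN dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in h or len(p) != len(h):
        # "*" stands in for exactly one label, so label counts must agree.
        return False
    if any("*" in label for label in p[1:]):
        return False          # wildcard is only valid in the leftmost label
    if p[0] == "*":
        # Simplified guard against over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False          # partial wildcards ("w*.example.com") rejected
    return p == h

def cert_covers(san_list, hostname):
    """Return the SAN entries that match hostname (empty list = not covered)."""
    return [san for san in san_list if san_matches(san, hostname)]

# Constructed SAN lists mirroring the article's two examples. The bare domain
# is listed separately: the wildcard entry alone does not match example.com.
WILDCARD_CERT = ["*.example.com", "example.com"]
MULTI_DOMAIN_CERT = ["example.com", "example.co.uk", "othersite.com"]

if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com",
                 "sub.api.example.com", "example.com"):
        print(f"wildcard cert  {host:22} -> {cert_covers(WILDCARD_CERT, host)}")
    for host in ("example.co.uk", "www.othersite.com"):
        print(f"multi-domain   {host:22} -> {cert_covers(MULTI_DOMAIN_CERT, host)}")
```

An empty result for a hostname you serve means visitors to that name will get a certificate mismatch error, so it is worth running this kind of check against your full list of hostnames before ordering or renewing.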

What Most Sites Should Get

For the vast majority of websites, a free Let's Encrypt DV certificate is the right choice. It encrypts traffic, prevents the "Not Secure" browser warning, satisfies Google's HTTPS preference signal, and costs nothing. The additional validation in OV and EV matters for specific organizational or compliance contexts, not for typical websites.

The best certificate is one that renews automatically so you never hit an expiry. Most modern hosts handle this transparently. If yours does not, Let's Encrypt's Certbot tool handles automated renewal on nearly any server.