SSL Certificate Types: DV, OV, EV — Which One to Choose
An SSL certificate is an essential attribute of any modern website. Without one, browsers display a "Not Secure" warning, search engines lower rankings, and users lose trust. But SSL certificates come in different types, and choosing the right one depends on your business needs.
SSL Certificate Validation Levels
DV — Domain Validation
A DV certificate only confirms that you control the domain. The Certificate Authority verifies this through one of several methods: placing a file on the server, adding a DNS record, or email confirmation. The process takes from a few seconds to a few minutes.
DV characteristics:
- Minimal validation — domain ownership only
- Issued instantly (automatically)
- Free options: Let's Encrypt, ZeroSSL, Buypass Go
- Address bar shows a padlock icon with no additional organization information
- Ideal for personal websites, blogs, and small projects
OV — Organization Validation
An OV certificate confirms not only domain ownership but also the real existence of the organization. The Certificate Authority verifies the company's registration data, legal address, and phone number.
OV characteristics:
- Legal entity verification: registry, address, phone
- Issuance takes 1–3 business days
- Cost: $50–$200 per year
- Organization information is visible in the certificate details
- Recommended for business websites and corporate portals
EV — Extended Validation
An EV certificate requires the most rigorous organization verification. The Certificate Authority verifies legal status, physical address, the right to use the domain, and the authority of the applicant.
EV characteristics:
- The strictest verification according to CA/Browser Forum standards
- Issuance takes 5–14 business days
- Cost: $100–$1,000 per year
- Previously displayed the company name in the address bar (green bar), but since 2019, most browsers have removed this display
- Recommended for banks, payment systems, and large e-commerce stores
Comparison Table
| Parameter | DV | OV | EV |
|---|---|---|---|
| What is verified | Domain | Domain + organization | Domain + organization + extended verification |
| Issuance time | Minutes | 1–3 days | 5–14 days |
| Price | Free — $50 | $50–$200 | $100–$1,000 |
| User trust | Basic | Medium | Maximum |
| Best for | Personal projects, blogs | Business websites | Financial institutions |
| Warranty | None or minimal | $10K–$250K | $500K–$1.75M |
Coverage Types
Single-Domain Certificate
Protects only one domain: example.com. Usually also covers the www variant (www.example.com). The simplest and cheapest option.
Wildcard Certificate
Protects a domain and all its single-level subdomains: *.example.com. Covers blog.example.com, shop.example.com, api.example.com, and any other subdomain at that level. However, it does not cover subdomains nested one level deeper (dev.api.example.com).
Wildcard certificates are available for DV and OV levels. EV Wildcard certificates are not issued — this is a restriction of the CA/Browser Forum standards.
Multi-Domain Certificate (SAN/UCC)
A single certificate protects multiple different domains: example.com, example.ru, another-site.com. It uses the Subject Alternative Name (SAN) extension. Convenient when a company has multiple domains.
Let's Encrypt and Free Certificates
Let's Encrypt is a nonprofit Certificate Authority that issues free DV certificates. Since its launch in 2015, it has revolutionized SSL/TLS adoption — today, over 80% of websites use HTTPS.
Advantages of Let's Encrypt
- Completely free
- Automatic issuance and renewal via the ACME protocol
- Supported by all modern browsers
- Wildcard certificate issuance via DNS-01 challenge
- Huge community and numerous tools (Certbot, acme.sh)
Limitations of Let's Encrypt
- DV level only — no organization validation
- Validity period — 90 days (requires automatic renewal)
- Rate limits: 50 certificates per domain per week
- No financial warranty or extended support
- Not suitable for organizations that need OV/EV
Automatic Renewal
Set up automatic renewal via cron:
```
# Certbot — automatic renewal twice a day
0 0,12 * * * certbot renew --quiet --post-hook "systemctl reload nginx"
```
Without automatic renewal, the certificate will expire after 90 days, and your site will become inaccessible via HTTPS.
How to Check an SSL Certificate
Regular SSL certificate checks help avoid problems:
- enterno.io SSL checker — check the certificate, chain, protocol, and ciphers
- Browser — click the padlock icon in the address bar for basic information
- openssl — for detailed command-line inspection
What to look for when checking:
| Parameter | What to verify |
|---|---|
| Validity period | At least 30 days until expiration |
| Chain of trust | Complete chain from certificate to root CA |
| Domain match | Domain in certificate matches the actual domain |
| TLS protocol | TLS 1.2 or 1.3, no TLS 1.0/1.1 |
| Cipher suites | Modern ciphers, no deprecated ones |
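The validity, domain-match and protocol rows of this checklist, together with the wildcard rule from the Coverage Types section, can be scripted; the following is an added example, not code from the original page or from any tool it names. The function names `san_matches`, `check_cert` and `fetch` and the sample certificate are assumptions made for illustration; cipher suites are not evaluated.

```python
import socket
import ssl
from datetime import datetime, timezone

def san_matches(pattern: str, host: str) -> bool:
    """Compare one SAN DNS entry with a hostname; '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):  # *.example.com fits neither example.com nor dev.api.example.com
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert(cert: dict, host: str, tls_version: str, now: datetime, min_days: int = 30) -> dict:
    """Apply the checklist to a dict shaped like ssl.SSLSocket.getpeercert() output."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "days_left": days_left,
        "validity_ok": days_left >= min_days,
        "domain_ok": any(san_matches(name, host) for name in names),
        "protocol_ok": tls_version in ("TLSv1.2", "TLSv1.3"),
    }

def fetch(host: str, port: int = 443):
    """Live lookup. The default context validates chain and hostname during the handshake
    and raises ssl.SSLCertVerificationError on failure, e.g. an untrusted or incomplete chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()

# Constructed sample: apex listed next to the wildcard, expiring 19 days after NOW.
SAMPLE = {
    "notAfter": "Jun 20 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
NOW = datetime(2030, 6, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name in ("example.com", "shop.example.com", "dev.api.example.com"):
        print(name, check_cert(SAMPLE, name, "TLSv1.3", NOW))
```

For a live host, pass the two values returned by `fetch("your-domain")` into `check_cert` along with `datetime.now(timezone.utc)`.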
Which Certificate to Choose
For a personal blog or pet project
Let's Encrypt DV — free, automatic, sufficient for basic HTTPS.
For a business website or online store
An OV certificate from a trusted CA (Sectigo, DigiCert, GlobalSign). Organization validation increases trust for B2B clients.
For a bank, payment system, or government service
An EV certificate from a major CA. Maximum verification and financial warranties.
For many subdomains
Wildcard DV (Let's Encrypt) or Wildcard OV (paid). One certificate instead of dozens of individual ones.
For multiple domains
A multi-domain SAN certificate. Simplifies certificate management.
Common SSL Mistakes
- Incomplete certificate chain — intermediate certificate not installed, some clients cannot establish trust
- Mixed content — page loads over HTTPS but fetches resources over HTTP
- Forgotten renewal — certificate expires and the site becomes "not secure"
- Incorrect SNI — server hosts multiple sites and serves the wrong domain's certificate
- Outdated protocols — TLS 1.0 and 1.1 have been considered insecure since 2020
Try It Yourself
Check your website's SSL certificate with the enterno.io SSL checker — find out the certificate type, validity period, chain of trust, and supported protocols.