In this lesson we’ll talk about SSL certificate types, so stick with us if you want to know what EV, DV and OV certificates are, as well as what are Wildcard and SAN SSL certificates.
There are 3 types of SSL based upon a level of identity authentication/validation:
Extended Validation (EV), Organization Validation (OV) and Domain Validation (DV)
What does that mean?
In the first lesson, we said that there are two purposes of SSL certificates: encryption and authentication. All validation levels provide the same encryption level, so no differences there, but they differ based on how many levels of identity checks they’ve passed. Validation level determines how the certificate or the website address will look in browsers.
The procedure for identity verification is defined by the CA/Browser forum. It applies to all CAs and all customers.
EV SSL is recommended SSL certificate type for banks, financial institutions, web shops, high profile brands and other websites that collect sensitive information.
To get the EV SSL, the website owner (which has to be an organization) must:
The identity of the organization must match the official records.
Verified information is written in the certificate and the name of the website owner is visible in the address bar, highlighted in green
OV SSL certificates are recommended for public-facing websites that deal with less sensitive transactions or require log-in.
The verification process for OV SSL is a bit simpler. The CA checks the domain rights, as well as the identity of the organization. The organization has to exist in the official records. Verified information is written in the certificate but the name of the website owner is not visible in the address bar and the padlock icon is not green in every browser.
DV SSL represents the simplest SSL certification. It’s the lowest level of validation. They are recommended for internal websites.
For Domain Validation SSL certificates CA only checks if the entity has domain rights. This type of certificate can be issued to anyone who can prove they have control over the domain, including individuals, and they are issued within minutes.
DV confirms that the domain is registered, and someone with administrative rights is aware of and approves the certificate request, but not the legitimacy of the organization requesting the certificate. In other words, if you bought the domain “faceb00k.com” and requested a certificate for it, you would get the certificate because you own the domain.
A large number of phishing sites with SSL certificate, mostly DV, led to a big argument if the current Google Chrome interface, where all SSL sites are marked as Secure, is misleading. For that reason or another, that indicator will soon disappear from Chrome. OV and DV SSL certificates will only be marked with a padlock icon.
Although Chrome is not the only browser it is the most popular one and Chrome’s actions matter because other browsers follow Chrome’s example, so that whatever was once exclusive to Chrome soon becomes a general standard for all browsers.
SSL certificates usually apply to one domain (or one fully qualified domain name to be precise), but there are exceptions: Wildcard and SAN SSL certificates.
One certificate can secure the unlimited number of same level subdomains (or hosts) that share the same root domain. That kind of certificate is called Wildcard SSL certificate.
Here’s a bit better explanation. Let’s say that your root domain is mydomain.com.
With Wildcard SSL you can secure all its subdomains such as:
Wildcard SSL is generated if you write *. before your domain in the common name field of your CSR. In our example that would look like this: *.mydomain.com.
When it comes to validation type, Wildcard SSL certificates can be DV or OV, but not EV.
The second exception is the SAN/UC SSL certificate.
SAN is for Subject Alternative Name, UC is Unified Communication.
SAN/UC enables you to secure multiple domain names provided that you own all of them, or that you have domain rights.
In the SAN field, you can write for example
It looks as if there is no limitation when it comes to what you can list as SAN, but there is. For most SSL brands you can’t put IP address as SAN nor internal domain.
SAN doesn’t apply to an unlimited number of domains or subdomains, but only to those that you listed in your CSR.
SANs are basically additions to SSL certificates, meaning you can buy an SSL certificate plus as many SANs as you have domain names.
SAN/UC certificates can be DV, OV and EV.