Certificate Types Explained: DV, OV, EV, Self-Signed, and Wildcard

Understand the differences between DV, OV, EV, self-signed, wildcard, and SAN certificates -- when to use each, what they cost, and how trust works.


The Validation Spectrum

Not all TLS certificates are created equal. The TLS connection itself is equally strong whichever type you use; what differs is how much the Certificate Authority verifies about you before it issues the cert. That affects the identity assurance the certificate carries, not the strength of the encryption.

Domain Validation (DV)

DV certificates verify one thing: you control the domain. The CA confirms this with a challenge, typically one of:

  • HTTP challenge (ACME's HTTP-01) -- Place a specific file at http://yourdomain.com/.well-known/acme-challenge/TOKEN.
  • DNS challenge (ACME's DNS-01) -- Add a TXT record at _acme-challenge.yourdomain.com.
  • Email challenge -- Respond to an email sent to admin@yourdomain.com (or one of the few other addresses the CA/Browser Forum rules allow, such as webmaster@ or hostmaster@). Common with commercial CAs; not part of ACME.

That's it. No phone calls, no paperwork, no identity checks.
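As an added example (not from the original article), here is the arithmetic an ACME client performs to answer the HTTP-01 and DNS-01 challenges, using only openssl in POSIX sh. The account key is the public RSA JWK from RFC 7638 section 3.1, so the thumbprint can be checked against the value printed there; the token is a constructed sample, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: the client-side arithmetic
# behind the HTTP-01 and DNS-01 challenges (RFC 8555 sections 8.1, 8.3, 8.4),
# using only openssl. The account key is the public RSA JWK from RFC 7638
# section 3.1; the token is a constructed sample in the shape ACME uses.
set -eu

# base64url without padding, as ACME and JOSE require (stdin -> stdout)
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public
# members only (e, kty, n for RSA), keys in lexicographic order, no whitespace.
# Optional members such as "kid" or "alg" are deliberately left out.
jwk_thumbprint_rsa() {  # $1 = n (base64url), $2 = e (base64url)
  printf '{"e":"%s","kty":"RSA","n":"%s"}' "$2" "$1" \
    | openssl dgst -sha256 -binary | b64url
}

# Key authorization = token "." thumbprint. For HTTP-01 this exact string is
# the body the CA fetches from http://<domain>/.well-known/acme-challenge/<token>.
key_authorization() {  # $1 = token, $2 = account key thumbprint
  printf '%s.%s' "$1" "$2"
}

# DNS-01 publishes base64url(SHA-256(key authorization)) in a TXT record at
# _acme-challenge.<domain>; the key authorization itself never appears in DNS.
dns01_txt_value() {  # $1 = key authorization
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# RFC 7638 section 3.1 example key (public part only)
RFC7638_E='AQAB'
RFC7638_N='0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw'
# Constructed sample token; real ones are random base64url from the CA
SAMPLE_TOKEN='AbCdEf0123456789-_sampleTokenForDemoOnlyXYZ'

case "${1:-}" in
  demo)
    thumb=$(jwk_thumbprint_rsa "$RFC7638_N" "$RFC7638_E")
    keyauth=$(key_authorization "$SAMPLE_TOKEN" "$thumb")
    printf 'account key thumbprint : %s\n' "$thumb"
    printf 'HTTP-01 body at /.well-known/acme-challenge/%s :\n  %s\n' "$SAMPLE_TOKEN" "$keyauth"
    printf 'DNS-01 TXT at _acme-challenge.<domain> : %s\n' "$(dns01_txt_value "$keyauth")"
    ;;
esac
```

Run it with `sh acme-challenge.sh demo`. The practical use is debugging a failed validation: fetch the challenge URL yourself and compare the body with the key authorization, and check that the thumbprint was computed over a JWK stripped down to its required members; a JWK that still carries "kid" or "alg" produces a different thumbprint and the CA will reject the response.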

When to Use DV

DV is the right choice for most websites, APIs, and internal services. Let's Encrypt issues DV certificates for free, and the entire process is automated via the ACME protocol.

Cost:       Free (Let's Encrypt) to ~$10/year (commercial CAs)
Issuance:   Minutes (automated)
Trust:      Browser shows padlock, no organization info

If you're running a web app, API, or blog, DV is almost certainly what you need.

Organization Validation (OV)

OV certificates verify domain ownership plus the organization behind it. The CA checks business registration documents, phone numbers, and physical addresses before issuing.

When you click the padlock on an OV cert, you can see the organization name in the certificate details. But here's the thing: browsers don't visually distinguish OV from DV. There's no special indicator. Users have to dig into certificate details to see the difference.

Cost:       $50-$200/year
Issuance:   1-3 business days
Trust:      Same padlock as DV; org info visible in cert details

When to Use OV

OV makes sense when you need to prove organizational identity to auditors or compliance teams -- not to end users. Government sites and enterprise applications sometimes require OV for policy reasons.

Extended Validation (EV)

EV certificates require the most rigorous verification: legal identity, physical address, operational existence, and the authority of the person requesting the certificate. The process often involves a legal opinion letter or notarized documents.

EV used to show the organization name in a green address bar. Safari dropped that in 2018, and Chrome and Firefox followed in 2019. Chrome, Firefox, Safari, and Edge now display EV certificates identically to DV certificates. The green bar is gone.

Cost:       $150-$500+/year
Issuance:   1-2 weeks
Trust:      Same padlock as DV and OV; no visible distinction

When to Use EV

Honestly? Rarely. The visual distinction is gone, and a DV certificate provides the same TLS security. EV still has a niche in code-signing certificates (a different certificate type, where the identity behind the signature is the whole point) and in industries where compliance mandates it. For web servers, the cost and hassle are hard to justify.

Self-Signed Certificates

A self-signed certificate is one where the issuer and subject are the same entity -- you sign your own certificate instead of having a CA sign it.

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes \
  -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

The -addext flag (OpenSSL 1.1.1 and newer) puts a Subject Alternative Name in the certificate. Browsers match the hostname against the SAN, not the CN, so a self-signed cert without one fails hostname verification even after you have trusted it.

Browsers will display a scary warning because the certificate isn't signed by a trusted CA. There's no chain of trust -- the client has no reason to believe the certificate is legitimate.

When to Use Self-Signed

  • Local development -- You need HTTPS on localhost and don't want to set up a real CA.
  • Internal services -- Services on a private network where you control every client and can install the certificate itself (or, better, the cert of a small private CA that issued it) as a trust anchor.
  • Testing -- Validating TLS configurations, testing certificate parsing, experimenting with different key types.
  • CI/CD pipelines -- Automated tests that need TLS without external dependencies.

Self-signed certificates are not appropriate for anything public-facing. Users won't (and shouldn't) click through browser warnings.
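To see what the missing chain of trust looks like to a verifier, here is an added example (not part of the original article) that builds a tiny private CA next to a bare self-signed cert and runs openssl verify against both. The hostnames app.internal.example and localhost, the file names, the section names in the config and the 30-day lifetimes are arbitrary choices for this demo; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original article: a throwaway private CA, one
# leaf certificate signed by it, and a plain self-signed certificate side by
# side, so `openssl verify` can show what "no chain of trust" means in
# practice. File names, the demo hostnames and the 30-day lifetimes are
# arbitrary choices for this example. Needs OpenSSL 1.1.1 or newer.
set -eu

# One config file with every extension section the demo needs, so nothing
# depends on the system openssl.cnf.
write_config() {  # $1 = path to write
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.internal.example
[ v3_self ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
}

build_test_pki() {  # $1 = working directory; creates ca.*, leaf.*, self.*
  dir=$1
  write_config "$dir/tls.cnf"

  # 1. Private CA root: self-signed like any root, but marked CA:TRUE with
  #    keyCertSign, which is what lets it vouch for other certificates.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$dir/tls.cnf" -extensions v3_ca -subj "/CN=Demo Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. Leaf: a CSR, then a certificate signed with the CA key. The SAN comes
  #    from the signer's config, not from the CSR, the same way a public CA
  #    decides what it is willing to sign.
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$dir/tls.cnf" -subj "/CN=app.internal.example" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -days 30 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/tls.cnf" -extensions v3_leaf -out "$dir/leaf.crt" 2>/dev/null

  # 3. Plain self-signed leaf, the article's one-liner with a SAN added:
  #    issuer == subject and no CA behind it.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$dir/tls.cnf" -extensions v3_self -subj "/CN=localhost" \
    -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
}

# Exit status is openssl's: 0 when $2 chains to the trust anchor in $1.
verify_against() {  # $1 = trust anchor PEM, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The SAN entries of a certificate, as one line
cert_san() {  # $1 = PEM certificate
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | sed 's/^[[:space:]]*//'
}

case "${1:-}" in
  demo)
    d=$(mktemp -d)
    build_test_pki "$d"
    for pair in "ca.crt leaf.crt" "ca.crt self.crt" "self.crt self.crt"; do
      set -- $pair
      if verify_against "$d/$1" "$d/$2"; then r=trusted; else r=REJECTED; fi
      printf 'anchor=%-9s cert=%-9s %s\n' "$1" "$2" "$r"
    done
    printf 'leaf SAN: %s\n' "$(cert_san "$d/leaf.crt")"
    rm -rf "$d" ;;
esac
```

Run it with `sh test-pki.sh demo`. The leaf verifies against ca.crt, the self-signed cert is rejected by that anchor, and the self-signed cert only verifies when it is itself made the anchor. For the internal-services case above, the first shape is the one to prefer: distribute ca.crt to every client once, keep ca.key off the servers, and issue leaves as needed; trusting a self-signed leaf directly works, but it has to be repeated for every certificate and every rotation.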


Wildcard Certificates

A wildcard certificate covers a domain and all its single-level subdomains using an asterisk:

*.example.com

This matches www.example.com, api.example.com, and staging.example.com. It does not match example.com itself (you need to include that as a separate SAN) and it does not match sub.sub.example.com: a wildcard only covers one label. The asterisk is only allowed as the entire leftmost label, so public CAs will not issue partial wildcards like w*.example.com.

When to Use Wildcards

Wildcards are useful when you have many subdomains and want to manage a single certificate. They're common in platform setups where each customer gets a subdomain (customer1.app.com, customer2.app.com).

Cost:       Same as the base cert type (DV wildcard, OV wildcard, etc.)
Issuance:   DNS challenge only under ACME (HTTP-01 proves control of one hostname, not of every name under a domain)
Risk:       If the private key leaks, an attacker can impersonate every subdomain, not just the one it leaked from

The security trade-off is real. A single wildcard cert on multiple servers means the private key exists in multiple places. Consider whether separate certificates per service (easily automated with ACME) might be a better fit.

SAN / Multi-Domain Certificates

Subject Alternative Name (SAN) certificates cover multiple specific domains in a single certificate:

X509v3 Subject Alternative Name:
    DNS:example.com
    DNS:www.example.com
    DNS:api.example.com
    DNS:example.net

Unlike wildcards, SANs list each domain explicitly. You can mix completely different domains on one cert. Most commercial CAs charge per SAN entry.

When to Use SAN Certificates

  • You have a small, known set of domains sharing one server or load balancer.
  • You want example.com and www.example.com on one cert (this is the most common case; any ACME client can request both names in a single order).
  • You run multiple domains behind one IP and need them all covered.

In practice, every modern certificate uses SANs. Even a single-domain cert has that domain listed as a SAN entry. The CN field alone hasn't been sufficient for years: Chrome stopped falling back to it in 2017, and the other major browsers ignore it as well.
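The wildcard rules above and the SAN matching described here are the same check, so here is one added example (not from the original article) of the hostname check a TLS client performs against a SAN list, written in POSIX sh. The SAN strings are constructed samples in the format that `openssl x509 -noout -ext subjectAltName` prints; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: the hostname check a TLS
# client performs against a certificate's SAN list, written in POSIX sh.
# The SAN strings below are constructed samples in the format that
# `openssl x509 -noout -ext subjectAltName` prints.
set -eu

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Match one DNS SAN entry against a hostname (RFC 6125 section 6.4.3 as
# browsers and the CA/Browser Forum apply it): a wildcard is honoured only as
# the entire leftmost label and matches exactly one label. So *.example.com
# covers api.example.com, but not example.com and not a.b.example.com.
dns_name_matches() {  # $1 = SAN pattern, $2 = hostname; status 0 on match
  pat=$(lower "$1"); name=$(lower "$2")
  case "$pat" in
    \*.*)                                   # wildcard as whole leftmost label
      suffix=${pat#\*.}
      case "$name" in
        *."$suffix")
          first=${name%."$suffix"}          # the label the wildcard stands for
          case "$first" in
            '' | *.*) return 1 ;;           # empty, or more than one label
            *)        return 0 ;;
          esac ;;
        *) return 1 ;;                      # includes the bare domain itself
      esac ;;
    *\**) return 1 ;;                       # w*.example.com, *api.example.com: rejected
    *)    [ "$pat" = "$name" ] ;;           # plain entries must match exactly
  esac
}

# Walk a SAN list ("DNS:a, DNS:*.b, IP Address:10.0.0.5") and report whether
# the requested name is covered. The CN is deliberately never consulted:
# clients stopped falling back to it years ago.
cert_covers_host() {  # $1 = SAN list, $2 = hostname or IP literal
  want=$2
  set -f                                    # entries contain '*': no globbing
  saved_ifs=$IFS; IFS='
'
  for entry in $(printf '%s' "$1" | tr ',' '\n'); do
    IFS=$saved_ifs
    entry=${entry#"${entry%%[! ]*}"}        # strip leading spaces
    case "$entry" in
      DNS:*)          dns_name_matches "${entry#DNS:}" "$want" && { set +f; return 0; } ;;
      "IP Address:"*) [ "${entry#IP Address:}" = "$want" ] && { set +f; return 0; } ;;
    esac
  done
  IFS=$saved_ifs; set +f
  return 1
}

# Constructed sample SAN list, as openssl would print it
SAMPLE_SANS='DNS:example.com, DNS:*.example.com, IP Address:10.0.0.5'

case "${1:-}" in
  demo)
    for h in example.com api.example.com deep.api.example.com 10.0.0.5 example.net; do
      if cert_covers_host "$SAMPLE_SANS" "$h"; then printf '%-24s covered\n' "$h"
      else printf '%-24s NOT covered\n' "$h"; fi
    done ;;
esac
```

Run it with `sh san-match.sh demo`. Two details are worth noticing: matching is case-insensitive, and the shell's own `*` glob is switched off while walking the list, because a naive `case $host in *.example.com)` would happily match deep.api.example.com, which is exactly the mistake a wildcard certificate does not make.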

Quick Comparison

Type         Validates                      Visual Indicator        Cost            Issuance Time
DV           Domain control                 Padlock                 Free-$10/yr     Minutes
OV           Domain + org identity          Padlock (same as DV)    $50-$200/yr     1-3 days
EV           Domain + org + legal           Padlock (same as DV)    $150-$500+/yr   1-2 weeks
Self-signed  Nothing                        Browser warning         Free            Instant
Wildcard     Domain (one level of subdomains)  Padlock              Varies by type  Varies
SAN          Multiple named domains         Padlock                 Varies by type  Varies

What Should You Choose?

For most developers and most projects: DV certificates from Let's Encrypt. They're free, automated, and provide the same encryption and browser treatment as expensive alternatives.

For development and testing: self-signed certificates. Generate one in seconds, use it locally, throw it away.

For compliance-driven environments: OV or EV, but only because someone in legal or audit requires it, not because it provides better security.

For multi-subdomain setups: wildcards for convenience, or individual DV certs via ACME automation for better security isolation.

