TLS and HTTPS Internals

Certificate Types — DV, OV, EV, And SAN


Walk into any SSL certificate marketplace and you'll see prices ranging from free to $2,000 a year. They all produce the same green padlock. They all use the same TLS protocol. They all encrypt your traffic identically.

So what are you actually paying for? Mostly how hard the CA worked to verify your identity — and a chunk of pure marketing. Let's break it down.

DV — Domain Validated

A DV certificate only proves one thing: you control the domain. The CA gives you a random token, you put it somewhere on the domain (a specific URL, a DNS TXT record), the CA fetches it, certificate issued. Total time: a few minutes, fully automated.

DV is what Let's Encrypt issues. It's also what every other ACME-based free CA issues — ZeroSSL, Buypass, Google Trust Services free tier. DV certs cover:

  • About 98% of all HTTPS traffic on the open web in 2026;
  • Every CDN-fronted website (Cloudflare, Fastly, CloudFront);
  • Almost every modern startup, SaaS, and developer project.

Cost: $0. Issuance time: seconds to minutes. Renewal: automated.

OV — Organization Validated

An OV certificate does everything DV does, plus the CA verifies that your organization legally exists. They check public business registries, sometimes make a phone call to a number listed in those records, and confirm you're authorized to request a certificate on behalf of the company.

The result: the certificate includes the legal company name in the Organization field. A user clicking the padlock can see "Issued to: Acme Corp Inc., San Francisco, CA, US".

In practice, nobody clicks the padlock. OV certs cost ~$50–$300/year and visually look identical to DV certs in every modern browser. They exist mostly for B2B trust and compliance checkbox reasons. Issuance time: 1–3 business days.

EV — Extended Validation

EV used to be the heavyweight. Deeper identity checks, signed corporate documents, multiple verification steps, sometimes weeks of paperwork. The original deal was that EV certificates showed a green address bar with the company's legal name, like "PayPal, Inc. [US]" — a visible "this is the real company" signal.

Then in 2019, every major browser removed the green bar. Studies kept showing users didn't notice it, didn't understand it, and weren't influenced by it. Chrome, Firefox, Safari, and Edge all converged on the same minimal "padlock + URL" treatment.

Today, EV certificates look identical to DV certificates in the browser. They still cost $300–$2,000 per year. They take days or weeks to issue. They serve almost no user-facing purpose. They survive because:

  • Some compliance regimes (banking, government) still require them;
  • Some procurement processes mandate them;
  • They're a profitable product CAs are happy to keep selling.

If you don't have a specific compliance reason, skip EV.

SAN — One Cert, Many Domains

The Subject Alternative Names (SAN) extension lets one certificate cover multiple completely different domains. A single cert can list example.com, example.net, mycorp.io, and random-other-site.dev — all in one. The browser checks that the domain it connected to matches any name in the SAN list.

SAN is no longer optional — it's how all modern certificates work. The old Subject Common Name field that used to hold the domain is deprecated. Browsers stopped reading it years ago. Every CA puts the domain into SAN, even for single-domain certs.

Practical implication: you can put up to 100 domains in a single SAN cert (the practical limit varies by CA). Useful for SaaS that serves many customer domains.

Wildcard — All Subdomains Under One Parent

A wildcard certificate uses *.example.com as a SAN entry. Checked against that entry:

  • blog.example.com ✓
  • shop.example.com ✓
  • api.example.com ✓
  • example.com itself ✗ (the wildcard doesn't cover the apex — you need to add it explicitly);
  • nested.deep.example.com ✗ (wildcards only match one level).

Wildcards are useful when you have many short-lived or auto-generated subdomains and don't want to issue a new cert for each. They were historically expensive ($100–$300/year), but Let's Encrypt has issued them for free since 2018, requiring only the DNS-01 challenge.
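The SAN check from the previous section and the wildcard rules listed above, as an added example (not code from the course or from any browser). The function names are hypothetical, and refusing a wildcard directly under a top-level label such as *.com is a simplification chosen for this example.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def name_matches(hostname, san):
    """True if a single SAN dNSName entry covers hostname."""
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        # A wildcard stands for exactly one label, so label counts must agree.
        # This rules out both the apex and nested.deep.example.com.
        return False
    if pat[0] == "*":
        # Only the whole left-most label may be a wildcard; the rest is literal.
        return (len(pat) > 2 and "*" not in "".join(pat[1:])
                and host[0] != "" and host[1:] == pat[1:])
    # Partial wildcards such as f*.example.com are refused outright.
    return "*" not in san and host == pat


def cert_covers(hostname, san_list):
    # The Common Name is never consulted: only SAN entries count.
    return any(name_matches(hostname, san) for san in san_list)


def coverage_report(hostnames, san_list):
    return {h: cert_covers(h, san_list) for h in hostnames}


# Hostnames taken from the list above.
HOSTS = ["blog.example.com", "shop.example.com", "api.example.com",
         "example.com", "nested.deep.example.com"]

if __name__ == "__main__":
    for sans in (["*.example.com"], ["example.com", "*.example.com"]):
        print(sans, coverage_report(HOSTS, sans))
```

Running a planned SAN list through a check like this before ordering the certificate catches the missing-apex case early.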

The "Right Choice" Decision Tree

Most teams overthink this. In 2026:

  • Single domain or a handful of named subdomains → DV with SAN (free, ACME-automated);
  • Many auto-generated subdomains under one parent → DV wildcard (free, ACME with DNS-01);
  • B2B SaaS serving customer domains → DV with SAN, programmatically issued via ACME;
  • Hard compliance requirement that explicitly names OV or EV → buy the cert, sigh, move on.

The simple truth: for 98% of websites, free DV with automated renewal is the right answer.

What Goes Into A Cert In Practice

When you generate a Certificate Signing Request (CSR), the CA looks at:

  • The public key you generated;
  • The domain names you're requesting (all going into SAN);
  • The validation results (HTTP-01, DNS-01, or TLS-ALPN-01).

Everything else — the issuer, the validity dates, the signature algorithm — is filled in by the CA. The result is a leaf certificate signed by an intermediate.


A startup is launching a new SaaS product at mycorp.com and three subdomains: app.mycorp.com, api.mycorp.com, docs.mycorp.com. They have no special compliance requirements. What's the most cost-effective and operationally sane certificate choice in 2026?
