What are the three validation levels for SSL/TLS certificates, and what is different between them?
Domain Validation (DV), Organisation Validation (OV), and Extended Validation (EV) — each requires progressively more verification of the requester's identity by the CA.
| Level | What CA verifies | Issuance time | Browser display |
|---|---|---|---|
| DV — Domain Validation | Only that you control the domain (e.g. email to webmaster, DNS TXT record, file on the site) | Minutes (Let's Encrypt) | Padlock |
| OV — Organisation Validation | Domain control plus real organisation exists (legal entity check) | Days | Padlock + cert details show org name |
| EV — Extended Validation | OV plus physical address, operational existence, signed legal agreements | 1–2 weeks | Padlock (used to be green address bar; mostly removed by browsers) |
What's the same across all three: the cryptography. A DV cert encrypts traffic exactly as strongly as an EV cert. The differences are only in what attribute claims the CA asserts about the subject.
The other axis — coverage:
| Type | Coverage |
|---|---|
| Single-domain | Just example.com |
| Wildcard | *.example.com (any direct subdomain) |
| Multi-domain (SAN) | Up to ~25 different domains listed in Subject Alternative Names |
EV was once highly visible (green address bar) but Chrome (2019) and Safari (2020) removed the visual indicator after research showed users didn't actually distinguish EV from DV in practice. The legal-entity attestation is still there, just not surfaced in the UI.
Tip: For a personal blog or hobby project, a free DV cert from Let's Encrypt is enough — it provides the same encryption strength as a $500/year EV cert. Pay for OV/EV only if your customers/auditors explicitly require it.