
When you request an SSL certificate, the Certificate Authority has to decide how much effort to spend verifying who you are. This creates three tiers: Domain Validation checks almost nothing, Organization Validation checks your legal identity, and Extended Validation checks everything they can think of.

Here's the thing that matters: the cryptography is identical across all three. The validation level has no bearing on the key type or size, the signature algorithm, or the cipher suite TLS negotiates. A free DV certificate from Let's Encrypt and a $1,500 EV certificate from a premium CA can carry exactly the same kind of key and protect the connection in exactly the same way. The padlock means the same thing. The security of the connection is the same.

The only difference is identity verification. And by 2019, the major browsers had concluded that putting that identity in the address bar wasn't helping users, and stopped showing it.

Domain Validation: Prove You Control the Domain

DV certificates answer one question: does this person control this domain right now?

The verification is simple and automated. Add a specific DNS record, host a file at a specific URL, or click a link in an email sent to one of the handful of addresses the CA/Browser Forum rules allow, such as admin@yourdomain.com. The whole process takes seconds. No human at the CA ever looks at your request.

The certificate contains just the domain names, in the Subject Alternative Name extension. No company name, no location, no indication of who you are: just that someone who could modify example.com asked for a certificate for example.com.

This is what Let's Encrypt issues for free, and it's what most of the Internet runs on. The cryptography is exactly what you'd get with any other certificate. The identity verification is minimal. For most purposes, that's exactly right.

Organization Validation: Prove You're a Real Company

OV certificates add a layer: the CA verifies that you're a legally registered organization before issuing the certificate.

This means checking business registration databases, potentially calling your listed phone number, confirming your physical address exists, and verifying that the person requesting the certificate is authorized to do so. Someone at the CA actually reviews documentation. The process takes days.

The certificate includes your organization's legal name, city, state, and country. This information is embedded in the certificate itself—anyone who examines the certificate details can see it.

The catch: almost no one examines certificate details. Users see a padlock. They don't click it, don't dig into the Subject field, don't verify your business registration. Browsers display OV certificates identically to DV certificates.

You're paying $50-$300 per year for verification that's invisible during normal browsing.

Extended Validation: Prove Everything

EV certificates represent the maximum identity verification a CA will perform. Legal existence verified through government databases. Physical address confirmed through independent sources. Phone number checked against public directories. Operational existence confirmed, and the requester's authority to act for the organization verified. Human specialists reviewing everything.

The process can take weeks. You'll submit corporate documentation, possibly notarized letters. The CA treats it like a background investigation.

The certificate contains comprehensive information: full legal name, street address, jurisdiction of incorporation, company registration number, and business category. Everything a CA can verify about who you are.

This used to mean something visible. Internet Explorer and Edge turned the whole address bar green; Chrome and Firefox showed your organization name in green next to the padlock. "PayPal, Inc." appeared right in the URL bar. The idea was that users would notice this and feel confident they weren't on a phishing site.
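To make concrete what the DV, OV and EV sections above say each tier puts in the certificate, here is an added example (my own code, not from the article or from any CA) that classifies a certificate the way a padlock dialog would let you: by the CA/Browser Forum policy OIDs in the certificatePolicies extension and, failing that, by the Subject attributes. The input follows the shape of Python's ssl.getpeercert() output plus an extra policy_oids field that getpeercert() does not expose; the sample certificates are constructed, not real issuances, and the CA-specific OID 1.3.6.1.4.1.99999.1.2 is a placeholder.

```python
# CA/Browser Forum reserved certificate-policy OIDs. A compliant CA includes
# one of these in certificatePolicies to state which validation it performed;
# this is the authoritative signal.
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"
CABF_IV = "2.23.140.1.2.3"   # individual validation, treated like OV here
CABF_EV = "2.23.140.1.1"

# Subject attributes, using the OpenSSL long names that ssl.getpeercert() reports.
OV_REQUIRED = {"organizationName", "countryName"}
EV_EXTRA = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def flatten_subject(subject):
    """Turn getpeercert()'s ((('countryName', 'US'),), ...) shape into a dict."""
    flat = {}
    for rdn in subject:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def classify(cert):
    """Return {'level', 'source', 'organization', 'dns_names'} for a cert dict.

    `cert` uses getpeercert()'s 'subject' and 'subjectAltName' keys plus a
    'policy_oids' list; reading policy OIDs from a real certificate needs a
    full X.509 parser (e.g. the `cryptography` package), which getpeercert()
    is not.
    """
    subject = flatten_subject(cert.get("subject", ()))
    attrs = set(subject)
    policies = set(cert.get("policy_oids", ()))
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

    if CABF_EV in policies:
        level, source = "EV", "policy"
    elif policies & {CABF_OV, CABF_IV}:
        level, source = "OV", "policy"
    elif CABF_DV in policies:
        level, source = "DV", "policy"
    # No CABF OID: fall back to the Subject, which is all a user sees in the padlock dialog.
    elif OV_REQUIRED <= attrs and EV_EXTRA <= attrs:
        level, source = "EV", "subject"
    elif OV_REQUIRED <= attrs:
        level, source = "OV", "subject"
    else:
        level, source = "DV", "subject"

    return {
        "level": level,
        "source": source,
        "organization": subject.get("organizationName"),  # None for DV
        "dns_names": dns_names,
    }


# Constructed sample certificates (not real issuances).
DV_CERT = {
    "subject": ((("commonName", "app1e.com"),),),
    "subjectAltName": (("DNS", "app1e.com"), ("DNS", "www.app1e.com")),
    "policy_oids": [CABF_DV],
}
OV_CERT = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "California"),),
                (("localityName", "Cupertino"),), (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
    "policy_oids": [CABF_OV, "1.3.6.1.4.1.99999.1.2"],  # placeholder CA-specific OID alongside the CABF one
}
EV_CERT = {
    "subject": ((("jurisdictionCountryName", "US"),), (("businessCategory", "Private Organization"),),
                (("serialNumber", "C1234567"),), (("countryName", "US"),),
                (("stateOrProvinceName", "California"),), (("localityName", "San Jose"),),
                (("organizationName", "Example Payments, Inc."),),
                (("commonName", "www.example-payments.com"),)),
    "subjectAltName": (("DNS", "www.example-payments.com"),),
    "policy_oids": [CABF_EV],
}

if __name__ == "__main__":
    for name, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(name, classify(cert))
```

The DV sample is the lookalike-domain case: the classifier reports it correctly as DV with no organization, and the domain names are all the identity there is. Nothing in this classification touches the key or the signature algorithm, because none of that differs between tiers.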

The Green Bar Is Gone

Chrome 77 and Firefox 70 dropped the EV indicator from the address bar in late 2019; Safari had already stopped showing it in 2018. EV certificates now display the same padlock as DV certificates. To see the organization information, users must click the padlock and dig into certificate details.

This wasn't a minor UI change. It was the industry quietly admitting something uncomfortable: the green bar with "PayPal, Inc." displayed prominently wasn't actually helping anyone avoid phishing. Users ignored it. Phishers worked around it, and researchers showed the name itself could mislead: in 2017 one obtained a perfectly valid EV certificate for a "Stripe, Inc." he had incorporated in Kentucky, and browsers displayed it exactly as they displayed the payment company's. The ceremony of Extended Validation turned out to be exactly that: ceremony.

EV certificates still exist. They still cost $200-$1,500 per year. The verification process is still rigorous. But the visible differentiation—the entire point of paying for EV—is gone.

Why Validation Levels Don't Prevent Phishing

A common misconception: higher validation means more trustworthy sites. This misunderstands what certificates do.

A phisher can get a certificate for app1e.com in thirty seconds. The certificate proves they control app1e.com. It says nothing about whether they're Apple.

SSL certificates authenticate the domain. They prove you're connected to a server that holds the private key for the name you typed, not to an impostor in the middle. They don't verify that the domain is legitimate, that the content is safe, or that the organization behind it is trustworthy.

A DV certificate for evil-phishing-site.com is doing its job perfectly: encrypting your connection to evil-phishing-site.com. The certificate isn't lying. You're just connecting to a bad place.

EV certificates don't help here because phishers register lookalike domains rather than forging the real company's certificate. The green bar for "PayPal, Inc." doesn't help when the phisher is using paypa1-secure.com with a perfectly valid DV certificate.

What Should You Actually Use?

For most websites: DV certificates. They're free from Let's Encrypt, fully automated, provide identical encryption, and browsers treat them identically to expensive alternatives. The 90-day renewal cycle is handled automatically by ACME clients. Because control of DNS or the web host is all a DV issuance checks, publish a CAA record limiting which CAs may issue for your domains and monitor Certificate Transparency logs for certificates you didn't request.

OV certificates make sense in narrow situations: compliance requirements that mandate organizational identity in certificates, business partners who actually examine certificate details, or organizational policy that values the documentation of legal identity.

EV certificates are hard to justify after the browser changes. Unless you have specific compliance requirements mandating EV, you're paying premium prices for verification that's invisible to users. The rigorous background check still happens—it just doesn't result in any visible differentiation.

The Direction of the Industry

Let's Encrypt issues billions of certificates. Certificate lifetimes are shrinking: currently capped at 398 days (about 13 months), with the CA/Browser Forum moving to shorten them further. Both trends favor automation, which favors DV.

Some argue that identity verification beyond domain control still matters for accountability and reputation. Others argue that since browsers don't surface it, it's effectively meaningless to users.

The market has mostly decided. DV certificates won. The encryption was always the same—and that's what actually protects users.
