DV, OV, EV SSL — when each matters.
For 95% of sites, Let's Encrypt is fine. Here's how to know whether you're in the other 5%.
Every modern browser shows a padlock for any HTTPS site. The padlock means the connection is encrypted in transit. It does not guarantee the site's owner is who they claim to be. Different certificate tiers verify different things — and most consumers don't notice or care about the difference. Here's when each tier is worth paying for.
DV — Domain Validation
What gets verified: the requester controls the domain (proven by responding to a DNS or HTTP challenge).
Issuance time: 1-10 minutes, fully automated.
Cost: $0 (Let's Encrypt) up to ~$50/yr (paid CAs like Sectigo).
What the browser shows: standard padlock. Nothing else.
DV is what 95% of the web uses. Let's Encrypt issues a few hundred million per year, free. Most modern hosts (Vercel, Netlify, Cloudflare, Hostinger, even your home WordPress install) auto-provision and auto-renew Let's Encrypt with zero configuration.
The cryptographic security of a DV cert from Let's Encrypt is identical to a DV cert from Sectigo or DigiCert costing $50/yr. The math is the same. The only difference is the brand name in the certificate chain.
OV — Organization Validation
What gets verified: domain control PLUS the legal existence of the organization. The CA cross-references your business name against government registries (Dun & Bradstreet, Secretary of State filings, etc.) and may call your published phone number.
Issuance time: 1-3 business days.
Cost: $50-150/yr.
What the browser shows: same padlock as DV. The certificate details (which most users never see) include the verified company name.
OV is for organizations where the certificate details might be reviewed by a security-conscious counterparty. Banks expect to see verified company info if a corporate customer's bank-facing API has SSL. Some enterprise procurement teams require OV for vendor sites.
For consumer-facing sites: OV is invisible. Customers don't click the padlock and check the cert details. Don't pay for OV unless you have a specific reason.
EV — Extended Validation
What gets verified: everything OV checks, plus a much more rigorous identity check — physical existence of the business, legal status, operational existence for at least 3 years, sometimes notarized documents.
Issuance time: 5-10 business days.
Cost: $150-500/yr; Premium EV from DigiCert can run $1,000+/yr.
What the browser shows: until 2019, Chrome and Firefox showed the verified company name in the address bar (the "green bar"). That display was removed in 2019. Today, EV looks identical to DV in the browser UI.
This is the contentious tier. Browser vendors decided the green bar was misleading users into thinking EV-verified sites were inherently safer (they weren't — phishing sites can get EV too if they pretend to be a real-named business). They removed the visual differentiator. CAs continue to sell EV at high prices but the marketing pitch is genuinely weaker now.
When EV still matters:
- Regulated industries (banking, insurance, healthcare) where compliance requires it.
- Enterprise IT policy mandates EV for vendor sites.
- Brand decision: you want every paranoid technical user who clicks the padlock to see your verified name.
Wildcard certs
A wildcard cert covers *.yourdomain.com — every subdomain at one level. Wildcards exist at all three validation tiers (DV / OV / EV). Cost: roughly 4-8x the equivalent single-domain cert.
Pick wildcard when: you spin up subdomains frequently (subdomains per customer, staging environments, microservices) and don't want to manage individual certs for each.
Skip wildcard when: you have 1-3 subdomains. Just issue separate certs (free via Let's Encrypt).
SAN / Multi-domain certs
SAN (Subject Alternative Name) certs cover multiple specific domains in one certificate — e.g., yourdomain.com, yourdomain.io, app.yourdomain.com all on one cert. Useful for consolidating cert management across brands.
The honest decision tree
- Are you running on a modern host (Vercel, Netlify, Cloudflare, Hostinger, AWS Amplify)? Use the free auto-provisioned Let's Encrypt. No SSL purchase needed.
- Self-hosting on a VPS where Let's Encrypt's
certbotworks? Use Let's Encrypt. - Regulated industry requiring OV? Buy a Sectigo OV ($79-99/yr).
- Enterprise customer policy requires EV? Buy a Sectigo or DigiCert EV ($299+/yr).
- Need a wildcard (5+ subdomains)? Sectigo Wildcard DV ($119/yr) — beats managing 20 individual certs.
We sell all four tiers via OpenSRS Trust Service at /account/ssl.php. We don't push them — most customers don't need anything beyond Let's Encrypt and we'll tell you so honestly.