SSL/TLS certificate types

Working for a company that sells SSL/TLS certificates, I noticed that this field is often very confusing when you approach it for the first time. One of the most unclear topics is the number of available certificate types. In this article I'll quickly explain the differences between the various types you may want to use to secure a website.

In general, you can group SSL/TLS certificates by validation type or by the set of secured domains (more precisely, hostnames).

SSL Certificates by Validation Type

There are three validation types: domain validated (DV), organization validated (OV), and extended validation (EV). The validation type determines the method the Certificate Authority adopts to confirm the identity of the certificate applicant, following the rules the CA/Browser Forum sets for publicly trusted CAs.

Any certificate provides the same cryptographic protection regardless of the validation type: the TLS session is protected by the key pair and the negotiated cipher suite, not by how much paperwork the CA checked. However, some businesses may require a specific validation level in order to apply for certain services. For example, a payment system may require a customer to purchase an extended validation certificate instead of a domain validated certificate to ensure the legal existence of the company operating the business.

Domain Validated SSL Certificates

The Domain Validated (DV) certificate validates only that the applicant controls the domain: someone with administrative control of the domain name is aware of and approves the certificate request. Nothing about the organization behind the domain is checked.

The validation process is generally performed using one of the following challenges:

  • email: the certificate authority sends an approval email to one of the administrative addresses for the domain (the contact listed in the WHOIS/registrar record, or a constructed address such as admin@, administrator@, webmaster@, hostmaster@ or postmaster@ at the domain). The owner proves control by clicking on a link included in the email. The assumption is that whoever can read one of those mailboxes controls the domain and therefore has the right to request a certificate for it.
  • DNS: the owner proves control by creating a DNS record under the domain, as requested by the certificate authority. In general the record is either a TXT or a CNAME; the name is a fixed label (for example _acme-challenge.example.com with ACME-based CAs) or a hash derived from the CSR, and the content is a unique token or a hash derived from the CSR.
  • HTTP: the owner proves control by publishing a text file with the content requested by the certificate authority under the public web root of the domain, at a well-known path (ACME uses /.well-known/acme-challenge/<token>, fetched over plain HTTP). Note that all three challenges prove control of the domain's email, DNS or web server, not who the applicant is; if you want to restrict which CAs may issue for your domain at all, publish a CAA record.

The validation can take from a few minutes to a few hours.
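The DNS and HTTP challenges above are standardised by ACME (RFC 8555), the protocol behind Let's Encrypt and most automated DV issuance. The following is an added example (not code from the original article or from any CA) that walks both challenges end to end: the client derives what it must publish from the CA's token and its own account key, and a simulated CA checks it. The account key, token, domain names, and the dict-based "zone" and "web root" are constructed placeholders so the round trip runs offline; a real CA does the lookups over DNS and HTTP.

```python
import base64
import hashlib
import json

# Constructed sample values: a placeholder account key, not a real RSA key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc",
    "kid": "acct-1",  # extra members such as kid are ignored by the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # CA-issued token (constructed)


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with lexicographically sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint(accountKey): binds the challenge to the ACME account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(domain: str, token: str, jwk: dict) -> tuple:
    """Return (URL the CA fetches over plain HTTP, body it expects there)."""
    if domain.startswith("*."):
        raise ValueError("wildcard names are validated with dns-01 only")
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_challenge(domain: str, token: str, jwk: dict) -> tuple:
    """Return (TXT record name, TXT value) the client must publish.
    For a wildcard the '*.' prefix is dropped: *.example.com is proven
    through _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


# CA side. A real CA queries DNS and fetches over HTTP; here the zone and the
# web root are plain dicts so the whole exchange runs offline.

def ca_checks_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """zone maps a record name to the list of TXT values published there."""
    name, expected = dns01_challenge(domain, token, jwk)
    return expected in zone.get(name, [])


def ca_checks_http01(webroot: dict, domain: str, token: str, jwk: dict) -> bool:
    """webroot maps a URL to the body the web server returns for it."""
    url, expected = http01_challenge(domain, token, jwk)
    # RFC 8555 lets the CA ignore trailing whitespace, nothing else.
    return webroot.get(url, "").strip() == expected


def demo() -> dict:
    """Walk both challenges for constructed names; returns the CA verdicts."""
    jwk, token = SAMPLE_ACCOUNT_JWK, SAMPLE_TOKEN
    name, txt = dns01_challenge("*.example.com", token, jwk)
    url, body = http01_challenge("www.example.com", token, jwk)
    zone = {name: [txt]}      # client publishes the TXT record
    webroot = {url: body}     # client serves the challenge file
    other_account = {**jwk, "n": jwk["n"] + "x"}  # same token, different account key
    return {
        "dns_ok": ca_checks_dns01(zone, "*.example.com", token, jwk),
        "http_ok": ca_checks_http01(webroot, "www.example.com", token, jwk),
        # a published TXT value cannot be reused to satisfy the same token for
        # another account: the value is bound to the account key
        "other_account_fails": not ca_checks_dns01(zone, "*.example.com", token, other_account),
    }


if __name__ == "__main__":
    print(demo())
```

The point worth taking away is that both challenges are only as strong as the DNS zone and the web root: anyone who can write a TXT record or drop a file into /.well-known/acme-challenge/ on port 80 can obtain a DV certificate for the name, which is why the CAA record mentioned above is worth publishing.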

The Domain Validated SSL certificate is the most common SSL certificate type because it is fast to obtain (and, with ACME-based CAs, fully automated). This validation type is sufficient for the majority of businesses and cheaper than organization or extended validation.

If the certificate is valid and signed by a trusted authority, browsers indicate a successfully secured HTTPS connection, exactly as they do for OV and EV certificates.

Organization Validated SSL Certificates

The Organization Validated (OV) certificate validates domain control, plus the organization information included in the certificate such as legal name, city, state and country.

The validation process is similar to the domain validated certificate, but it also requires documentation (such as business registration records) to certify the company identity.

The order can take from a few hours to a few days, due to the company validation process.

The Organization Validated SSL certificates display the company information in the certificate details (the Subject fields O, L, ST and C).

Extended Validation SSL Certificates

The Extended Validation (EV) certificate requires a more thorough validation of the business. It validates domain control and organization information, plus the legal existence of the organization. It also validates that the organization is aware of the SSL certificate request and approves it.

The validation requires documentation to certify the company identity plus a set of additional steps and checks.

The order can take from a few days to a few weeks, due to the extended validation process.

The Extended Validation SSL certificates were traditionally identified by a green address bar in the browser containing the company name. Note that current versions of the major browsers (Chrome and Firefox since late 2019) no longer show this indicator, so the difference is visible only in the certificate details.

Extended Validation (EV) "Wildcard" SSL certificates don't exist

The Extended Validation (EV) SSL certificates provide a higher level of assurance compared to the other types of SSL certificates. In order to ensure that EV SSL certificates are not misused after issuance, the CA/Browser Forum EV Guidelines, which govern the issuance of EV SSL certificates, require the validation of every hostname assigned to the certificate. Therefore, it's not possible to purchase a wildcard EV SSL certificate.

SSL Certificates by Secured Domains

An SSL certificate is associated with one or more hostnames belonging to one or more domains. The list of secured hostnames is encoded in the certificate's Subject Alternative Name (SAN) extension when it is issued and restricts the scope of the certificate; modern browsers consult only the SAN list for this purpose and ignore the Common Name.

Domains or subdomains not included in the list are not covered by the certificate. Using the certificate on a hostname outside its scope produces a name-mismatch error in the browser (NET::ERR_CERT_COMMON_NAME_INVALID in Chrome).

Single-name SSL Certificates

Single-name SSL certificates protect a single hostname. For example, if you purchase a certificate for www.example.com it will not secure mail.example.com.

There is one common exception. Certificate authorities normally include the root domain (example.com) as an additional SAN when you purchase a single-name certificate for the www hostname (www.example.com). This is not a standard; check the provider documentation.

Wildcard SSL Certificates

Wildcard SSL certificates protect an unlimited number of subdomains of a single domain. For example, a certificate for *.example.com secures foo.example.com, bar.example.com, etc. The wildcard matches exactly one label, so it will not secure foo.else.example.com, and it does not cover the bare domain example.com either: for that, the certificate must also list example.com as a SAN, which many providers add automatically (again, check the provider documentation).

Wildcard certificates are forbidden for Extended Validation certificates. See the section above about Extended Validation for more information.

Multi-Domain SSL Certificates

Multi-domain SSL certificates (also called SAN or UCC certificates) protect different domains with a single certificate. The maximum number of names depends on the certificate authority. You can normally secure any combination of hostnames from different domains, for example www.example.com, example.net and mail.example.org, in the same certificate.

Shared SSL Certificates

Shared SSL certificates are normally offered by hosting companies as a way to secure websites under a specific domain name. For example, in Heroku each application is provided with a .herokuapp.com hostname. Heroku offers a free shared certificate you can enable as long as your app is reachable with the shared hostname.

You can think of a shared SSL certificate as a wildcard certificate purchased by the hosting company and made available to your app as long as it is hosted under the shared domain name provided by the hosting company itself. Keep in mind that the private key is held by the hosting company, not by you, and that the same certificate vouches for every other tenant of the shared domain.

Security

It's important to remember that the validation level and the number of secured hostnames don't affect the security level offered by an SSL certificate. All certificates work with the following encryption principle.