
SSL Certificate Types Explained: DV, OV, EV and Wildcard

Not all SSL certificates are the same. The padlock icon in the browser means HTTPS is active, but there are significant differences in what each certificate type validates, how long they're issued for, and what they cost. Understanding these differences matters — both for choosing the right certificate and for monitoring it effectively.

What SSL Certificates Do

An SSL/TLS certificate serves two purposes:

  1. Encryption — it enables HTTPS, encrypting traffic between the user's browser and your server
  2. Authentication — it proves your website is who it claims to be, verified by a Certificate Authority (CA)

All certificate types provide encryption. They differ in how thoroughly the CA verifies the identity of the organisation behind the certificate.

Domain Validation (DV) Certificates

Validation level: Proves you control the domain
Verification method: DNS record or file placed on the domain
Issued in: Minutes to hours
Cost: Free (Let's Encrypt) to ~$100/year
Best for: Blogs, personal sites, APIs, staging environments

DV certificates are the most common type. Certificate Authorities like Let's Encrypt issue them automatically by verifying that you control the domain (by checking a DNS TXT record or an HTTP file on the server). There is no human review of the company behind the site.

The padlock appears in browsers, but there's no additional identity information — a DV certificate only proves the site owner controls the domain, not who they are.

Monitoring consideration: Let's Encrypt DV certificates expire every 90 days and are designed for automated renewal. Automation can fail, so SSL certificate monitoring with 30-day advance warnings is important even for "auto-renewing" certificates.

Organisation Validation (OV) Certificates

Validation level: Proves organisation identity
Verification method: CA verifies legal existence, physical address, domain ownership
Issued in: 1-3 business days
Cost: ~$100-500/year
Best for: Business websites, e-commerce sites, customer portals

OV certificates involve a manual review process. The CA verifies that your organisation legally exists (checking business registration records), is at the physical address you claim, and owns the domain. This information is embedded in the certificate.

Technically, OV and DV certificates look the same in most browsers — both show a padlock. The difference is visible in the certificate details (click the padlock → Certificate → Subject), where an OV cert shows organisation details.

OV certificates are appropriate for any business site where users might check certificate details for reassurance.

Extended Validation (EV) Certificates

Validation level: Thorough business identity verification
Verification method: CA performs extensive legal and operational checks
Issued in: 1-2 weeks
Cost: ~$200-1000+/year
Best for: Banks, financial services, high-value e-commerce

EV certificates involve the most rigorous verification — CAs check legal existence, operational status, physical address, domain ownership, and more. The organisation name was historically displayed in the browser address bar (the "green bar"), though major browsers have removed this in recent years.

For highly sensitive applications like online banking where user trust is critical, EV certificates remain the standard. Most e-commerce sites and SaaS applications use DV or OV.

Wildcard Certificates

Coverage: One certificate for a domain and all subdomains
Example: *.yourdomain.com covers www, api, app, mail, etc.
Cost: ~$50-300/year (wildcard Let's Encrypt certs are free)
Best for: Applications with many subdomains

A wildcard certificate covers a single domain level beneath the *:

  • *.yourdomain.com covers api.yourdomain.com, www.yourdomain.com, app.yourdomain.com
  • But does NOT cover mail.app.yourdomain.com (two levels deep)

For deep subdomain coverage, you need multiple wildcards or a multi-domain (SAN) certificate.

Monitoring consideration: A wildcard certificate is a single certificate monitored once, but affects all your subdomains. If it expires, every subdomain goes down simultaneously — making monitoring even more critical.
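
The single-label rule above, written out as an added example (not part of the original article): a matcher for exact and `*.` names, run against a constructed host list. The function names and the inventory are assumptions for illustration; by the same rule the bare domain is not matched by `*.yourdomain.com` either, so it has to be listed as its own name.

```python
def _labels(name):
    """Lower-cased DNS labels of a name, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(cert_name, hostname):
    """True if one certificate name (exact or '*.' wildcard) covers hostname."""
    c, h = _labels(cert_name), _labels(hostname)
    if len(c) != len(h):
        return False  # '*' stands for exactly one label, never zero or two
    if c[0] == "*":
        # Simplified guard (assumption): refuse wildcards with no base domain,
        # such as '*.com', and require a non-empty label in the '*' position.
        return len(c) >= 3 and h[0] != "" and c[1:] == h[1:]
    return c == h  # exact comparison; partial wildcards like 'w*' are not expanded

def uncovered(cert_names, inventory):
    """Hostnames from the inventory that no name in the certificate covers."""
    return [host for host in inventory
            if not any(name_matches(name, host) for name in cert_names)]

# Constructed sample data (hypothetical hosts, taken from the article's examples).
INVENTORY = [
    "www.yourdomain.com",
    "api.yourdomain.com",
    "mail.app.yourdomain.com",  # two levels deep
    "yourdomain.com",           # the bare domain
]
WILDCARD_ONLY = ["*.yourdomain.com"]
WITH_SANS = ["*.yourdomain.com", "*.app.yourdomain.com", "yourdomain.com"]

if __name__ == "__main__":
    print("wildcard only misses:", uncovered(WILDCARD_ONLY, INVENTORY))
    print("with extra names misses:", uncovered(WITH_SANS, INVENTORY))
```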

Multi-Domain (SAN) Certificates

Coverage: Multiple specific domains in one certificate
Example: yourdomain.com, yourdomain.co.uk, api.yourdomain.com
Cost: Varies, typically priced per domain added
Best for: Organisations with multiple related domains

SAN (Subject Alternative Name) certificates list multiple domains explicitly. Unlike wildcards, you can include completely different domains (not just subdomains).

Choosing the Right Certificate

| Use Case | Recommended Type |
|---|---|
| Personal blog or portfolio | DV (Let's Encrypt) |
| Business website | OV |
| SaaS application | DV or OV |
| API service | DV (Let's Encrypt) |
| Banking / financial services | EV |
| Multiple subdomains | Wildcard DV |
| Multiple domains | SAN / multi-domain |

Certificate Lifespan and Monitoring

Certificate validity periods vary by type:

  • Let's Encrypt DV: 90 days (designed for automated renewal)
  • Commercial DV/OV/EV: 1 year (since 2020, maximum is 398 days per CA/Browser Forum rules)

The short lifespan of Let's Encrypt certificates is intentional — it forces automation, which reduces the risk of forgetting to renew. But automation isn't perfect.

Monitoring alerts to configure:

  • 30 days remaining — email notification
  • 14 days remaining — escalated alert
  • 7 days remaining — urgent, immediate action required

These thresholds give you enough time to renew manually if automation fails, without constant noise. The full monitoring setup is in SSL certificate monitoring.
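
The 30/14/7-day tiers above applied to a small inventory, as an added example (not code from the original article or from Domain Monitor). The host names, dates and fixed clock are constructed; each entry is shaped like the dict returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone

# Alert tiers from the article, tightest first: (days remaining, level).
TIERS = [(7, "urgent"), (14, "escalated"), (30, "email")]

def days_remaining(cert, now):
    """Whole days until notAfter; cert is shaped like ssl.SSLSocket.getpeercert()."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(not_after, tz=timezone.utc)
    return (expires - now).days  # negative once the certificate has expired

def alert_level(days_left):
    """Map days remaining to the tightest tier that applies."""
    if days_left < 0:
        return "expired"
    for limit, level in TIERS:
        if days_left <= limit:
            return level
    return "ok"

def triage(certs, now):
    """(host, days_left, level) for each certificate needing attention, most urgent first."""
    rows = sorted(((host, days_remaining(cert, now)) for host, cert in certs.items()),
                  key=lambda row: row[1])
    return [(host, days, alert_level(days)) for host, days in rows
            if alert_level(days) != "ok"]

# Constructed sample inventory (hypothetical hosts and expiry dates).
SAMPLE = {
    "www.yourdomain.com": {"notAfter": "Jun 15 12:00:00 2025 GMT"},
    "api.yourdomain.com": {"notAfter": "May 25 12:00:00 2025 GMT"},
    "shop.yourdomain.com": {"notAfter": "Mar  1 00:00:00 2026 GMT"},
    "old.yourdomain.com": {"notAfter": "May 19 23:59:59 2025 GMT"},
}
NOW = datetime(2025, 5, 20, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for a repeatable run

if __name__ == "__main__":
    for host, days, level in triage(SAMPLE, NOW):
        print(f"{level:9} {days:4d}d  {host}")
```

For a live host, the same dict comes from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`. An already-expired certificate fails that handshake with a verification error, so treat that error as the expired case.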

What Happens When a Certificate Expires

An expired SSL certificate causes browsers to show a full-page security warning (NET::ERR_CERT_DATE_INVALID in Chrome), blocking most users from accessing your site. For users who proceed past the warning (requiring multiple clicks), all data is still encrypted — but the experience is essentially equivalent to an outage.

Domain Monitor monitors SSL certificate expiry alongside domain expiry and HTTP uptime, giving you advance warning before any certificate becomes a problem.

