Question: What are DV certificates?
Answer: Domain Validated (DV) certificates are SSL certificates that undergo validation on the domain and not on the Organization or extended validation. A DV certificate’s cryptographic strength and security are generally no different from an OV or EV SSL Certificate. DV certificates conform to the X509 standard like any other SSL certificate and are used to secure web communications with HTTPS. DV is the most common validation method for SSL Certificate issuance primarily because it is the simplest method.
The difference between OV and DV and EV is the validation process. Domain validation takes place on the domain and can be automated, making it the quickest and simplest. DV SSL certificates are affordable and depending on the issuing CA have warranties and other support offered with them.
When it comes to choosing the validation method for your SSL Certificate it comes down to the information you want on your certificate in regards to identifying you or your website. DV will have far less information than an OV or EV certificate but will offer the same level of cryptographic strength. That is a common point we make, but essential to realize. The speed in the issuance of a DV SSL Certificate far surpasses that of OV or EV. The saying used to be that you could have your certificate issued in minutes but the reality is it can be issued in seconds. This is done with domain control challenges detailed below.
Check out our SSL Tools to decode your existing DV certificate or to decode any validation type certificate to compare the details.
More questions on DV certificates
What does a DV Certificate look like in a browser?
If a website is protected by a DV SSL Certificate, it will display a small green or gray padlock prefixed with https in the address bar. The user must inspect the certificate further to determine if it is DV, OV, or EV.
What OID (Object Identifier) represents DV on an SSL Certificate?
- 220.127.116.11.2.1: The CA/Browser Forum Domain Validated OID.
- 18.104.22.168.4.1.4146.1.10: GlobalSign DV Policy.
- 2.16.840.1.114412.1.2: Digicert DV Policy.
- This is not an exhaustive list, but if you see any of the listed OIDs in the Certificate Profile section of the SSL certificate it declares the SSL certificate is DV.
What is a Domain Control Challenge?
Domain Control can be proven with challenges, can be automated, and complete within seconds. Examples include the following.
- HTTP-01 challenge: This challenge requires the requester to put a file on their server at a given url, and the CA (Certification authority) verifies that the requester has placed the file. This can be done by a person manually or with a software client.
- DNS-01 challenge: This challenge requires the owner of the domain being validated to create a TXT record on the DNS entry to prove ownership via DNS.
There are other methods for validating domain control, but the above two are the most common.
Why choose DV certificates instead of an OV or EV?
Some websites simply do not need their Organization validated or to undergo extended validation just for an SSL certificate. The cryptographic strength of a DV certificate is equally as strong, and since domain validation occurs much quicker, it makes the most sense to go DV. If an organization wants to show off its brand or organization, then OV or EV may be a better option.
How to determine if a certificate is DV when viewing the decoded certificate?
A general rule of thumb to determine if a certificate is DV, inspect the Subject DN of the certificate. If the subject only contains CN=some_domain, then the certificate is not OV or EV.
Buy DV SSL Certificates
As previously mentioned, the cryptographic strength of a DV certificate is the same as OV or EV, and is also the same across CAs (Certification Authorities). To purchase a DV certificate, determine which CA you would prefer to work with based on their reputation, warranties, cost, etc. We have listed below a few DV Certificates we recommend. For more information, The SSL Store is a good place to get started comparing and buying DV certificates.
As always, let us know in the comments if you have any questions on Domain Validation or DV SSL Certificates.
Leave a Reply