Question: What is an OV certificate?
Answer: Organization Validated (OV) certificates are SSL certificates that undergo validation on the Organization rather than the domain. OV is not as extensive as Extended Validation (EV) but is more extensive than Domain Validation (DV). The cryptographic strength and security of an EV certificate are no different than a DV or EV SSL Certificate. OV certificates conform to the X509 standard just like any other SSL certificate and are used for secure web communications with HTTPS.
The difference between OV and DV and EV is the validation process. Organization Validation verifies the identity of an organization and not just the domain. For example, a business, nonprofit, government, or some other type of organization will be validated by their organization which may own many different domains. This process requires manual validation. While many SSL server certificates are OV, other SSL certificates are common candidates, including code signing, document signing, and S/MIME certificates.
Some organizations also undergo Organization Validation when issuing many certificates for many domains from one account. The organization may complete OV one time and then issue as many certificates as they wish under that same validation. The organization will still likely need to renew Domain Control Validation (DCV) each year for the organization’s domains. Sectigo Certificate Manager provides a product to serve this purpose.
Check out our SSL Tools to decode your existing OV certificate or to decode any validation type certificate to compare the details. We will go into more detail below but look at the Certificate Profile section and the Subject DN to get started differentiating the certificate types.
More questions on OV certificates
What does an OV Certificate look like in a browser?
If a website is protected with an OV SSL Certificate, it will display a small green or gray padlock prefixed with https in the address bar. As for differentiating between DV and OV, the client will need to inspect further to discover the difference. The screenshots below will guide you through how to determine whether or not an SSL certificate is Organization Validated.
What OID (Object Identifier) represents OV on an SSL Certificate?
- 22.214.171.124.2.2: The CA/Browser Forum Organization Validated OID.
- 126.96.36.199.4.1.4146.1.20: Globalsign OV Policy
- 2.16.840.1.114412.1.1: Digi cert OV
This is not an exhaustive list, but if you see any of the listed OIDs in the Certificate Profile section of the SSL certificate it declares the SSL certificate is OV.
Why choose an OV certificate instead of a DV certificate?
Because an OV certificate faces a more involved and thorough vetting process, some argue that it is less likely that a thief, hacker, or unauthorized person will be able to get an SSL certificate for your site. With that said, the client visiting your site may feel more trusting of your site if they have determined it is OV. Having the O= section of the subject DN is in general good practice, so we would recommend getting it over DV.
How to determine an OV certificate from a DV certificate when viewing the decoded certificate?
In the Subject DN of the SSL certificate, if the O=some_organization is populated, then the certificate is at bare minimum an OV certificate and not DV. The certificate may also be EV, as EV validates the organization also.
Buy an OV SSL Certificate
Most CAs (Certificate Authority) sell Organization Validated certificates. The SSL Store will get you started comparing them by each of the CAs all in one place. We have listed a few below to help get you started. Again, the actual cryptography and security are usually equivalent across CAs and all must meet the minimum baseline requirements set forth by the CA Browser Forum.
As always, let us know in the comments if you have any questions on Organization Validation.