Types of SSL certificates and how to choose

Key takeaways

  • SSL certificates differ by validation level and coverage scope.
  • DV, OV, and EV vary by vetting and trust, not core encryption.
  • Single-domain, wildcard, and SAN certificates protect different site setups.
  • The right certificate depends on your site, trust needs, and domain structure.

SSL certificates are easiest to understand when you group them in two ways: validation level and coverage scope. Validation level tells you how much the certificate authority verifies before issuing the certificate (the “height” of the certificate). Coverage scope tells you how many domains or subdomains the certificate protects (the “width” of the certificate).

If you are trying to choose the right certificate for your site, those are the details that matter most.

What SSL certificates do

These digital certificates encrypt data between a user’s browser and your web server, ensuring that sensitive information remains protected.  They operate on the SSL/TLS protocol, facilitating secure connections between web servers and browsers.  That is what allows a site to load over HTTPS instead of HTTP and helps protect logins, payment details, form submissions, and other data in transit.

Technically speaking, an SSL certificate contains: a public key, a private key, the subject, the issuer, a validity period, and a digital signature from the certificate authority. Those pieces work together to verify identity and support encrypted communication between the browser and the server.

How types of SSL certificates are grouped

SSL certificates are grouped in two ways: validation level and coverage scope. Validation level includes Domain Validated, Organization Validated, and Extended Validation certificates. Coverage scope includes single-domain, wildcard, and multi-domain certificates.

These categories are not direct alternatives. One describes what gets validated, and the other describes what gets covered.

SSL certificates by validation level

SSL certificates are categorized into three primary levels of validation, each offering a different degree of vetting and verification.  These levels affect how much identity checking the certificate authority performs before issuing the certificate, and they often influence which sites each type fits best. The higher the vetting level, the more authoritative your certificate appears to the end user.

Note: A higher validation level does not change how secure your new certificate will be; it changes only the amount of vetting performed to validate that your domain is linked to the person or organization ordering the certificate. The security of a certificate, that is, its resistance to cracking, is determined by the encryption hash size used to create the request.

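|                 | DV                                   | OV                                          | EV                                             |
|-----------------|--------------------------------------|---------------------------------------------|------------------------------------------------|
| What’s verified | Domain control                       | Organization identity                       | Full identity + exclusive domain rights        |
| Vetting level   | Minimal                              | Moderate                                    | Most rigorous                                  |
| Cost            | Lowest                               | Mid-range                                   | Highest                                        |
| Speed to issue  | Fastest                              | Moderate                                    | Slowest                                        |
| Best for        | Blogs, info sites, internal projects | Commercial sites collecting customer info   | Banks, healthcare, finance, large ecommerce    |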

Domain validation certificates

Domain Validation SSL certificates are the fastest and simplest to issue because the certificate authority verifies control of the domain, not the legal identity of the business behind it, typically with a DNS entry or a temporary file on your website.

Because DV certificates are one of the least expensive and fastest types to obtain, they are often used by blogs, informational websites, internal projects, and smaller web properties that need HTTPS without added validation overhead.

Organization validated certificates

OV certificates verify the organization behind the domain, which gives visitors a higher level of assurance than a DV certificate. To obtain one, the website owner must complete a validation process administered by the certificate authority, which could be a phone call, physical address verification, or legal entity registration.

OV certificates are often used for commercial and public-facing websites that collect customer information. They make sense when the site represents a real business and the operator wants a stronger identity signal than DV alone provides.

Extended validation certificates

The highest-ranking and most expensive SSL certificate type is the Extended Validation (EV) certificate, sometimes known as a “green bar” certificate. Setting up an EV certificate requires the website owner to undergo a standardized identity verification process to confirm that they have exclusive rights to their domain. EV certificates involve the most rigorous vetting of the three major validation levels, including signed notarized letters and third-party directory lookups, in addition to the prior levels’ checks.

Since EV certificates are expensive and require an extended verification process, they are used mainly by high-profile websites that require a lot of personal information from their visitors or frequently collect online payments.  Banks, healthcare organizations, financial services companies, and larger ecommerce operations are common examples.

Types of SSL certificates by coverage scope

As websites grow more complex and organizations expand their online presence, the need for flexibility in SSL coverage becomes more important. Different certificate scopes allow a more flexible setup or simpler management across a multi-domain site fleet. The wider the scope of coverage, the more domain names or subdomains a single certificate can cover.

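|                   | Single-Domain                                                    | Wildcard                                                | Multi-Domain                                                      | Multi-Domain Wildcard                                 |
|-------------------|------------------------------------------------------------------|---------------------------------------------------------|-------------------------------------------------------------------|-------------------------------------------------------|
| Covers            | One FQDN                                                         | One base domain + unlimited subdomains                  | Up to 100 domains and subdomains                                  | Multiple root domains + their subdomains              |
| Validation levels | All (DV, OV, EV)                                                 | DV, OV                                                  | All (DV, OV, EV)                                                  | DV, OV                                                |
| Cost              | Lowest                                                           | Mid-range                                               | Mid-range                                                         | Highest                                               |
| Best for          | Small business sites, personal sites, single-domain ecommerce    | Sites with many first-level subdomains under one domain | Businesses managing multiple branded or country-specific domains | Larger organizations with complex domain structures   |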

Single-domain SSL certificates

Single Domain SSL Certificates secure a single fully qualified domain name (FQDN).  They are the most straightforward option when one site lives on one domain and does not need broad subdomain or multi-domain coverage.

Single Domain SSL Certificates are available in all validation levels and provide a cost-effective solution for websites with a simple structure.  They are a common fit for small business sites, personal websites, and ecommerce stores that operate on one primary domain.

Wildcard SSL certificates

Wildcard SSL certificates are available as both OV and DV and are used to secure a base domain and unlimited subdomains.  The main benefit of purchasing a wildcard certificate is that it’s cheaper than buying several single-domain certificates. 

Wildcard SSL certificates have an asterisk as part of their common name.  For example, *.example.com can secure subdomains such as blog.example.com and account.example.com. That makes wildcard certificates useful when one domain supports many first-level subdomains and you want to manage them under one certificate, or when you have a need to rapidly add new protected subdomains.

Multi-domain SSL certificates

Multi-Domain SSL certificates can secure up to 100 different domain names and subdomains using a single certificate, which can help save time and money.  Businesses have control of the Subject Alternative Name field to add, change, and delete any of the SANs as needed. 

This is the right choice when the business manages multiple branded domains, country-specific domains, or different services that do not live under one shared base domain. Instead of juggling separate certificates for each one, you can manage and renew them together. Because the validation process for DV or EV can be expensive, a multi-domain certificate can be a good choice for time and cost savings in an organization with co-branded domains.

Multi-domain wildcard SSL certificates

Multi-Domain Wildcard SSL Certificates combine the functionality of Wildcard and Multi-Domain certificates, securing multiple root domains and their subdomains under a single certificate.  They are useful for larger organizations with more complex domain structures, but they also come with more complexity and a higher price than simpler certificate types.

What changes between certificate types, and what does not

The most important difference between SSL certificate types is usually not the core encryption strength. The practical differences are the validation process, the level of trust or identity verification, and how many domains or subdomains the certificate protects.

It also helps to separate a few related terms. 

  • People still say “SSL certificates,” but modern secure connections rely on TLS. HTTPS is the secure version of HTTP, and it uses an SSL/TLS certificate to encrypt traffic. 
  • Port 443 is the common port used for HTTPS traffic. These terms relate to one another, but they are not interchangeable.

What kind of SSL certificate do you need?

If you need to choose quickly, start with two questions: 

  • How much identity validation do I need?
  • How many domains or subdomains do I need to protect?

A basic blog, content site, or small informational website often needs a DV certificate. A business website that wants stronger organizational credibility may need OV. A financial, medical, or high-trust ecommerce site may need EV. For coverage, a single-domain certificate fits one primary domain, a wildcard certificate fits one domain with many subdomains, and a multi-domain certificate fits businesses managing several separate domains.

SSL providers and the idea of the “best” certificate

There is no single best SSL certificate type for every website. The better question is which certificate type matches the site’s validation needs and domain structure. A small content site and a large ecommerce operation should not make the same choice simply because one product has a bigger warranty or a more recognizable certificate authority name.

The provider for your SSL still matters. Support, issuance speed, management experience, renewal handling and notices, and certificate options all affect your day-to-day operations. That is especially true for teams managing several domains, client sites, or business-critical systems where missed renewals or certificate problems create real disruption.

SSL certificate management in the real world

Choosing the right certificate is only part of the job. Installation, renewal, replacement, and validation all matter too. 

The review process for your SSL certificate is straightforward, but it’s essential for reaping the security benefits that all the SSL certificate types provide. Once the certificate is installed, the URLs should load over HTTPS, and the browser should show the expected padlock and certificate details. Liquid Web’s free SSL verification tool is one way to confirm that the certificate is active, valid, and trusted.

It’s also worth being clear about self-signed certificates. Self-Signed SSL Certificates are created and signed by the website owner rather than a trusted Certificate Authority. They can encrypt traffic, but browsers do not trust them by default, which means they trigger warnings for public visitors. That makes them perfectly reasonable for testing or internal environments, but not a good fit for production websites that need public trust.

SSL certificate FAQs

In most cases, yes. The main differences between certificate types come down to provider, validation, trust, and coverage, not stronger or weaker encryption.

Wildcard certificates usually cover first-level subdomains on one base domain, but not different root domains or deeper subdomain levels unless specifically supported. For instance, a certificate for *.domain.com would cover sub.domain.com, but usually not sub.sub.domain.com.

Yes. A multi-domain or SAN certificate can secure multiple separate domain names under one certificate. A single-domain certificate at any level will also usually cover traffic for its www subdomain as well, if that is included with your signing request.
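
The coverage rules from the wildcard and multi-domain answers above can be checked against a site inventory before ordering or renewing. The following is an added example, not Liquid Web code: the name lists and inventory are constructed, and the single-domain list assumes the www name was included in the signing request.

```python
def _labels(name):
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, hostname):
    """Match one certificate name entry against one hostname.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label, which is how browsers treat it.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) >= 3 and "*" not in p[1:] and p[1:] == h[1:]
    return "*" not in pattern and p == h

def covered_by(cert_names, hostname):
    """Certificate entries that cover hostname (empty list means none)."""
    return [n for n in cert_names if name_matches(n, hostname)]

# Constructed name lists, one per coverage scope the article describes.
SINGLE = ["example.com", "www.example.com"]
WILDCARD = ["*.example.com"]
MULTI_DOMAIN = ["example.com", "shop.example.net", "example.org"]
MULTI_WILDCARD = ["*.example.com", "example.com", "*.example.net"]

# Constructed site inventory to check before ordering or renewing.
INVENTORY = ["example.com", "www.example.com", "blog.example.com",
             "api.dev.example.com", "shop.example.net", "example.org"]

def uncovered(cert_names, hostnames=INVENTORY):
    """Hostnames that no entry covers, i.e. a browser name-mismatch warning."""
    return [h for h in hostnames if not covered_by(cert_names, h)]

if __name__ == "__main__":
    for label, names in [("single-domain", SINGLE), ("wildcard", WILDCARD),
                         ("multi-domain", MULTI_DOMAIN),
                         ("multi-domain wildcard", MULTI_WILDCARD)]:
        print(f"{label:22} leaves uncovered: {uncovered(names)}")
```

Note that the wildcard-only list leaves the bare example.com uncovered, which is why the base domain is listed as its own entry in the multi-domain wildcard list.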

Getting started with SSL certificates

SSL certificates make more sense when you break them into two decisions: how much validation (height) you need and how much coverage (width) you need. DV, OV, and EV describe the level of vetting. Single-domain, wildcard, and multi-domain certificates describe what the certificate protects.

A good next step is to map your site and organization against those two questions before you buy or renew anything. Decide whether your priority is basic encryption, stronger business validation, broader subdomain coverage, or protection for multiple domains.

Once you have this information and are ready to begin the order process, check out https://www.liquidweb.com/help-docs/security/ssl/ordering-an-ssl-certificate/ for the right procedure for your server.

If you want a stronger foundation for site security, performance, and day-to-day management, explore Liquid Web hosting plans and SSL resources. 
