Understanding SSL Certificate Authentication & Validation

Feb 10, 2018 Scott Rogers Introduction-To

Like most things, SSL certificates come in several brands and types.

There are two basic functions that SSL/TLS certificates provide: encryption and trust. Today, we're going to talk about certificate trust.

Certification Authorities (CAs) like GeoTrust, DigiCert, and Sectigo (Comodo) vouch for the authenticity of a website by verifying the registration of the site's domain name and sometimes the company or organization behind it. The extent to which information is verified is known as the authentication or validation level.

Currently, there are three major certificate validation levels.

  1. Domain Validation (DV)
  2. Organization Validation (OV)
  3. Extended Validation (EV)

Domain Validation SSL

With a Domain Validated, or DV, certificate, the CA verifies that the person applying for an SSL certificate is the current owner of that domain name and has domain rights. You can verify that you own a domain name simply by receiving and responding to what's called a Domain-Control-Validation (DCV) email.

DV certs are the easiest and fastest to get, and they cost the least because the backend process for a CA to issue a DV cert can, for the most part, be automated without the need for real human interaction. Every step is computerized, reducing the costs to the CA and to you.

The downside to DV certs is that they are only validated at the domain level. The CA has vouched only for the domain, not for the company or organization behind it. DV certs are great for sites that simply want to give their users a secure session and possibly boost their SEO rankings.

Organization Validation SSL

An Organization Validated, or OV, certificate will display information about your domain name and the registered legal name of your business or organization. Additionally, it will contain the geographical location information for the city, state, and country where your company is registered to do business. We say that OV certs are validated or authenticated at the organization level (rather than just at the domain level).

Extended Validation SSL

Extended Validation, or EV, SSL certificates offer the pinnacle of online trust. EV certs take additional business validation steps beyond what's required of regular OV certs, hence the extended validation moniker.

Fact: Every EV cert is an OV cert but not every OV cert is an EV cert.

EV certs also provide visual trust by way of the "green bar." All popular web browsers participate in acknowledging that EV certs have gone through rigorous CA validation by turning the browser's address bar green and displaying the legal name of the company or organization. EV certificates give users instant comfort and trust by way of easy-to-understand visual cues.

EV Advantages

  • The highest level of trust available today
  • Turns the browser's address bar green
  • Displays the company or organization behind the domain
  • Lets your site's users instantly know you are not a fake phishing site
  • Not much more expensive than a regular OV cert

EV Concerns

  • Requires additional vetting and authentication steps that can seem overwhelming at first
  • Can require a little more time to be completed and issued
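
To check which of the three levels above a certificate was actually issued at, read its certificate policies extension: the CA/Browser Forum reserves the policy OIDs 2.23.140.1.2.1 (DV), 2.23.140.1.2.2 (OV) and 2.23.140.1.1 (EV). The following is an added example, not part of the original article; it parses constructed excerpts in the layout of `openssl x509 -noout -text` output, and the function names are illustrative.

```python
import re

# CA/Browser Forum reserved policy OIDs (these are not listed in the article itself).
CABF = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}

# Constructed excerpts in the layout `openssl x509 -noout -text` prints.
SAMPLE_OV = """\
        Subject: C = US, ST = California, L = San Jose, O = "Example Widgets, Inc.", CN = www.example.com
        Subject Public Key Info:
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                  CPS: https://ca.example/cps
"""
SAMPLE_DV = """\
        Subject: CN = blog.example.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
"""

def parse_openssl_text(text):
    """Return (subject attributes, policy OIDs) from openssl's text dump."""
    subject = {}
    m = re.search(r"^\s*Subject:\s*(.+)$", text, re.MULTILINE)
    if m:
        # Accepts "O = X" and "O=X"; quoted values may contain commas.
        for key, value in re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,]+)', m.group(1)):
            subject[key] = value.strip().strip('"')
    policies = re.findall(r"^\s*Policy:\s*([\d.]+)", text, re.MULTILINE)
    return subject, policies

def validation_level(subject, policies):
    """Return (level, warnings); level is 'EV', 'OV', 'DV' or 'unknown'."""
    levels = [CABF[p] for p in policies if p in CABF]
    if not levels:
        return "unknown", ["no CA/Browser Forum policy OID present"]
    # Report the strongest level asserted: EV over OV over DV.
    level = next(l for l in ("EV", "OV", "DV") if l in levels)
    warnings = []
    # OV/EV certs name the organization; DV certs vouch for the domain only.
    if level in ("EV", "OV") and "O" not in subject:
        warnings.append(f"{level} policy but subject has no organization (O)")
    if level == "DV" and "O" in subject:
        warnings.append("DV policy but subject carries an organization (O)")
    return level, warnings

if __name__ == "__main__":
    for name, text in (("ov", SAMPLE_OV), ("dv", SAMPLE_DV)):
        print(name, validation_level(*parse_openssl_text(text)))
```

A warning means the policy OID and the subject fields disagree, which is worth investigating before relying on the organization name shown to users.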

Which SSL Type Should You Use?

Like my father always said, use the right tool for the job. If you're publishing a blog and want to get on board with the Always-On-SSL (AOSSL) movement and possibly get an SEO boost, I would use a fast, simple, and inexpensive DV certificate. Problem solved.

If, on the other hand, you're operating an e-commerce site that asks for usernames, passwords, credit cards, or any personal, private, or confidential information, then definitely bring out the big EV hammer for the job. Users will feel more comfortable and are more likely to do business with you if you have an EV certificate.