A Domain Validation (DV) SSL certificate is the most basic type of SSL certificate: the Certification Authority (CA) verifies only the applicant’s right to a given domain. This means that the only thing checked is that the domain is under the control of the person or company ordering the certificate – additional organizational data or the identity of the website owner is not checked. As a result, a DV certificate contains only the name of the secured domain, with no information about the website owner. Thanks to the simplified validation procedure, DV certificates are issued the fastest (even within a few minutes) and are usually the cheapest SSL certificates. Their purpose is to provide an encrypted connection to the given domain; they do not verify the identity of the entity operating the site.
How does a DV SSL certificate work? (encryption and verification)
A DV certificate, like any SSL/TLS certificate, enables an encrypted connection between the user’s browser and the server. It contains the server’s public key and is digitally signed by a trusted Certification Authority. When the browser connects to a secured site (HTTPS), a TLS handshake takes place – establishing the encryption algorithms and keys used for communication. In practice, asymmetric encryption is used (with the DV certificate’s public key for exchanging a secret) and then symmetric encryption is applied to encrypt the transmitted data. DV certificates offer just as strong encryption as other types of certificates (e.g., 256-bit session encryption) – the level of security does not depend on the type of validation but on the protocols and keys used in the connection. After proper installation of the DV certificate, the browser will display a padlock symbol next to the address, indicating a secure connection.
Identity Verification (domain validation): In the case of DV, the Certification Authority verifies only control over the domain (Domain Control Validation). This process is automated – the CA checks whether the entity ordering the certificate actually has control over the domain for which the certificate is to be issued. In practice, this is done through one of several possible mechanisms:
- Email Verification: The CA sends an email containing a confirmation link to an address associated with the domain (e.g., admin@yourdomain.com or the address from WHOIS). When the domain owner clicks the link, the right to the domain is confirmed. Traditionally, this requires access to an administrative email address in that domain (e.g., admin@yourdomain.com, postmaster@yourdomain.com, etc.).
- DNS Verification: The CA requests that a unique record (TXT or CNAME) be added to the DNS zone of the domain. The presence of this record in DNS confirms that the applicant has access to the domain’s configuration.
- HTTP (file) Verification: The CA generates a unique text file that must be placed on the web server at a specified address (e.g., in the /.well-known/pki-validation/ directory). The Certification Authority then checks whether the file is accessible on the site – which confirms control over the website.
Meeting any one of the above conditions is sufficient to obtain DV validation – no documents or verification of company data are required, and the entire process is generally automated. As soon as the CA confirms control over the domain, it issues a certificate containing the name of that domain and signs it with its own key. Browsers trust the DV certificate because it is signed by a trusted Certification Authority that is on the list of trusted root CAs. This allows the user to establish a secure connection to the site without warnings.
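The DNS and HTTP checks described above can be modelled as a small challenge/response exchange. The following is an added example, not code from any CA: the TXT label, file name, one-hour lifetime and the in-memory `published` dictionary standing in for public DNS and the web are all assumptions made for illustration.

```python
import hmac
import secrets
import time

TTL_SECONDS = 3600            # assumption: a challenge stays valid for one hour
DNS_LABEL = "_dcv-challenge"  # hypothetical TXT record label
FILE_NAME = "dcv-token.txt"   # hypothetical validation file name

def norm(domain):
    return domain.strip().rstrip(".").lower()

def location(domain, method):
    """Where the CA looks; derived only from the domain being requested."""
    if method == "dns":
        return f"TXT {DNS_LABEL}.{norm(domain)}"
    if method == "http":
        return f"http://{norm(domain)}/.well-known/pki-validation/{FILE_NAME}"
    raise ValueError("unsupported validation method")

class ToyCA:
    def __init__(self, lookup, clock=time.time):
        self.lookup, self.clock, self.pending = lookup, clock, {}

    def request(self, domain, method):
        """Issue a fresh random token and tell the applicant where to publish it."""
        where = location(domain, method)
        self.pending[where] = (secrets.token_urlsafe(32), self.clock() + TTL_SECONDS)
        return self.pending[where][0], where

    def validate(self, domain, method):
        where = location(domain, method)
        if where not in self.pending:
            return "no-challenge"
        token, expires_at = self.pending[where]
        if self.clock() > expires_at:
            del self.pending[where]
            return "expired"
        seen = self.lookup(where)  # what the CA observes from the outside
        if not any(hmac.compare_digest(v.strip().encode(), token.encode()) for v in seen):
            return "token-not-found"
        del self.pending[where]  # single use: one validation per challenge
        return "validated"

def demo():
    now, published = [1000.0], {}  # constructed clock and stand-in for public DNS/web
    ca = ToyCA(lambda loc: published.get(loc, []), clock=lambda: now[0])
    token, where = ca.request("Example.com.", "dns")
    published[location("other.example", "dns")] = [token]  # record in a different zone
    out = [ca.validate("example.com", "dns")]
    published[where] = ["unrelated", token]  # record added in the requested zone
    out += [ca.validate("example.com", "dns"), ca.validate("example.com", "dns")]
    token2, where2 = ca.request("example.com", "http")
    published[where2] = [token2 + "\n"]
    now[0] += TTL_SECONDS + 1  # file is in place, but the CA checks after expiry
    return out + [ca.validate("example.com", "http")]
```

The check succeeds only when the token appears at a location derived from the requested domain, which is exactly the "control over the domain" that DV attests to and nothing more.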
The process of obtaining a DV certificate (steps, requirements, time)
Steps to obtain a DV certificate:
- Choosing the provider and type of certificate: First, you must choose a Certification Authority or intermediary (e.g., a hosting provider or a company selling certificates) and a specific DV certificate (e.g., single-domain, wildcard, etc.).
- Generating a CSR (Certificate Signing Request): On the server (or through the provider’s control panel), a private key and a Certificate Signing Request containing, among other things, the domain name, are generated. The CSR is then submitted to the chosen certificate issuer.
- Domain Validation (DCV): The aforementioned Domain Control Validation process is initiated. The applicant must meet the domain verification requirement – most often by clicking a link in an email from the CA, adding a DNS record, or placing a file on the server. For many certificates, simply confirming the link sent to the domain administrator’s address or uploading a file to a specified location is sufficient.
- Issuance of the certificate: After successful verification, the CA generates a DV certificate for the domain. The certificate (a .crt or .pem file containing the signed data) is issued very quickly – usually within a few minutes of validation confirmation. Thanks to automation, the issuance time for a DV certificate is minimized – often taking 2–10 minutes. In some cases, it may take slightly longer (e.g., up to a few hours) if additional manual verification by the issuer is required, but these are exceptional cases.
- Installation of the certificate on the server: The final step is to install the received certificate (along with the corresponding chain of CA intermediate certificates) on the web server hosting the domain. Once properly installed, the site will be accessible via HTTPS and the browser will display a padlock instead of a warning.
Requirements: To obtain a DV certificate, you must own a domain and have the ability to manage it (access to DNS configuration or the email account in that domain or files on the web server). No company registration documents or personal data are required – a DV certificate can be obtained by both a company and an individual, provided they have control over the domain. Technically, it is also necessary to generate a private key and CSR (which can be done independently or by using the automated tools provided by many vendors). It is advisable to ensure that the domain has a properly configured administrative email address or that you have access to the DNS/server panel to quickly carry out the validation.
Process Duration: Obtaining a DV certificate is very fast. Preparing the request (CSR) takes only a few minutes, and the actual validation and issuance of the certificate occur almost immediately after the verification requirement is met. In practice, the entire process from placing the order to receiving the certificate often takes only a few to a dozen minutes. When using automated services (e.g., ACME scripts), the certificate can be issued in as little as a few tens of seconds from the start of validation. In comparison, higher-level certificates (OV, EV) require manual organizational verification, which extends the issuance time to several days or more. DV certificates are therefore the fastest to obtain among all SSL classes.
Advantages and disadvantages of a DV certificate
Advantages of a DV certificate:
- Provides strong encryption: A DV certificate guarantees the same level of connection encryption as more expensive OV or EV certificates – it protects the confidentiality of user data (e.g., passwords, forms) via the HTTPS protocol.
- Rapid issuance: The validation process is automated and very fast. Obtaining a DV certificate usually takes only a few minutes from the moment of domain verification. This means the site can be secured almost immediately, which is beneficial when encryption is urgently needed.
- Low cost: DV certificates are the cheapest on the market – many of them cost only a few dozen zlotys per year. This allows even small sites and hobby pages to implement HTTPS without significant expense.
- No complicated formalities: Issuing a DV certificate does not require presenting documents or undergoing audits – the company’s identity is not verified, eliminating bureaucracy. Verification is carried out online (via email/DNS) without paperwork, which simplifies and speeds up the procedure.
- Universal browser acceptance: A DV certificate issued by a recognized CA is accepted by all popular browsers and devices. The user will see a padlock and avoid warnings about an unsecured site, thereby increasing trust in the website (compared to having no SSL at all).
- Availability of Wildcard and Multi-domain options: Most providers offer DV certificates in various variants – you can secure a single domain, multiple domains (SAN/UCC), or any number of subdomains (wildcard certificate). This allows you to flexibly tailor a DV certificate to your needs (e.g., one DV certificate can secure *.mydomain.com).
Disadvantages of a DV certificate:
- Lack of owner identity verification: The biggest limitation of DV is that it does not confirm the identity of the organization or individual behind the website. The user only sees that the connection is encrypted, but the certificate does not reveal which company or institution specifically owns the site. A DV certificate does not include the company’s name or any other identifying information. This results in a lower level of trust compared to OV/EV certificates, which provide such details.
- Lower credibility for the user: DV is anonymous (apart from the domain name), meaning that internet scammers can also obtain such a certificate for a fake domain. Thus, the padlock next to the address does not guarantee that the site belongs to a trusted company – it only confirms encryption. Users might be misled by seeing a padlock on a phishing site. The absence of a displayed organization name means that DV does not build as much trust as a certificate with organizational validation.
- Lack of additional trust indicators: EV certificates trigger special indicators in browsers (e.g., formerly a green bar with the company name), and providers often offer a visible site seal (security seal) for display on the site. In the case of DV, although some providers offer a static security seal, there are no unique browser indicators aside from the standard padlock.
- Lower financial guarantees: Commercial SSL certificates usually include a financial guarantee in case of CA errors. For DV certificates, these guarantees are relatively low (ranging from $10,000 to approximately $50,000). In comparison, EV certificates can have guarantees reaching millions of dollars, reflecting the difference in the level of trust.
A DV certificate provides basic security (encryption) at minimal cost and time; however, it does not visibly enhance the credibility of the entity. Therefore, it is worth considering the intended purpose – in some cases, the drawbacks of DV (lack of owner verification) may be significant.
Comparison of DV with other types of SSL certificates (OV, EV)
There are three main levels of SSL certificate validation available on the market: DV (Domain Validation), OV (Organization Validation), and EV (Extended Validation). They differ in the scope of pre-issuance verification, the information contained in the certificate, the time and cost of obtaining them, as well as the way they are presented in the browser. The table below presents the key differences between DV, OV, and EV:
Feature | DV (Domain Validation) | OV (Organization Validation) | EV (Extended Validation) |
---|---|---|---|
Validation Scope | Only domain control – automatic confirmation of domain ownership (DNS/Email/file). No verification of company data. | Verification of the domain and basic organizational data (the identity of the company or institution is verified by the CA based on registers, documents, etc.). | Full, extended verification – the company's registration data, its right to the domain, and often additional documents (e.g., articles of association, bank statement) as well as telephone contact are thoroughly checked. The most rigorous validation. |
Certificate Data | Contains only the domain name. The certificate is anonymous regarding the entity – it does not include the company name or address. | Contains the domain name and the name of the applying organization (and often its country). The company data are visible in the certificate details, confirming who owns the website. | Contains the domain name and the full company details (legal name, country/jurisdiction). The certificate confirms that the company has been thoroughly verified by the CA. |
Issuance Time | Very short: usually a few minutes to an hour, thanks to process automation. | Average: from several dozen hours to a few days. Manual verification of company documents usually takes 1–3 business days (may be extended if verification is difficult). | Long: the longest issuance time – usually about 7–10 business days, sometimes up to ~2 weeks. This is due to a very detailed, multi-step verification. |
Cost | Cheapest: often free or low cost (around several dozen PLN per year). | Higher: costs more than DV – usually a few hundred PLN per year (due to additional CA verification work). | Most expensive: EV certificates are the costliest – the price can range from a few hundred to several thousand PLN per year, depending on the provider. This is the price for the highest level of trust and verification. |
Browser Presentation | Lock icon next to the address (encrypted connection). No entity name next to the address – the user must check the certificate themselves to determine the owner (which in DV is not provided anyway). | Lock icon. When clicking on the certificate details, the user will also see the name of the organization owning the site, verified by the CA. There is no direct highlighting of the company name in the address bar (in modern browsers). | Lock icon + company name next to the address (formerly a green bar). Browsers display the name of the verified organization next to the lock or after the user clicks it, signaling the highest level of trust. EV thus provides the clearest information about the entity. |
Example Uses | Small websites and internal services: blogs, forums, hobby sites, small shops with simple transactions, personal websites or temporary projects. Also internal services (intranet, mail server, FTP, etc.) where encryption is needed rather than public identification. | Standard corporate websites and e-commerce: business sites, medium-sized online shops, portals requiring login. Anywhere the user should know the name of the company operating the site (to enhance credibility), e.g., online shops that value customer trust, public administration websites, non-profit organizations. | Websites requiring the highest level of trust: banking and financial services, large e-commerce platforms, corporate transaction sites, portals requiring sensitive data input (e.g., insurance systems). Most often chosen by banks, large companies, and highly reputed online shops. Increasingly, medium-sized companies investing in a security image also opt for EV. |
CA Financial Guarantee | Low: DV certificates have small guarantees (e.g., ~$10k – $100k), reflecting the limited liability of the CA in case of erroneous certificate issuance. | Medium: Higher than DV, in the order of several hundred thousand dollars. For example, many OV certificates have guarantees of ~$50k–$250k in case of compromise. | High: The highest guarantees – often > $1 million. Top EV certificates can have warranties reaching several million USD, providing additional protection for users (although in practice users rarely pay attention to this). |
(OV sometimes also appears in the variant IV (Individual Validation) – validation of the identity of a natural person instead of an organization, as seen with certificates for sole proprietors. The principles are analogous to OV.)
Main differences:
- DV – provides only encryption and confirms control over the domain – it is the fastest and cheapest, but does not provide any information about the website owner beyond the domain.
- OV – increases trust because the organization’s name appears in the certificate, but it does not offer as prominent an indicator as EV; its issuance takes longer and costs more.
- EV – offers the highest level of verification and the most recognizable security indicator (the company’s name next to the padlock), building maximum user trust – at the cost of a lengthy procedure and high price.
The choice depends on the needs: for a simple blog, DV is sufficient, but for a bank, EV is required.
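The "Certificate Data" row of the table can be checked directly on a certificate. This added example (not from the original article) reads a dictionary shaped like the output of Python's `ssl.SSLSocket.getpeercert()` and reports which identity data the subject carries and whether a host name is covered. The classification is a heuristic based on subject fields (the authoritative marker is the CA/Browser Forum policy OID in the certificate policies extension, which this dictionary does not include), the name matching is simplified, and the three sample certificates are constructed.

```python
def subject_fields(cert):
    """Flatten the nested RDN tuples of getpeercert() into one dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def covers(pattern, host):
    """Simplified name match: '*' stands for exactly one left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def describe(cert, host):
    s = subject_fields(cert)
    org = s.get("organizationName")
    if org and "businessCategory" in s and "jurisdictionCountryName" in s:
        level = "EV"   # organization plus registration details
    elif org:
        level = "OV"   # organization name present
    elif "givenName" in s and "surname" in s:
        level = "IV"   # natural person instead of an organization
    else:
        level = "DV"   # domain name only, no identity data
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"level": level, "organization": org,
            "host_covered": any(covers(n, host) for n in names)}

# Constructed sample certificates (getpeercert()-style dictionaries).
DV_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}
OV_CERT = {
    "subject": ((("countryName", "PL"),),
                (("organizationName", "Example Sp. z o.o."),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "PL"),),
                (("serialNumber", "0000000000"),),
                (("countryName", "PL"),),
                (("organizationName", "Example Bank S.A."),),
                (("commonName", "bank.example.com"),)),
    "subjectAltName": (("DNS", "bank.example.com"),),
}
```

For the DV sample the result carries no organization at all, and the wildcard covers `shop.mydomain.com` but neither `mydomain.com` itself nor `a.b.mydomain.com`.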
When is it advisable to use a DV certificate?
A DV certificate is effective in situations where an encrypted connection is needed, but strong authentication of the website owner’s identity is not necessary. It is recommended for:
- Simple websites and personal projects: Blogs, personal pages, small news sites, portfolios, discussion forums, or hobby sites. DV will provide encryption (protecting logins, comments, etc.) without unnecessary formalities.
- Small businesses and startups: Small business websites, local enterprises, or new projects can benefit from DV at the start. This allows you to obtain HTTPS and a padlock quickly and inexpensively – preventing “Unsecured site” warnings. For a small online store that is just beginning, DV may be sufficient initially (e.g., providing encryption for the login page or a simple shopping cart).
- Testing and internal environments: DV is ideal for securing test servers, development sites, company intranets, extranets for partners, or mail and FTP servers. In these cases, the primary concern is data confidentiality, and the public identity of the site is not important.
- Temporary and low-risk services: If you are launching a temporary marketing campaign on a separate domain, a web application prototype, an event page, etc., a DV certificate will provide the necessary minimum (an encrypted connection) without waiting for organizational validation.
- Mass automation: Large platforms (e.g., hosting providers, blogging platforms) often use DV for convenience. This allows hundreds of thousands of sites to quickly obtain encryption, which would be unfeasible with the EV model.
Examples of sites using DV: Many popular sites use DV certificates. For instance, blogs on WordPress.com or Blogger, sites hosted on GitHub Pages, and numerous small online stores use DV. Additionally, some larger sites that do not require the brand to be displayed in the certificate opt for DV – for example, Wikipedia or projects of the Wikimedia Foundation. Moreover, many sites using CDN/Proxy services (like Cloudflare) employ automated DV to encrypt connections with users.
Of course, when it comes to building trust in identity, it is worth considering OV or EV. However, in most everyday applications (especially where the user does not expect to see the company name next to the padlock), a DV certificate is entirely sufficient to secure data transmission.
When choosing a provider, it is important to consider the renewal price (often promotions apply to the first year, and renewal may be more expensive), the validity period (most commercial DV certificates can currently be purchased for a maximum of 1 year due to browser restrictions, with longer periods possible through certificate subscription), the level of guarantee (whether the CA’s financial liability is important to you), as well as support and ease of installation. Companies that value technical support and additional options may opt for inexpensive DV certificates from reputable CAs such as Sectigo or Certum. Regardless of the provider, any DV certificate from a trusted authority will fulfill its basic role – enabling a secure, encrypted HTTPS connection and removing security warnings, which is the current standard for a professionally run website.