Domain Validation (DV) SSL Certificates Explained
Domain Validation (DV) certificates are the most widely issued type of SSL/TLS certificate. They verify that the certificate applicant controls the domain in question, without validating organizational identity. DV certificates power the majority of HTTPS connections on the internet, driven largely by the availability of free certificates from Certificate Authorities like Let's Encrypt.
This guide covers how DV validation works, when to use it, its limitations, and how it compares to Organization Validation (OV) and Extended Validation (EV) certificates.
What Domain Validation Means
When a Certificate Authority (CA) issues a DV certificate, it confirms one thing: the person or system requesting the certificate has administrative control over the domain. No business name, legal entity, or physical address is verified. The certificate's Subject field contains at most the domain name; no organization fields are populated, and the validated hostnames are listed in the Subject Alternative Name extension, which is what browsers actually match against.
This is by design. The purpose of a DV certificate is to enable encrypted communication between client and server. It answers the question "Am I talking to the server that controls example.com?" without answering "Who is the organization behind example.com?"
How DV Validation Works
CAs confirm domain control using a method permitted by the CA/Browser Forum Baseline Requirements (section 3.2.2.4 enumerates the allowed methods). The three you will encounter most often are described below, using the challenge names from the ACME protocol (RFC 8555) that Let's Encrypt and other automated CAs use:
HTTP-01 Challenge
The CA hands the applicant a random token and expects a specific response to be served over plain HTTP at:
http://example.com/.well-known/acme-challenge/{token}
The response body is the key authorization: the token, a period, and the SHA-256 thumbprint of the ACME account's public key. The CA's validation servers fetch the URL (following redirects, including to HTTPS), compute the key authorization themselves, and compare; a match confirms control. Binding the response to the account key means that the token alone, which is visible in the URL, is not enough to answer the challenge. Two practical caveats: port 80 must be reachable from the CA's validators (Let's Encrypt checks from several network vantage points, so a firewall rule for a single source address will not work), and anyone who can place files under /.well-known/acme-challenge/ on that host can obtain certificates for the domain, so treat write access to that path as sensitive.
DNS-01 Challenge
The applicant publishes a TXT record under the _acme-challenge label of the name being validated:
_acme-challenge.example.com. IN TXT "validation-token-here"
The value is the base64url-encoded SHA-256 digest of the same key authorization used by HTTP-01, not the raw token. The CA queries DNS (following a CNAME on the _acme-challenge label if one exists) and looks for a matching record. DNS-01 works for hosts with no web server, for names the CA cannot reach over HTTP, and is the only ACME challenge through which wildcard certificates can be issued. The trade-off is that automated renewal needs credentials that can modify the zone; scope them to the challenge label (for example by delegating _acme-challenge via CNAME to a separate zone) rather than giving the renewing host full control of production DNS. Verify your DNS records are configured correctly using our DNS Lookup tool.
Email Validation
Some CAs send a validation link to an address at the domain that the Baseline Requirements accept as evidence of control: one of the constructed mailboxes admin@, administrator@, webmaster@, hostmaster@ or postmaster@ at the domain, or a contact address obtained from the domain's registration record. Whoever clicks the link has proven access to the domain's administrative email, so those mailboxes must be protected as tightly as the DNS zone itself. Note that the CA/Browser Forum has voted to retire WHOIS-sourced contact addresses as a validation source, so expect the registration-record variant to disappear.
This method is not used by Let's Encrypt, whose ACME service supports only the HTTP-01, DNS-01 and TLS-ALPN-01 challenges (TLS-ALPN-01 answers the challenge with a special self-signed certificate presented on port 443 instead of an HTTP response).
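To make concrete what the CA actually compares in the HTTP-01 and DNS-01 checks described above, here is an added Python example (not code from this page or from any ACME client) that derives both challenge responses from an account key and then performs the CA-side comparison. The P-256 account key JWK, the token and the sample TXT records are constructed values; in practice the client generates the key and the CA supplies the token.

```python
import base64
import hashlib
import json

# Constructed sample values: a made-up P-256 ACME account public key (JWK) and a
# challenge token of the kind a CA supplies. Real clients generate the key and
# receive the token from the CA's authorization object.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "5e3tvT8RXGs4a5SW3w0X2zIuNQwSbBfs5_Q6Y2sdeHM",
    "y": "kEpVTuT8uPYw-7dNfHdsz5Tfe7RnOi7F6l4OSbmrZAg",
    "kid": "https://acme.example/acct/123",  # optional member, ignored by the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: only the key type's required members, keys
    sorted lexicographically, no whitespace. 'kid', 'alg', 'use' are excluded."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK JSON))."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: ties the challenge response to this account's key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response_valid(body: str, token: str, jwk: dict) -> bool:
    """The CA-side check after fetching /.well-known/acme-challenge/<token>.
    RFC 8555 section 8.3 allows trailing whitespace after the body to be ignored;
    anything else must match exactly."""
    return body.rstrip() == key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for _acme-challenge.<name>: base64url(SHA-256(key authorization)).
    Publishing the key authorization itself (or the bare token) is a common mistake."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_records_valid(txt_records, token: str, jwk: dict) -> bool:
    """The CA accepts the challenge if any TXT record at the label matches;
    unrelated records (SPF, verification tokens) at the same label are fine."""
    return dns01_txt_value(token, jwk) in txt_records


if __name__ == "__main__":
    print("HTTP-01 body :", key_authorization(TOKEN, ACCOUNT_JWK))
    print("DNS-01 TXT   :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

The thumbprint step is where hand-rolled clients most often go wrong: including optional JWK members, or serializing with spaces, changes the hash and every challenge silently fails validation.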
DV Certificate Characteristics
- Encryption strength. Identical to OV and EV certificates. A DV certificate supports the same cipher suites, key sizes, and TLS protocol versions. A 2048-bit RSA or P-256 ECDSA key on a DV certificate provides the same encryption as one on an EV certificate.
- Issuance speed. Seconds to minutes when automated. No human review is required.
- Cost. Free from Let's Encrypt, ZeroSSL, and others. Paid DV certificates from commercial CAs typically cost under $10/year but offer no technical advantage.
- Validity period. Publicly trusted certificates of every type (DV, OV and EV, free or paid) are capped at 398 days by the CA/Browser Forum Baseline Requirements. Let's Encrypt issues 90-day certificates by policy. The cap is shrinking: a CA/Browser Forum ballot adopted in 2025 steps the maximum down to 200 days in 2026, 100 days in 2027 and 47 days in 2029, so automated renewal is becoming a requirement rather than a convenience.
- Browser display. A padlock icon (or, in recent versions of Chrome, a neutral site-settings icon) with no organization name. Modern browsers show no visible difference between DV, OV and EV certificates in the address bar; the organization name in an OV or EV certificate is only visible by opening the certificate viewer.
When to Use DV Certificates
DV certificates are appropriate for:
- Blogs and content sites, where no user credentials or payment data are processed. (DV would encrypt a login form just as well; the question is only whether anyone needs the organization's identity asserted in the certificate.)
- API endpoints. Encryption in transit is required, but organizational identity is established through other means (API keys, OAuth).
- Development and staging environments. Quick issuance and free cost make DV ideal for non-production systems.
- Personal and small business websites. The encryption is equivalent, and the cost savings are significant.
- Mail servers. SMTP servers offering STARTTLS should present a DV certificate whose names cover the MX hostname. Be aware that most sending servers use opportunistic TLS and accept any certificate, so the certificate alone does not stop an active attacker from downgrading or intercepting the session; a receiving domain that publishes an MTA-STS policy tells senders to require a valid, publicly trusted certificate matching the MX hostname, and a DV certificate fully satisfies that requirement.
When DV Is Not Enough
Consider OV or EV certificates when:
- Regulatory or contractual requirements demand organizational identity in the certificate. Read the actual requirement before paying for OV or EV: PCI DSS, for example, requires strong cryptography and trusted certificates for cardholder-data transmission, not a particular validation level, but some procurement or partner agreements do specify OV or EV explicitly.
- You need to build additional trust with enterprise partners. Some organizations inspect certificates programmatically and require the Organization field to be populated.
- Industry expectations. Financial institutions and government agencies typically use OV or EV certificates by convention, even though the encryption is identical.
DV vs. OV vs. EV Comparison
| Feature | DV | OV | EV |
|---|---|---|---|
| Domain ownership verified | Yes | Yes | Yes |
| Organization verified | No | Yes | Yes (rigorous) |
| Issuance time | Minutes | 1-3 days | 1-2 weeks |
| Cost | Free to ~$10 | $50-$200 | $100-$500+ |
| Browser padlock | Yes | Yes | Yes |
| Organization in certificate | No | Yes | Yes |
| Wildcard available | Yes | Yes | No |
Managing DV Certificates
Because DV certificates are easy and often free to obtain, the primary operational challenge is lifecycle management at scale. Organizations with hundreds of subdomains and services must track expiration dates, automate renewals, and handle re-validation.
Use automated ACME clients (certbot, acme.sh, Caddy's built-in ACME) to handle issuance and renewal. Monitor certificate expiration through your infrastructure monitoring system. A single expired certificate on a mail server or API endpoint can cause cascading failures.
Confirm your domain's DNS configuration supports automated validation by checking your records with our DNS Lookup tool.
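The expiry monitoring recommended above, as an added Python example (not code from this page or from any of the tools it names). It connects with SNI and full chain and hostname verification, because a certificate that fails verification is a finding just as much as one that is about to expire, and it covers both direct TLS and the STARTTLS upgrade a mail server performs. The WARN_DAYS and CRIT_DAYS thresholds, the hostnames in the example inventory and the SAMPLE_CERT record are assumptions; check_host and check_smtp_starttls need network access, while report, days_remaining and classify run offline.

```python
import datetime as dt
import smtplib
import socket
import ssl
from typing import Optional

WARN_DAYS = 30  # assumed thresholds; tune to your renewal cadence
CRIT_DAYS = 7

# Constructed sample of what ssl.SSLSocket.getpeercert() returns, for offline testing.
SAMPLE_CERT = {
    "notAfter": "Jan 31 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "example.com")),
}


def utc(year: int, month: int, day: int) -> dt.datetime:
    """Helper for a fixed 'now' in tests and examples."""
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def days_remaining(not_after: str, now: Optional[dt.datetime] = None) -> int:
    """not_after is the string form getpeercert() returns, e.g. 'Jun  1 12:00:00 2026 GMT'."""
    expiry = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=dt.timezone.utc)
    now = now or dt.datetime.now(dt.timezone.utc)
    return (expiry - now).days


def classify(days: int) -> str:
    if days < 0:
        return "EXPIRED"
    if days < CRIT_DAYS:
        return "CRITICAL"
    if days < WARN_DAYS:
        return "WARNING"
    return "OK"


def report(host: str, cert: dict, now: Optional[dt.datetime] = None) -> dict:
    """Turn a parsed peer certificate into a monitoring record."""
    days = days_remaining(cert["notAfter"], now)
    return {
        "host": host,
        "status": classify(days),
        "days_remaining": days,
        "names": [value for _, value in cert.get("subjectAltName", ())],
    }


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Direct TLS (HTTPS, SMTPS on 465, ...). The default context verifies the
    chain against the system trust store and checks the hostname against the SANs."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return report(host, tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:  # must precede the broader handlers
        return {"host": host, "status": "VERIFY_FAILED", "detail": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}


def check_smtp_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Mail servers upgrade a plaintext session with STARTTLS; verify the MX
    hostname the same way an MTA-STS-enforcing sender would."""
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)  # smtplib passes the connect host as SNI
            return report(host, smtp.sock.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": "VERIFY_FAILED", "detail": exc.verify_message}
    except (OSError, smtplib.SMTPException) as exc:
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}


if __name__ == "__main__":
    for target in ["www.example.com"]:  # assumed inventory of HTTPS endpoints
        print(check_host(target))
    print(check_smtp_starttls("mail.example.com"))  # assumed MX hostname
    print(report("mail.example.com", SAMPLE_CERT, utc(2026, 1, 1)))
```

Run it from the monitoring system on a schedule and alert on anything other than OK. With the validity cap dropping toward 47 days, a 30-day warning threshold will need to come down with it.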