Types of HTTPS Certificates

Self-Signed

Self-signed certificates are the most basic. They use the same underlying technology as other certificates; the only difference is that the information is not verified by a "trusted" organization known as a Certification Authority (CA). Web browsers will NOT see self-signed certificates as secure because you can misrepresent any data. Think of self-signed certificates as having someone take your word, instead of verifying with another person or organization like checking an ID or calling the company itself. This does not make self-signed certificates "bad" and they have their uses, usually internally at a company.

Domain-Validated (DV)

Domain-Validated (DV) certificates are the first level you'll get from Certificate Authorities (CAs). Before CAs "sign" your certificate, they need to verify you actually own the domain you're requesting. To demonstrate control, you'll be asked to have the domain return a random string of characters in DNS or a file. When the CA checks for this random string, they'll know you do control the domain as this would be hard to fake. The reason they do this is to prevent someone from requesting a fraudulent certificate for a big name like Google.com or Amazon.com. Let's Encrypt works on this level.

Wildcard Certificates

Wildcard certificates are the same as Domain-Validated (DV) but allow matching an unlimited number of subdomains. Instead of having a normal DV certificate covering "example.com" and "www.example.com", the wildcard would be issued for "*.example.com" and cover any subdomain like "thiswillwork.example.com".
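
How a client decides whether a wildcard name covers a hostname, as an added example that is not code from the original page. It follows the usual browser rule that "*" stands for exactly one leftmost label, so it also shows which names "*.example.com" does not cover; the function names and the sample hostnames other than those quoted above are constructed for illustration.

```python
# Added example: wildcard certificate name matching (single leftmost label).

def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def name_matches(cert_name, hostname):
    """True if one certificate name (exact or wildcard) covers hostname."""
    c, h = _labels(cert_name), _labels(hostname)
    if "" in c or "" in h or len(c) != len(h):
        return False              # empty label, or different depth
    if "*" not in cert_name:
        return c == h             # plain name: exact match only
    # Assumption: accept "*" only as the whole leftmost label, with at
    # least two labels after it, so "*.com" and "w*.example.com" are rejected.
    if c[0] != "*" or len(c) < 3 or any("*" in label for label in c[1:]):
        return False
    return c[1:] == h[1:]         # "*" stands for exactly one label


def cert_covers(cert_names, hostname):
    """True if any name listed on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed sample: names on a wildcard certificate vs. hostnames to visit.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ["www.example.com", "thiswillwork.example.com",
                 "a.b.example.com", "example.com", "www.example.org"]:
        print(host, cert_covers(WILDCARD_ONLY, host),
              cert_covers(WILDCARD_PLUS_APEX, host))
```

The bare domain and deeper names such as "a.b.example.com" only match when they are listed on the certificate as names of their own, which is why wildcard certificates are normally issued with the bare domain as a second name.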

Organization Validated (OV)

Organization Validated (OV) certificates are the same as Domain-Validated (DV), with additional steps to verify the organization. Things like address, phone number, and registration status with local governing bodies will be used. These are not very common because most visitors will not care enough to look for the difference.

Extended Validation (EV)

Extended Validation (EV) certificates are the same as Domain-Validated and Organization Validated, but go even further to confirm the business information listed. The big benefit is the "green bar" shown in browsers, indicating a higher level of trust. This comes with a bigger price tag to cover the costs of verifying all the information, and the much higher cost also adds a barrier to malicious use.

Code-Signing

This is a specialized certificate used to sign executables like programs, drivers, and more. Windows and macOS will look for this signature before running a program to ensure its validity and security. Otherwise, anyone could set up a fake site to look like a big software company and people would be tricked into downloading a piece of malware thinking it is legitimate.

Summary

You'll likely want a Domain-Validated certificate (free or paid), or an Extended Validation certificate if you want the "green bar" and have an established brand.