Domain Validation (DV) SSL Certificate
Domain Validation (DV) SSL certificates verify domain ownership only. Learn how DV certs work, when to use them, and how they compare to OV and EV certificates.
A Domain Validation (DV) SSL certificate is the most basic type of TLS certificate available. The Certificate Authority (CA) verifies only that the applicant controls the domain name — no company identity is checked. Because the validation process is automated, DV certificates are typically issued within minutes.
How DV Certificate Validation Works
To issue a DV certificate, the CA proves you control the domain using one of three methods defined by the CA/Browser Forum:
- DNS validation: Add a specific TXT or CNAME record to your DNS zone. The CA queries DNS and verifies it matches the expected value.
- HTTP file validation: Place a specific file at a well-known URL path on your web server. The CA fetches the file over HTTP/HTTPS to confirm control.
- Email validation: The CA sends a validation email to one of five pre-approved addresses for the domain (admin@, webmaster@, hostmaster@, postmaster@, or the registrant email).
What DV Certificates Show in a Browser
A DV certificate activates the padlock icon in the browser address bar and enables HTTPS. The certificate's Subject field contains only the domain name (Common Name / CN). No organization name is embedded in the certificate itself. If you decode a DV certificate, you'll see a bare CN like example.com with no Organization (O) or Locality (L) fields.
When to Use a DV Certificate
DV certificates are appropriate for:
- Personal websites, blogs, and portfolios
- Internal tools and staging environments
- APIs or services where the audience is developers who won't inspect the cert details
- Any use case where speed of issuance and low cost matter more than identity assertion
They are not appropriate for e-commerce checkout pages, banking applications, or any context where users expect to verify the organization behind the site.
DV vs. OV vs. EV: Side-by-Side Comparison
All three certificate types provide the same encryption strength. The difference is entirely about identity assurance — what the CA verifies before issuing.
| Feature | DV | OV | EV |
|---|---|---|---|
| What is verified | Domain control only | Domain + organization identity | Domain + rigorous org vetting |
| Issuance time | Minutes (automated) | 1–3 business days | Days to weeks |
| Organization in cert | No | Yes | Yes (+ jurisdiction) |
| Certificate Policies OID | 2.23.140.1.2.1 | 2.23.140.1.2.2 | 2.23.140.1.1 |
| Typical cost | Free (Let's Encrypt) | $50–$300/year | $200–$900/year |
| Best for | Blogs, APIs, dev tools | Business websites, SaaS | Banking, regulated industries |
Identifying a DV Certificate
Paste the certificate into the decoder above. Look for the Certificate Policies extension — a DV certificate contains the OID 2.23.140.1.2.1 (the CA/Browser Forum baseline policy for DV). The Subject will contain only CN, with no O (Organization) field. See also: OV SSL certificates and EV SSL certificates.
Ready to inspect a certificate?
Use the free decoder to decode any PEM certificate and see all fields including sans, fingerprints, validity dates, and extensions.
Decode a Certificate