Choosing an SSL certificate shouldn't be complicated—but with dozens of options across DV, OV, EV, wildcard, and multi-domain certificates, it's easy to pick the wrong one. This guide walks you through the decision in three straightforward steps.
The decision in 30 seconds:
- Most personal sites and blogs need a DV (Domain Validated) certificate—encryption is identical to pricier options.
- Business sites handling transactions should consider OV or EV for verified organizational identity.
- Multiple domains or subdomains? You need wildcard or multi-domain (SAN) coverage.
Use the SSL Certificate Wizard
Answer 5 quick questions and get a personalized certificate recommendation with a direct purchase link. Takes about 60 seconds.
Start the WizardStep 1 — What Are You Securing?
Before picking a validation level or brand, start with the basics: what exactly needs to be covered by the certificate?
One domain
A single website like example.com. Blogs, portfolios, SaaS apps, landing pages. A standard single-domain certificate covers this.
Subdomains
Multiple subdomains like shop.example.com, api.example.com. A wildcard certificate covers all subdomains under one level.
Multiple domains
Completely different domains like example.com + example.net. A multi-domain (SAN) certificate covers up to 100+ FQDNs on one cert.
Quick note: Internal or private hostnames (like intranet.local) typically don't need certificates from a public Certificate Authority. Public CAs can only issue certificates for domains you can verify over the public internet.
Step 2 — How Much Identity Trust Do You Need?
All SSL certificates provide identical encryption. The difference is how much the Certificate Authority verifies about you. There are three levels, and the right one depends on your audience's expectations.
DV — Domain Validated
Proves you control the domain. No business identity checks. The CA verifies domain ownership via DNS record, file upload, or email—and issues the certificate, often within minutes.
Best for:
Personal sites, blogs, portfolios, internal tools, staging environments, any site where visitors don't need to verify your organization.
→ Browse DV SSL certificates
OV — Organization Validated
Verifies your organization's legal existence and name. The company name appears in the certificate details. Requires documentation—business registration, phone verification, or a DUNS number.
Best for:
Business websites, B2B portals, e-commerce, SaaS platforms, any site where showing verified company identity matters. See our SSL certificate pricing guide for cost comparisons.
→ Browse OV SSL certificates
EV — Extended Validation
The highest level of identity verification. The CA confirms the legal entity's existence, physical address, operational status, and authorization of the certificate request—including a phone callback.
Best for:
Banks, financial institutions, regulated industries, large e-commerce operations, government websites—any environment where maximum identity assurance is expected or required by compliance.
→ Browse EV SSL certificates
Step 3 — How Many Names Should the Certificate Cover?
Once you've picked your validation level, decide how many hostnames the certificate needs to secure.
Single-domain
Covers one fully qualified domain name (FQDN). For example, example.com. Most single-domain certs also cover www.example.com as a SAN automatically.
Wildcard
Covers unlimited subdomains under one level: *.example.com secures shop.example.com, api.example.com, blog.example.com, and any future subdomains you add. Does not cover second-level subdomains like dev.api.example.com.
Multi-domain (SAN)
Lists multiple different FQDNs on a single certificate using Subject Alternative Names. Can include 100+ domains—ideal for organizations with multiple brands or TLDs. For example: example.com, example.net, brand.org on one cert.
EV Wildcard is not permitted
The CA/Browser Forum Baseline Requirements explicitly prohibit issuing wildcard certificates with Extended Validation. No Certificate Authority can sell you an EV wildcard—it doesn't exist.
What to do instead: Use a separate EV certificate for your main domain (e.g., example.com) combined with a DV or OV wildcard for subdomains. Alternatively, use an EV SAN certificate that lists specific subdomains individually.
Quick Decision Table
Match your situation to a recommendation. This covers the most common scenarios we see.
| Use case | Recommended |
|---|---|
| Personal blog | DV Single |
| SaaS with subdomains | DV Wildcard |
| Business website | OV Single |
| Multi-brand company | OV Multi-Domain (SAN) |
| Online banking / regulated | EV Single |
| E-commerce with subdomains | OV Wildcard + EV for checkout |
Common Mistakes Before You Buy
These come up repeatedly. Avoid them and you'll save time, money, and frustration.
Wrong domain included
Forgetting to include both example.com and www.example.com. Most CAs include both automatically for single-domain certs, but always verify. Use our SSL Checker to confirm what your current certificate actually covers.
Wildcard vs SAN confusion
Wildcard (*.example.com) covers subdomains of one domain. SAN covers different domain names. If you have brand-a.com and brand-b.com, wildcard won't help—you need a multi-domain SAN certificate.
Assuming DV verifies your business
DV only proves domain control. Your company name doesn't appear anywhere in the certificate. If you need visible organizational identity—especially for a business website—you need OV or EV.
Not planning for renewal automation
With certificate lifetimes getting shorter in 2026, manual renewal becomes increasingly risky. Choose a CA that supports ACME automation, or set up monitoring alerts well before expiration.
2026 Update — Why Certificate Lifecycle Changes Matter
The CA/Browser Forum passed Ballot SC-081, which phases in shorter SSL certificate lifetimes starting in 2026. This directly affects how you buy and manage certificates.
March 2026
Maximum validity drops to 200 days
March 2027
Maximum validity drops to 100 days
March 2029
Maximum validity drops to 47 days
The practical impact: more frequent renewals mean automation is no longer optional for most organizations. When choosing a certificate, factor in whether your CA and hosting platform support automated renewal via ACME or similar protocols.
For a deeper look at the timeline and preparation steps, read our guide on certificate lifetime changes in 2026.
Try the Wizard (Recommended Next Step)
If you're still weighing options, our Certificate Finder Wizard walks you through 5 targeted questions and returns a specific recommendation based on your answers—including a direct link to purchase.
The wizard asks:
- What type of certificate do you need? (SSL, code signing, email, or document signing)
- What validation level? (DV, OV, or EV)
- How many domains or subdomains?
- Which Certificate Authority do you prefer?
- What's your top priority? (cost, speed, trust, or features)
The result includes your recommended certificate type, an alternative option, and purchase links.
Use the SSL Certificate Wizard
Answer 5 quick questions and get a personalized certificate recommendation with a direct purchase link. Takes about 60 seconds.
Start the Wizard