Digital Certificates — SAN, Wildcard, DV, OV, EV and SNI

Part 4 of a four-part series about digital certificates

SSL certificates

Predominantly, there are three types of SSL certificates:

  1. Domain Validation (DV): the CA needs only minimal verification (email-based authentication may suffice) that the requester owns the domain. The CA can verify ownership¹⁵ of the domain by sending an email to the WHOIS registration email address.
  2. Organizational Validation (OV): the CA requires the requester to prove both domain ownership and the organization's identity, for example through proof of physical presence, telephone verification, etc.
  3. Extended Validation (EV): the CA requires the requester to complete multiple verification checks, including domain ownership, verification of the company's physical address, financial reviews, phone calls, etc. EV certificates require more stringent checks to protect customers' medical, financial, and personal data against theft and breaches, and thus help meet regulatory compliance requirements such as HIPAA, PCI DSS, GDPR, etc.
Chrome and Firefox used to show a green padlock for an EV certificate; now an EV certificate only gets a grey lock.
[Image: EV certificate for PayPal⁴, with the green padlock previously used by Chrome and Firefox]
[Image: EV certificate for PayPal⁴, which now only has a grey lock]
[Image: PayPal⁴ EV certificate showing the company and country name]
  1. OID 1.3.6.1.4.1.311.60.2.1.3 (jurisdictionOfIncorporationCountryName) identifies the country where the organization is incorporated
  2. OID 2.5.4.15 (businessCategory) identifies whether the organization is private, public, etc.
[Image: OID details for the Subject field of PayPal's EV certificate]
[Image: OID details for the Subject field of HDFC's¹⁶ EV certificate]
[Image: TLS handshake using a SAN certificate]
  1. Multi-Domain certificates¹⁴: one certificate can secure multiple domains, for example:
  • www.domain.com
  • www.domain2.com
  • secure.domain.com
  • www.domain.org
  • mail.domain.com.net
  • dev.domain2.org
[Image: DigiCert SAN certificate with the server names (websites) listed, an example of a Multi-Domain, aka SAN, aka UCC certificate¹⁴]
Wildcard certificate
[Image: Example of an FQDN with many levels of subdomains]
[Image: Wildcard certificate for google.com]
A wildcard matches exactly one label, so *.domain.com covers www.domain.com but not www.preview.domain.com; each deeper level of subdomain needs its own wildcard entry. A Multi-Domain Wildcard SSL certificate lists several such wildcard names, for example:
  • *.domain.com
  • *.blog.domain.com
  • *.preview.domain.com
  • *.project1.preview.domain.com
  • *.project2.preview.domain.com
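The matching rule above, as an added example that is not code from the original article: a small hostname-to-SAN matcher that applies the one-label wildcard rule and shows why the list needs a separate wildcard per subdomain level. The SAN lists and the helper names (`name_matches`, `covering_entry`) are constructed for this example.

```python
"""Hostname-to-SAN matching with the one-label wildcard rule.

Added example, not code from the original article. The names and the two
SAN lists are constructed to mirror the article's examples.
"""
from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    # Normalise: lower-case, drop one trailing dot, split into DNS labels.
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False          # a wildcard stands for exactly one label
    if any("*" in label for label in p[1:]):
        return False          # wildcard accepted only as the leftmost label
    if p[0] == "*":
        if len(p) < 3:
            return False      # crude stand-in for public-suffix rules (*.com)
        return p[1:] == h[1:]
    if "*" in p[0]:
        return False          # partial-label wildcards (w*.domain.com) rejected
    return p == h


def covering_entry(hostname: str, san_entries: Iterable[str]) -> Optional[str]:
    """Return the first SAN entry that covers hostname, or None if none does."""
    for entry in san_entries:
        if name_matches(entry, hostname):
            return entry
    return None


# Constructed SAN list, mirroring the article's multi-domain wildcard example.
WILDCARD_SAN = ["*.domain.com", "*.blog.domain.com", "*.preview.domain.com",
                "*.project1.preview.domain.com", "*.project2.preview.domain.com"]

# Constructed SAN list, mirroring the article's multi-domain (UCC) example.
MULTI_DOMAIN_SAN = ["www.domain.com", "www.domain2.com", "secure.domain.com",
                    "www.domain.org", "mail.domain.com.net", "dev.domain2.org"]

if __name__ == "__main__":
    for host in ["www.domain.com", "api.preview.domain.com",
                 "a.b.preview.domain.com", "domain.com"]:
        print(f"{host:28} covered by: {covering_entry(host, WILDCARD_SAN)}")
```

Note that a.b.preview.domain.com and the bare domain.com are covered by none of the wildcard entries; a deployment that needs them must list them (or a matching wildcard level) explicitly.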

Deepak Singh

Sales Eng., Consultant, Solutions Architect, Analyst, Hobbyist Coder. 2 Masters — MBA Georgia Tech, MS Analytics. Interested in technology, business & strategy