
SSL/TLS Certificate Types

Networking Intermediate
debt(d7/e3/b3/t5)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). Tools like certbot, ssllabs, ssl-cert-check, and datadog can detect expiry and misconfigurations, but choosing the wrong certificate type (e.g. EV over DV, missing HSTS, wildcard scope misunderstanding) is not automatically flagged — it requires deliberate configuration review or a runtime failure (e.g. cert expiry causing outage, CURLOPT_SSL_VERIFYPEER disabled silently).

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix points to migrating to Let's Encrypt with automated renewal — a pattern replacement that may touch server configs and deployment scripts within one component/service but is not cross-cutting. Fixing manual renewal or adding HSTS is similarly a small, localised change.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to is web contexts only, and the choice of certificate type primarily affects a specific service's TLS configuration. While expiry monitoring and renewal automation must be maintained, the burden is confined to infrastructure/ops for that service and doesn't reshape the broader codebase.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap (a documented gotcha most devs eventually learn)' (t5). The misconception field explicitly calls out that EV certificates are widely believed to provide better security when they do not — browsers no longer visually distinguish them, and the encryption is identical to DV. Additionally, wildcard cert scope (*.example.com not covering sub.sub.example.com) is a well-documented but commonly encountered gotcha.


Also Known As

  • DV certificate
  • EV certificate
  • wildcard certificate
  • Let's Encrypt

TL;DR

DV (automated domain validation), OV (organisation verified), EV (the green bar browsers no longer show), Wildcard — Let's Encrypt provides free DV certificates with automated 90-day renewal.

Explanation

  • DV: the CA verifies control of the domain via a DNS or HTTP file challenge; issued in minutes; Let's Encrypt is the standard issuer.
  • OV: the CA verifies that the organisation is real; takes 1-3 days.
  • EV: rigorous identity verification; browsers removed the green bar in 2019.
  • Wildcard (*.example.com): covers all first-level subdomains, but not nested ones such as sub.sub.example.com.
  • Certbot automates the 90-day renewal cycle via the ACME protocol.

Common Misconception

"EV certificates provide significantly better security than DV." In fact both use identical encryption; the only difference is identity validation, which browsers no longer visually distinguish, so DV with HSTS is sufficient for most uses.

Why It Matters

Paying for OV/EV when Let's Encrypt DV is sufficient wastes money — understanding types enables choosing the right option for the security requirement.

Common Mistakes

  • Manual certificate renewal — expires and causes downtime
  • Wildcard cert scope — *.example.com does not cover sub.sub.example.com
  • Private key not stored securely
  • No HSTS header — allows downgrade attacks

Code Examples

✗ Vulnerable
# Manual certificate management — expires, causes downtime:
# Install cert manually every 12 months
# Cert expires: users see 'Your connection is not private'
# Fix: scramble to renew, 2-4 hours downtime
✓ Fixed
# Let's Encrypt with automatic renewal (obtains the cert and configures nginx):
sudo certbot --nginx -d example.com -d www.example.com
# The certbot package installs a systemd timer or cron job that runs
# `certbot renew` and renews any certificate within 30 days of expiry

# Once HTTPS is confirmed working, send the HSTS header on HTTPS responses:
# Strict-Transport-Security: max-age=31536000; includeSubDomains
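The two gotchas above, wildcard scope and the 30-day renewal window, in Python as an added example that is not part of this glossary entry. The matcher follows the browser rules from RFC 6125 (a wildcard is honoured only as the entire leftmost label and matches exactly one label); the SAN list and dates are constructed.

```python
"""Wildcard-scope and expiry checks for TLS certificates (constructed example)."""
from datetime import datetime, timezone
from typing import Iterable, Optional

RENEW_BEFORE_DAYS = 30  # certbot's default renewal window


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName entry covers hostname.

    Browser rules (RFC 6125 section 6.4.3): '*' counts only as the whole
    leftmost label and matches exactly one label, so '*.example.com' covers
    'www.example.com' but neither 'example.com' nor 'sub.sub.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, appear nowhere else, and the
    # pattern must keep at least two literal labels (no '*.com' style patterns).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False  # exactly one label: rejects nested subdomains and the bare domain
    return h_labels[1:] == p_labels[1:]


def covered_by(san_names: Iterable[str], hostname: str) -> bool:
    """True if any name in the certificate's SAN list covers hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


def renewal_status(not_after: datetime, now: Optional[datetime] = None) -> dict:
    """Days left on a certificate and whether the renewal job should already be acting."""
    now = now or datetime.now(timezone.utc)
    days_left = (not_after - now).total_seconds() / 86400
    return {
        "days_left": int(days_left),
        "expired": days_left <= 0,
        "renew_now": days_left <= RENEW_BEFORE_DAYS,
    }


if __name__ == "__main__":
    san = ["example.com", "*.example.com"]  # constructed SAN list
    for host in ("www.example.com", "sub.sub.example.com"):
        print(host, "covered" if covered_by(san, host) else "NOT covered")
```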

Added 16 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
Use Let's Encrypt for automated, free DV certificates; a wildcard *.example.com covers first-level subdomains only (not sub.sub.example.com); always automate renewal, because manual certificate management causes outages.
📦 Applies To
any web
🔍 Detection Hints
Self-signed certificate in production; certificate expiry not monitored; no auto-renewal configured; CURLOPT_SSL_VERIFYPEER disabled to work around certificate errors
Auto-detectable: ✓ Yes (certbot, ssllabs, ssl-cert-check, datadog)
🤖 AI Agent
Confidence: Medium False Positives: Low ✗ Manual fix Fix: Medium Context: File
CWE-295 (Improper Certificate Validation)