{
    "slug": "ssl_certificate_types",
    "term": "SSL/TLS Certificate Types",
    "category": "networking",
    "difficulty": "intermediate",
    "short": "DV (automated domain validation), OV (organisation verified), EV (extended validation; green bar removed by browsers), Wildcard — Let's Encrypt provides free DV certificates valid for 90 days, with automated renewal.",
    "long": "DV: CA verifies domain control via DNS or file challenge; issued in minutes; Let's Encrypt is the standard. OV: CA verifies the organisation is real; 1-3 days. EV: rigorous identity verification; browsers removed the green bar in 2019. Wildcard (*.example.com) covers all first-level subdomains, but not deeper levels such as sub.sub.example.com. Certbot automates renewal of the 90-day certificates via the ACME protocol.",
    "aliases": [
        "DV certificate",
        "EV certificate",
        "wildcard certificate",
        "Let's Encrypt"
    ],
    "tags": [
        "networking",
        "security",
        "tls"
    ],
    "misconception": "EV certificates provide significantly better security than DV — both use identical encryption; the difference is identity validation which browsers no longer visually distinguish; DV with HSTS is sufficient for most uses.",
    "why_it_matters": "Paying for OV/EV when Let's Encrypt DV is sufficient wastes money — understanding types enables choosing the right option for the security requirement.",
    "common_mistakes": [
        "Manual certificate renewal — expires and causes downtime",
        "Wildcard cert scope — *.example.com does not cover sub.sub.example.com",
        "Private key not stored securely",
        "No HSTS header — allows downgrade attacks from HTTPS to plain HTTP"
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "tls_handshake",
        "encryption_in_transit",
        "certificate_transparency"
    ],
    "prerequisites": [
        "hsts",
        "certificate_transparency",
        "tls_handshake"
    ],
    "refs": [
        "https://letsencrypt.org/docs/certificate-compatibility/"
    ],
    "bad_code": "# Manual certificate management — expires, causes downtime:\n# Install cert manually every 12 months\n# Cert expires: users see 'Your connection is not private'\n# Fix: scramble to renew, 2-4 hours downtime",
    "good_code": "# Let's Encrypt with automatic renewal:\nsudo certbot --nginx -d example.com -d www.example.com\n# Cron auto-renews 30 days before expiry\n\n# HSTS header after cert is working:\n# includeSubDomains applies to every subdomain, so add it only once all of them serve HTTPS\n# Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "quick_fix": "Use Let's Encrypt for automated free DV certificates; a wildcard *.example.com covers first-level subdomains only, not sub.sub.example.com; always automate renewal — manual certificate management causes outages",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/ssl_certificate_types",
        "html_url": "https://codeclaritylab.com/glossary/ssl_certificate_types",
        "json_url": "https://codeclaritylab.com/glossary/ssl_certificate_types.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[SSL/TLS Certificate Types](https://codeclaritylab.com/glossary/ssl_certificate_types) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/ssl_certificate_types"
            }
        }
    }
}