SSL Certificate Types for Marketing Agencies: DV, OV, EV, Wildcard, and SAN Explained
Agencies managing client websites encounter SSL certificates issued by different authorities, covering different scopes, and validated to different standards. Most of the time this runs silently in the background. It becomes relevant when a client asks why their certificate costs £200 when a competitor got one for free, when a new site launch requires a certificate decision, or when an expiring certificate needs to be replaced and the replacement needs to match what was there before.
Understanding the certificate types in practical terms — not the CA/Browser Forum specification, but what each type means for an agency managing real client sites — helps agencies answer client questions accurately, make appropriate hosting recommendations, and understand their monitoring obligations.
Domain Validation (DV) Certificates
DV certificates verify one thing: that the applicant controls the domain. The certificate authority checks control via a DNS record, an HTTP file placed at a specific path, or an email to an address associated with the domain. No company name, address, or legal existence is verified. The certificate is issued automatically, typically within minutes.
What they provide. HTTPS encryption and the browser padlock. From the user's perspective, all modern browsers treat HTTPS connections the same regardless of certificate type — there is no visible indicator that distinguishes a DV certificate from an OV certificate in the browser bar.
What they do not provide. Any assertion about who operates the site. The certificate says the domain is controlled by the applicant. It says nothing about the organisation.
Which clients they suit. Informational business sites, blogs, marketing landing pages, portfolio sites — any site where the primary requirement is encrypted transmission rather than identity assurance. The majority of agency-managed marketing sites run on DV certificates without issue.
Common issuers. Let's Encrypt (free, 90-day validity, automated renewal), Sectigo, DigiCert, Comodo. Let's Encrypt dominates for managed hosting environments where auto-renewal is configured correctly.
Agency note. Let's Encrypt DV certificates renew every 90 days. Automated renewal works reliably in most environments, but it fails when DNS changes, hosting migrations, or server configuration changes break the renewal mechanism. The short validity window means a failed renewal surfaces quickly — but "quickly" can still mean a client site going down if the failure is not caught by monitoring.
Organisation Validation (OV) Certificates
OV certificates verify domain control plus the legal existence of the organisation. The certificate authority validates the company name, registered address, and phone number against public records (Companies House in the UK, state business registries in the US, or equivalent). A human at the CA reviews the application.
What they provide. HTTPS encryption plus an assertion in the certificate that the named organisation exists and has been verified. This information is visible in the certificate details (the padlock → Connection is secure → Certificate is valid), though it is not displayed in the browser bar itself.
What they suit. Business sites where organisational credibility matters — professional services firms, B2B platforms, e-commerce sites where the company identity in the certificate provides additional assurance. Clients who have previously experienced brand impersonation, or who operate in sectors where trust signals matter more, often request OV.
Issuance timeline. 1–3 business days. OV is not instant. Factor this into project timelines whenever a new site launch or certificate replacement involves an OV certificate.
Cost. Typically £55–£240 ($70–$300) per year depending on the CA and any reseller pricing.
Agency note. OV certificates are worth recommending to clients in professional services, legal, financial, or healthcare-adjacent sectors where the organisation's credibility is part of the value proposition. For a standard SME marketing site, DV is sufficient.
Extended Validation (EV) Certificates
EV certificates represent the highest validation tier. In addition to domain control and legal existence, the CA requires confirmation of the organisation's physical address, verification of the certificate applicant's identity and authorisation, and in some cases a phone verification call to the organisation's publicly listed number.
What they historically provided. The "green bar" — browsers displayed the company name in the address bar alongside the padlock. This visual indicator was removed by Chrome and Firefox in 2019. Safari followed. In all major modern browsers, EV certificates display identically to OV certificates from a visual standpoint; the additional validation information is visible only in the certificate details.
What they currently provide. The same HTTPS encryption as DV and OV, with the most rigorous identity validation. The certificate itself contains the legal entity name and jurisdiction of incorporation. For some clients and some sectors, the validation process itself — and the ability to reference it in compliance documentation — has value even without the browser display advantage.
Which clients need them. Financial services firms with contractual requirements for EV, organisations subject to specific compliance frameworks that mandate it, and clients who specifically request EV for their own reasons. For standard marketing sites, EV is unnecessary.
Issuance timeline. 3–5 business days. Plan accordingly.
Cost. £120–£480 ($150–$600) per year. Significantly more expensive than OV, with no browser display advantage in modern environments.
Agency note. Recommend EV only when the client has a specific compliance or contractual reason that requires it. The additional cost and issuance time are not justified for most marketing agency clients based on visual differentiation — that differentiation is gone in modern browsers.
Wildcard Certificates
A wildcard certificate covers all single-level subdomains of a primary domain. The format is *.client.com, which covers www.client.com, shop.client.com, api.client.com, staging.client.com, and any other single-level subdomain.
What they cover. All subdomains at the first level beneath the registered domain. One certificate renewal covers all of them.
What they do not cover. The root domain itself (client.com without www) unless the certificate explicitly includes it as a SAN entry. Subdomains of subdomains (app.api.client.com) — a wildcard at *.client.com level does not cover these. If you need to cover app.api.client.com, you need a separate wildcard at *.api.client.com or a SAN certificate that explicitly lists it.
When to recommend them. Clients with multiple subdomains managed in the same hosting environment — e.g., a main site, a shop, a client portal, and a staging environment. Wildcard certificates reduce the number of individual certificates to manage and renew.
Agency note. A wildcard certificate means a single expiry event takes down all covered subdomains simultaneously. This makes the wildcard renewal one of the highest-priority items in the monitoring calendar. A missed renewal on an individual domain certificate affects one subdomain. A missed renewal on a wildcard affects everything under it. Monitor wildcard renewals with the same attention you would give a primary domain.
SAN (Subject Alternative Name) / Multi-Domain Certificates
A SAN certificate lists multiple specific domains in the certificate itself. A single certificate might cover client.com, client.co.uk, client.store, and www.client.com — all explicitly named in the SAN list.
When agencies use them. Clients with multiple TLDs pointing to the same site (international domains, brand protection registrations), clients with domain aliases that serve real traffic, and hosting environments that group multiple distinct sites under a single certificate for operational convenience.
The key constraint. Adding or removing a domain from a SAN certificate requires issuing a new certificate — not a renewal of the existing one. If a client acquires a new domain and wants it added to an existing SAN certificate, the certificate must be reissued, which means going through the validation process again and replacing the existing certificate on the server.
Agency note. SAN certificates require accurate domain inventory management. Agencies that manage SAN certificates need to know exactly which domains are covered and track those domains against the certificate, not just track the certificate itself. When a SAN certificate expires, all covered domains lose HTTPS simultaneously — the blast radius is the same as with wildcards.
What Agencies Should Monitor Regardless of Certificate Type
Certificate type determines validation level and coverage scope. It does not change the monitoring requirements.
Every certificate in a client portfolio — whether it is a free Let's Encrypt DV certificate or an OV wildcard — requires the same monitoring attention:
- Expiry date. Alert at 60, 30, and 7 days. Do not rely on the CA's own expiry notifications; they often go to an inbox no one monitors regularly.
- Chain validity. The end-entity certificate must chain correctly to a trusted root. Incomplete chains cause connection errors in specific browsers and environments.
- Domain coverage. The certificate must cover the exact domain currently serving traffic. A certificate for www.client.com does not cover client.com unless the root is explicitly included. A certificate for *.client.com does not cover shop.api.client.com. Mismatches between the certificate coverage and the traffic routing are a common source of SSL errors after migrations.
- Auto-renewal status. For Let's Encrypt certificates, confirm that automated renewal is functioning — not just configured. A misconfigured renewal job silently fails until the certificate expires.
Certificate type is a client decision and a compliance question. Monitoring is an operational requirement that applies uniformly across all types.
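The expiry and domain-coverage checks from the list above, written out as an added example (not code from the original article). The inventory records, their labels and the fixed `NOW` date are constructed for illustration; in practice the SAN list and expiry date would be read from the certificate each host actually serves.

```python
from datetime import datetime, timedelta, timezone

ALERT_DAYS = (60, 30, 7)  # alert thresholds from the expiry bullet above

def name_covers(san, host):
    """True if one SAN entry covers host. A wildcard stands in for exactly
    one leftmost label, so it never matches the bare root or a deeper name."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # "*.client.com" -> ".client.com"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]           # what the "*" would have to match
    return bool(label) and "." not in label

def expiry_tier(not_after, now):
    """Return "expired", the tightest threshold reached (7, 30 or 60), or None."""
    if not_after <= now:
        return "expired"
    days_left = (not_after - now).days
    reached = [d for d in ALERT_DAYS if days_left <= d]
    return min(reached) if reached else None

def audit(inventory, now):
    """List (certificate label, finding) pairs for expiry and coverage gaps."""
    findings = []
    for cert in inventory:
        tier = expiry_tier(cert["not_after"], now)
        if tier is not None:
            findings.append((cert["label"], f"expiry:{tier}"))
        for host in cert["hosts"]:        # hosts that actually serve traffic
            if not any(name_covers(s, host) for s in cert["sans"]):
                findings.append((cert["label"], f"uncovered:{host}"))
    return findings

# Constructed sample data: a fixed clock and two hypothetical inventory records.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"label": "wildcard", "sans": ["*.client.com"], "not_after": NOW + timedelta(days=20),
     "hosts": ["www.client.com", "client.com", "shop.api.client.com"]},
    {"label": "multi-domain", "sans": ["client.com", "www.client.com", "client.co.uk"],
     "not_after": NOW + timedelta(days=151), "hosts": ["client.com", "client.co.uk"]},
]

if __name__ == "__main__":
    for label, finding in audit(INVENTORY, NOW):
        print(label, finding)
```

The wildcard record is flagged three times: once for the 30-day expiry tier and once each for the root and the two-level subdomain it does not cover. The multi-domain record produces no findings.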