Wednesday, August 8, 2018

SSL certificate types

SSL certificates are usually categorized along two dimensions.

By validation level, there are three types of SSL certificate available today:
  1. Extended Validation (EV SSL)
  2. Organization Validated (OV SSL)
  3. Domain Validated (DV SSL)
By domain name coverage, there are also three types of SSL certificate available today:
  1. Single-name (valid for only a single domain)
  2. Wildcard (valid for all subdomains)
  3. Multi-name (valid for multiple domains/subdomains, called a SAN or UC certificate)
You can have a wildcard cert * which is valid for all subdomains.
You can have a single-name cert which is only valid for this host
You can have a multi-name cert; this is called a SAN (Subject Alternative Name) certificate. These are often called "UC certificates" as well.

For example:

When a wildcard SSL certificate is issued for *, you can secure an unlimited number of subdomains of the main domain.

If the Wildcard SSL certificate is issued on *, in that case you can secure all second level subdomains which are listed under the

If you want to secure a limited number of different domains and second-level domains, you can choose a multi-domain SSL certificate, which can secure up to 100 domain names with a single certificate.


You may be wondering what the technical difference is between these types. It all comes down to the Subject Alternative Name (SAN) field that is embedded in the certificate when it’s issued.
When a certificate only has one SAN field and it contains a reference to a single website, then it’s a single-domain certificate.
If that one SAN field contains an asterisk in the website name (e.g. * then it’s a wildcard certificate.
If the certificate has many SAN fields, then it’s a multi-domain certificate. Multi-domain certificates sometimes have 100 or more SAN fields (with a performance penalty), and some or all of these fields may contain wildcards, creating a hybrid “multi-domain wildcard” certificate.
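
The SAN-based distinction above can be checked in code. This is an added example, not part of the original post: it classifies a certificate from its SAN entries and, going one step further, shows which hostnames a wildcard entry covers (one label only, so the bare domain and deeper subdomains are not matched). The certificates are constructed in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and all `example.*` names are placeholders.

```python
# Added example: constructed certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); all example.* names are placeholders.

def dns_sans(cert):
    """Return the lower-cased DNS names from the subjectAltName entries."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def classify(cert):
    """Name the certificate type from the number and form of its SAN entries."""
    names = dns_sans(cert)
    if not names:
        return "no DNS SAN"
    has_wildcard = any(n.startswith("*.") for n in names)
    if len(names) == 1:
        return "wildcard" if has_wildcard else "single-name"
    return "multi-domain wildcard" if has_wildcard else "multi-name"

def san_matches(pattern, host):
    """Match one SAN entry; '*' stands for exactly one left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*' never spans several labels, nor zero labels
    if p[0] == "*":
        # Assumption: refuse wildcards directly under a TLD such as '*.com'.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def covers(cert, host):
    """True if any DNS SAN entry in the certificate matches the host."""
    return any(san_matches(n, host) for n in dns_sans(cert))

SINGLE = {"subjectAltName": (("DNS", "www.example.com"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}
MULTI = {"subjectAltName": (("DNS", "example.com"), ("DNS", "example.net"))}
HYBRID = {"subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org"))}

if __name__ == "__main__":
    for label, cert in (("SINGLE", SINGLE), ("WILDCARD", WILDCARD),
                        ("MULTI", MULTI), ("HYBRID", HYBRID)):
        print(label, "->", classify(cert))
    for host in ("shop.example.com", "example.com", "a.b.example.com"):
        print(host, "covered by WILDCARD:", covers(WILDCARD, host))
```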


1 comment:

  1. openssl s_client -connect -showcerts
    openssl s_client -host -port 443