"Certificate type" means two different things: how much the CA validates, and how many domains the certificate covers. Here is the full picture — and when each type is the right choice.
Two ways to classify certificates
When people say "certificate type" they mean either the validation level (what the CA checked) or the coverage (how many names the certificate applies to). The two axes are independent: a certificate has one validation level and one coverage type. You can decode a certificate to see both at a glance.
By validation: DV, OV, EV
- DV — domain control only. Fast, free, automatable.
- OV — domain + verified organisation.
- EV — thorough legal vetting (but no visible browser badge any more).
The full trade-off is covered in DV vs OV vs EV.
By coverage: single, wildcard, SAN
- Single-domain — one domain, e.g.
example.com. - Wildcard — all subdomains at one level, e.g.
*.example.com. - SAN / multi-domain — several named domains in one certificate.
When to choose which — and the security trade-off — is the subject of single-domain vs wildcard vs SAN.
Other certificate types
- Self-signed — issued by yourself, not trusted externally; for internal testing only.
- Client / mTLS — authenticates the client to the server, not the other way around.
- Code / document signing — signs software or documents, not web traffic.
When to use which?
Most websites: DV + single-domain or SAN. Many uniform subdomains: DV wildcard. Tender requirements for company verification: OV. And whatever the type: keep an eye on when they expire.
How CertControl helps
CertControl records both the validation level and coverage for every certificate, so you can see exactly which types you have in production — and get warned before any of them expire.
Frequently asked questions
How many types of SSL certificates are there?
They are classified on two axes: validation (DV, OV, EV) and coverage (single-domain, wildcard, SAN). Plus self-signed, client/mTLS and signing certificates.
Which certificate type should I use for a website?
For most websites a DV certificate (single-domain or SAN) is the right choice. Wildcard if you have many uniform subdomains.
What is a self-signed certificate?
A certificate you issue yourself. It is not trusted by browsers and should only be used for internal testing, never in production.