SSL certificates are not all the same. The type you use affects what is verified, what the browser shows users, and how automated your renewal process can be. Here is a clear breakdown.
The three validation levels
Domain Validation (DV)
DV certificates verify that whoever requested the certificate controls the domain. This is done via email, DNS record, or HTTP file challenge.
- Issued in minutes
- No business identity verification
- Shows a padlock in the browser, no org name
- Free via Let’s Encrypt, automatically renewed
DV is appropriate for: any WordPress site, blog, internal tool, staging environment.
Organization Validation (OV)
OV certificates verify domain control AND the legal identity of the organization (name, city, country). Certificate authorities manually review documents.
- Issued in 1–3 business days
- Browser shows padlock + org name in certificate details
- Requires annual renewal with revalidation
- Not free
OV is appropriate for: e-commerce, sites handling login credentials where users might check certificate details.
Extended Validation (EV)
EV requires the most rigorous verification: domain control, legal identity, physical existence, and phone number verification. The CA calls a listed phone number for the organization.
- Issued in 5–10 business days
- Used to trigger the green address bar in older browsers (now largely cosmetic — Chromium removed the green bar in 2019)
- Expensive, requires annual revalidation
EV is appropriate for: large financial institutions, sites where the visible org name matters for trust. Most sites do not need it.
Wildcard certificates
A wildcard certificate covers one level of subdomain: *.example.com covers www.example.com, api.example.com and staging.example.com, but not a name two levels down such as deep.api.example.com.
- Single certificate for many subdomains
- One renewal to manage
- Free via Let’s Encrypt (wildcard issuance requires DNS challenge)
- Private key is shared across all subdomains — if one is compromised, all are
Multi-domain certificates (SAN)
Subject Alternative Name (SAN) certificates cover multiple distinct domain names in one certificate: example.com, example.net, shop.example.com.
- One certificate, multiple domains
- Easier to manage than individual certificates per domain
- Available as DV or OV
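To see the wildcard and SAN rules above side by side, here is an added example (not code from the original article) that checks which hostnames a certificate's SAN list covers. The function names and the sample SAN list are assumptions made up for illustration, and the public-suffix handling is simplified as noted in the comments.

```python
"""Added example: which hostnames does a certificate's SAN list cover?"""


def _labels(name):
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def pattern_covers(pattern, hostname):
    """Return True if one SAN dNSName entry covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard stands for exactly one label, so the label counts must
    # match, and empty labels (".example.com") are never valid.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Simplification: require at least two labels after the wildcard so
        # "*.com" is rejected. Real clients consult the public suffix list.
        return len(p) >= 3 and p[1:] == h[1:]
    # Anything else, including partial wildcards such as "w*.example.com",
    # is compared literally here.
    return p == h


def coverage(san_list, hostnames):
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {
        h: next((s for s in san_list if pattern_covers(s, h)), None)
        for h in hostnames
    }


# Constructed sample data: one certificate with a wildcard plus two SAN names.
SAMPLE_SAN = ["example.com", "*.example.com", "example.net"]
SAMPLE_HOSTS = [
    "example.com",           # apex: needs its own SAN entry
    "www.example.com",       # one label below the wildcard
    "deep.api.example.com",  # two labels below: not covered
    "www.example.net",       # example.net is listed, its subdomains are not
    "EXAMPLE.NET",           # matching ignores case
]

if __name__ == "__main__":
    for host, entry in coverage(SAMPLE_SAN, SAMPLE_HOSTS).items():
        print(f"{host:24} {'covered by ' + entry if entry else 'NOT covered'}")
```

Note that a certificate containing only *.example.com does not cover the bare example.com, which is why the apex is listed as a separate SAN entry in the sample.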
Let’s Encrypt: the practical default
Let’s Encrypt issues free DV certificates valid for 90 days. Most hosting providers automate the renewal process so it is invisible.
```bash
# Check certificate expiry with OpenSSL
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
```
For most WordPress sites, a Let’s Encrypt DV certificate with auto-renewal is the correct choice. Do not pay for a basic DV certificate.
When you actually need to pay for a certificate
| Situation | Certificate type |
|---|---|
| WordPress site, blog, portfolio | Let’s Encrypt DV (free) |
| Multiple domains on the same certificate | Let’s Encrypt multi-domain DV (free) |
| WooCommerce shop | Let’s Encrypt DV (free) |
| Enterprise portal, users check cert details | OV |
| Very large e-commerce with brand assurance concern | EV |
| Many subdomains, want one renewal | Wildcard DV via Let’s Encrypt |
| EU government or regulated industry | OV or EV, depending on requirements |
Certificate chains and intermediates
What your server presents is not a single certificate but a chain:
- Your server certificate (your domain)
- Intermediate certificate(s) (signed by the CA)
- Root certificate (stored in the browser/OS)
If the intermediate certificates are not correctly installed on your server, browsers show errors even though your certificate is valid.
Test your certificate chain:
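```bash
# Print every certificate the server sends (leaf first, then intermediates).
# -servername sets SNI; </dev/null closes the session instead of waiting for input.
openssl s_client -servername example.com -connect example.com:443 -showcerts </dev/null
```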
Or use ssllabs.com/ssltest for a full analysis.
Mixed content after switching to HTTPS
After enabling HTTPS, you may see “mixed content” warnings — some resources (images, scripts, CSS) are still loading over HTTP.
Fix with WP-CLI:
```bash
# Rewrite stored http:// URLs to https://, including inside serialized data
wp search-replace 'http://example.com' 'https://example.com' --precise --recurse-objects
```
Or use a plugin like Better Search Replace. Do this after the SSL certificate is correctly installed, not before.