team@tinypod.app

SSL/TLS Certificate Types Explained for Self-Hosters

DV, OV, EV, wildcard, SAN — SSL certificate types can be confusing. Here's what self-hosters need to know.

Tags: ssl, tls, certificates, security

Certificate Validation Levels

Domain Validation (DV)

Proves you control the domain. No identity verification.

  • Let's Encrypt certificates are DV
  • Good for: everything. Seriously, DV is fine for 99% of uses.
  • Cost: free (Let's Encrypt) to $10/year

Organization Validation (OV)

Verifies your organization exists. The certificate includes the organization name.

  • Same encryption as DV
  • Added trust: shows the verified organization in the certificate details
  • Cost: $50-200/year
  • Use for: when customers check certificate details (rare)

Extended Validation (EV)

Extensive verification of the organization. Browsers used to show a green address bar for EV certificates; they no longer do.

  • Same encryption as DV and OV
  • Most expensive, least practical benefit
  • Cost: $100-500/year
  • Use for: almost never. The green bar is gone.

Certificate Scope

Single Domain

Covers exactly one domain name: example.com

Does NOT cover: www.example.com (that's a different name)

Wildcard

Covers all direct subdomains of a domain: *.example.com

  • Covers: app.example.com, api.example.com, anything.example.com
  • Does NOT cover: example.com itself (it needs its own certificate or a SAN entry)
  • Does NOT cover: sub.sub.example.com (the wildcard matches only one label)

SAN (Subject Alternative Name)

One certificate that lists several specific domain names.

  • Covers: example.com, www.example.com, app.example.com
  • Let's Encrypt supports up to 100 SANs per certificate

For Self-Hosters

Just Use Let's Encrypt

Free DV certificates with automatic renewal. Let's Encrypt covers:

  • Single domains
  • Wildcard domains (via the DNS challenge)
  • SANs

Caddy Makes It Easy

Caddy automatically obtains and renews Let's Encrypt certificates. Zero configuration.

Wildcard for Self-Hosting

If you run many subdomains (app1.example.com, app2.example.com), a wildcard certificate is convenient. But individual certificates per subdomain work just as well.


Common Issues

Certificate Not Trusted

Usually means the certificate chain is incomplete. Ensure your server sends the full chain (your certificate plus the intermediate).

Certificate Expired

Let's Encrypt certs last 90 days. Auto-renewal should handle this. If it fails, check that port 80 is open and that DNS points to your server.
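The scope rules from the Certificate Scope section and the two failure modes above (incomplete chain, expiry) are easiest to understand by building a throwaway PKI and asking openssl what it accepts. The script below is an added example, not code from the original post; it assumes only a POSIX shell and the `openssl` command-line tool. The CA names, files and keys are constructed for the demo, example.com is a reserved name, and nothing touches the network.

```shell
#!/bin/sh
# Added example, not code from the original post: a throwaway PKI built with
# openssl to show which hostnames a wildcard or SAN certificate covers, why a
# missing intermediate makes a certificate "not trusted", and how to check
# expiry ahead of time. Every name, file and key here is constructed for the
# demo; example.com is a reserved name and nothing contacts the network.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# issue NAME SUBJECT ISSUER EXTENSIONS
#   Writes NAME.key and NAME.pem (valid for 1 day). ISSUER is "self" for a
#   root, otherwise the NAME of the signing CA. EXTENSIONS is the body of an
#   openssl extension file. Two-step req/x509 keeps this working on 1.1.x.
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  printf '%s\n' "$4" > "$1.ext"
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

issue root  "/CN=Demo Root CA"         self "$CA_EXT"
issue inter "/CN=Demo Intermediate CA" root "$CA_EXT"
# A leaf with a single wildcard SAN, and a leaf listing three names as SANs.
issue wild "/CN=*.example.com" inter 'subjectAltName=DNS:*.example.com'
issue san  "/CN=example.com"   inter \
  'subjectAltName=DNS:example.com,DNS:www.example.com,DNS:app.example.com'

# covers CERT HOSTNAME -> "match" or "no-match", using the complete chain.
covers() {
  if openssl verify -CAfile root.pem -untrusted inter.pem \
       -verify_hostname "$2" "$1.pem" >/dev/null 2>&1; then
    echo match
  else
    echo no-match
  fi
}

# chain_ok CERT yes|no -> "trusted" or "untrusted". The second argument stands
# for whether the server also sends the intermediate (the -untrusted file).
chain_ok() {
  if [ "$2" = yes ]; then
    openssl verify -CAfile root.pem -untrusted inter.pem "$1.pem" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  else
    openssl verify -CAfile root.pem "$1.pem" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  fi
}

# expires_within DAYS CERT -> "yes" if the certificate expires within DAYS.
# This is the check a renewal cron job should run well before the 90-day mark.
expires_within() {
  if openssl x509 -checkend "$(( $1 * 86400 ))" -noout -in "$2.pem" >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

for h in app.example.com example.com sub.sub.example.com; do
  printf 'wildcard cert vs %-20s %s\n' "$h" "$(covers wild "$h")"
done
for h in example.com www.example.com api.example.com; do
  printf 'SAN cert vs      %-20s %s\n' "$h" "$(covers san "$h")"
done
printf 'leaf only:              %s\n' "$(chain_ok wild no)"
printf 'leaf + intermediate:    %s\n' "$(chain_ok wild yes)"
printf 'expires within 30 days: %s\n' "$(expires_within 30 wild)"
# What a server must send is the leaf followed by the intermediate:
cat wild.pem inter.pem > fullchain.pem
```

The `chain_ok wild no` case reproduces the "certificate not trusted" symptom: the leaf is perfectly valid, but a client holding only the root cannot link the two without the intermediate, so the fix is always to serve the leaf-plus-intermediate bundle (the `fullchain.pem` written at the end), not to fiddle with the leaf. For a live server, `openssl s_client -connect host:443 -showcerts </dev/null` lists exactly which certificates it sends.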


Mixed Content

An HTTPS page loads HTTP resources, and the browser blocks them. Ensure all URLs use HTTPS.

Self-Signed Certificates

Never use them in production. Self-signed certs trigger browser warnings and provide no verified identity. Use them only for internal/development purposes.