
A domain validated certificate (DV) is an X.509 public key certificate typically used for Transport Layer Security (TLS) where the domain name of the applicant is validated by proving some control over a DNS domain. Domain validated certificates were first distributed by GeoTrust in 2002 before becoming a widely accepted method.


Issuing criteria

The sole criterion for a domain validated certificate is proof of control over the whois records, DNS records file, email or web hosting account of a domain. Typically control over a domain is determined using one of the following:

* Response to email sent to the email contact in the domain's whois details
* Response to email sent to a well-known administrative contact in the domain, e.g. (admin@, postmaster@, etc.)
* Publishing a DNS TXT record
* Publishing a nonce provided by an automated certificate issuing system

A domain validated certificate is distinct from an Extended Validation Certificate in that this is the only requirement for issuing the certificate. In particular, domain validated certificates do not assure that any particular legal entity is connected to the certificate, even if the domain name may imply a particular legal entity controls the domain.


User interface

As of 2020, the user interfaces of all major browsers display EV, OV and DV certificates identically, but provide options to query the type of certificate via multiple clicks.


Characteristics

As the low assurance requirements allow domain validated certificates to be issued quickly without requiring human intervention, domain validated certificates have a number of unique characteristics:

* Domain validated certificates are used in automated X.509 certificate issuing systems, such as Let's Encrypt.
* Domain validated certificates are often cheap or free.
* Domain validated certificates can be generated and validated without any documentation.
* Most domain validated certificates can be issued instantly (in less than a minute) via special tools which automate the issuing process.


See also

* Let's Encrypt

