A domain validated certificate (DV) is an X.509 digital certificate typically used for Transport Layer Security (TLS) where the domain name of the applicant has been validated by proving some control over a DNS domain.
The sole criterion for a domain validated certificate is proof of control over whois records, DNS records file, email or web hosting account of a domain. Typically control over a domain is determined using one of the following:
- Response to email sent to the email contact in the domain's whois details
- Response to email sent to a well-known administrative contact in the domain, e.g. (admin@, postmaster@, etc.)
- Publishing a DNS TXT record
- Publishing a nonce provided by an automated certificate issuing system
A domain validated certificate is distinct from an Extended Validation Certificate in that this is the only requirement for issuing the certificate. In particular, domain validated certificates do not assure that any particular legal entity is connected to the certificate, even if the domain name may imply a particular legal entity controls the domain.
Most web browsers may show a lock (often in grey, rather than the green lock typically used for an Extended Validation Certificate) and a DNS domain name. A legal entity is never displayed, as domain validated certificates do not include a legal entity in their subject.
- Mozilla Firefox historically showed domain validated certificates with a grey lock, but was modified to show a green lock for DV connections after Mozilla launched Let's Encrypt (which only provides domain validated certificates).
- Safari shows domain validated certificates with a grey lock.
- Microsoft Edge displays domain validated certificates with a hollow grey lock.
- Chrome and Chromium display a green lock.
As the low assurance requirements allow domain validated certificates to be issued quickly without requiring human intervention, domain validated certificates have a number of unique characteristics:
- Domain validated certificates are used in automated X.509 certificate issuing systems.
- Domain validated certificates are often cheap or free.
- Domain validated certificates can be generated and validated without any documentation.
- Most of domain validated certificates can be issued instantly.
- "Domain Validated SSL? Why We Don't Offer It". www.digicert.com. Retrieved 2015-09-07.
- "Domain Validated SSL Certificates". www.sslshopper.com. Retrieved 2015-09-07.
- "Issuing Criteria of Domain Validated SSL Certificates (DV SSL)- SSL Retail". sslretail.com. Retrieved 2018-05-21.