Certificate Types

SSL-CLM supports the management of a wide variety of certificate types, from public trust to private internal PKI.

When dealing with public CAs (like DigiCert, Sectigo, GlobalSign), certificates are categorized by how thoroughly the “Subject” (you) has been vetted.

Domain Validation (DV)

  • Vetting: Minimal. Checks only that you control the domain name.
  • Method: Automated via HTTP file upload or DNS TXT record (see Validation Workflows).
  • Speed: Minutes.
  • Use Case: Blogs, testing environments, publicly accessible internal tools.
  • Support in SSL-CLM: Fully automated via ACME providers and some API integrations.

Organization Validation (OV)

  • Vetting: Moderate. Checks that your organization exists legally and you are authorized to act for it.
  • Method: Manual paperwork + automated domain check.
  • Speed: 1-3 Days.
  • Use Case: Corporate websites, customer portals, VPN endpoints.
  • Support in SSL-CLM: Supported. Usually requires a one-time vetting setup with the CA.

Extended Validation (EV)

  • Vetting: Strict. Requires extensive legal verification.
  • Method: Manual.
  • Speed: 3-7 Days.
  • Use Case: Banks, high-trust eCommerce.
  • Support in SSL-CLM: Supported, but issuance is slower due to CA processing time.

A single-domain certificate secures exactly one FQDN (e.g., www.example.com). It will not secure blog.example.com.

A wildcard certificate secures the domain and all first-level subdomains.

  • Example: *.google.com secures mail.google.com, drive.google.com.
  • Note: Does not secure nested subdomains (e.g., dev.mail.google.com).
  • Security Warning: If the private key of a wildcard cert is compromised, all subdomains are compromised.

Subject Alternative Name (SAN) certificates can secure multiple distinct domains in one file.

  • Example: One cert for example.com, example.net, and my-brand.co.uk.
  • Use Case: Shared hosting environments, Exchange servers.
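The coverage rules for single-domain, wildcard and SAN certificates can be checked against a host inventory, which also shows how many hosts share one private key. The sketch below is an added example, not SSL-CLM code; the function names and the inventory are constructed for illustration. The `*` label is matched against exactly one label, so the bare domain is listed here as its own SAN entry.

```python
def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot denotes the root and is dropped.
    return name.strip().rstrip(".").lower().split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # "*" stands for exactly one label, so *.google.com covers neither
        # dev.mail.google.com (too deep) nor the bare google.com.
        return False
    if p[0] == "*":
        # Simplified guard against entries like "*.com"; a production check
        # would also consult the Public Suffix List.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def covered_hosts(san_entries, inventory):
    """Inventory hostnames that one certificate (and its private key) covers."""
    return sorted(h for h in inventory
                  if any(san_matches(s, h) for s in san_entries))


# Constructed sample data using the hostnames from the text above.
INVENTORY = ["www.example.com", "blog.example.com", "example.net",
             "my-brand.co.uk", "google.com", "mail.google.com",
             "drive.google.com", "dev.mail.google.com"]
SINGLE = ["www.example.com"]
WILDCARD = ["*.google.com", "google.com"]  # bare domain listed as its own entry
MULTI_SAN = ["example.com", "example.net", "my-brand.co.uk"]

if __name__ == "__main__":
    for label, sans in [("single", SINGLE), ("wildcard", WILDCARD),
                        ("SAN", MULTI_SAN)]:
        print(label, "->", covered_hosts(sans, INVENTORY))
```

The list returned for a wildcard certificate is the set of hosts to re-key if that certificate's private key is compromised.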

These are certificates issued by your own internal CA (Microsoft CA, EJBCA). Public browsers do not trust them, but your employee devices do.

  • Client Certificates: Used for identifying users or devices (mTLS), not just servers.
  • Code Signing: Used to sign software executables.
  • S/MIME: Used for email encryption and signing.

SSL-CLM specializes in managing these private certificates at massive scale (1M+ certificates).