ACME automation for OV certificates has been available in Sectigo’s enterprise platform for several years. What changed in 2025-2026 is reseller availability at prices accessible to small and medium-sized businesses. SSL2BUY now offers Sectigo ACME OV at $90/year for a standard domain. The operational case for OV is now different from what it was in 2022 or 2023.
The historical reason many small businesses chose DV over OV was the renewal process: DV renewals automated via Let’s Encrypt or ACME while OV renewals required manually submitting organizational information to the CA. This is no longer a permanent barrier. With Sectigo ACME OV, organizational validation happens once at account setup and ACME handles all subsequent certificate issuance and renewal automatically.
How Sectigo ACME OV Actually Works
The critical difference between standard ACME DV and Sectigo ACME OV is the pre-validation step. DV ACME works without any account-level identity verification: the ACME client proves domain control on each request and the CA issues certificates immediately. OV adds a one-time organizational verification before any ACME certificate issuance can occur.
The ACME OV workflow:
- Step 1 (one-time): purchase the Sectigo ACME OV subscription from an authorized reseller. Complete organizational pre-validation: Sectigo verifies your legal entity name, registered address, and phone number via business registry, D&B, or phone callback. Sectigo assigns an Organization ID to the verified entity.
- Step 2 (one-time): receive External Account Binding (EAB) credentials (Key ID and HMAC key) linking your ACME client to your Sectigo OV account. Configure your ACME client with the Sectigo OV endpoint and your EAB credentials.
- Step 3 (automated): all certificate requests and renewals proceed via ACME without human interaction. The ACME client requests the certificate, proves domain control via HTTP-01 or DNS-01 challenge, and the certificate is issued using the Organization ID from the pre-validated entity. Each issued certificate includes the verified organization name in the Subject field.
- Annual re-verification: under CA/B Forum SC-081v3, organizational validation data (Subject Identity Information) expires after 398 days. Once per year, Sectigo will prompt for organizational re-verification. This is the only recurring manual step.
The organizational re-verification once per year is now required for all OV certificates regardless of ACME use, under SC-081v3’s 398-day SII reuse limit. An organization using standard manual OV renewal and an organization using Sectigo ACME OV both need to reverify their organizational data once per year. ACME OV eliminates the per-certificate renewal manual work; it does not eliminate the annual organizational data refresh, which affects all OV certificate holders equally.
How ACME OV Changes the DV vs OV Decision
Before ACME OV became available at SMB-accessible pricing, the comparison between DV and OV had a clear operational asymmetry:
| Dimension | DV (Let’s Encrypt/ACME) | OV (manual renewal) before ACME OV | OV (Sectigo ACME OV) 2025-2026 onward |
| Initial setup | Minutes: ACME client setup | Days: organizational validation | Days: one-time organizational pre-validation |
| Certificate renewal | Fully automated, no human action | Manual: submit org data, wait 1-3 days per renewal | Automated: ACME handles all renewals; annual org re-verification only |
| Annual renewals needed at 47-day validity (2029) | ~8 automated renewals/year | ~8 manual renewals/year (operationally unsustainable) | ~8 automated renewals/year + 1 annual org reverification |
| Organization name in certificate | No: DV shows only domain name | Yes: verified business name in Subject | Yes: verified business name in Subject |
| Phishing site protection | None: phishing sites get DV certs | Structural: 0% of phishing sites use OV (Zscaler 2024) | Structural: 0% of phishing sites use OV |
| CA site seal | No Sectigo site seal with Let’s Encrypt | Sectigo static site seal | Sectigo dynamic site seal |
| Cost | Free (Let’s Encrypt) | ~$49/year from Certera | ~$90/year from SSL2BUY |
| Warranty | None | $1,000,000 (Sectigo OV) | $1,000,000 (Sectigo OV) |
The previously decisive operational advantage of DV over OV (automated renewal vs manual) is now only a pricing difference. At 47-day validity in 2029, an OV certificate with ACME automation is operationally equivalent to a DV certificate with ACME automation in terms of renewal burden. The remaining difference is the annual organizational re-verification, which applies to all OV certificate holders under SC-081v3.
Why the 47-Day Validity Trajectory Makes ACME OV Relevant Now
At current 199-day certificate validity, the difference between automated and manual renewal is significant but manageable. An organization renewing 5 OV certificates manually 2-3 times per year is spending approximately 10-15 hours annually on certificate renewal administration.
At 47-day validity (effective March 2029), the same 5 certificates require approximately 39 renewals per year. Manual OV renewal at 39 events per year per 5 certificates , nearly 200 annual renewal events , is operationally infeasible for any organization without dedicated certificate management staff.
The organizations that should configure Sectigo ACME OV now rather than continuing with manual OV or switching to DV:
- Organizations with 5 or more OV certificates who are already seeing manual renewal friction at current validity periods
- Organizations that have been on DV specifically to avoid manual OV renewal but want verified business identity in their certificates
- SaaS platforms and development teams deploying OV certificates as part of CI/CD pipelines where manual certificate steps create deployment friction
- Any organization planning infrastructure for 2027-2029 where manual certificate management at 100-day or 47-day validity is not operationally sustainable
How to Configure Sectigo ACME OV
- Purchase a Sectigo ACME OV subscription from an authorized reseller. SSL2BUY currently lists Sectigo ACME OV at $90/year for a standard domain. Wildcard ACME OV pricing varies.
- Complete organizational pre-validation. This is the standard OV validation process: Sectigo verifies your legal entity name, registered address, and a publicly verifiable phone number (D&B, Google Business Profile, or state business registry). Timeline: 1-3 business days for standard validation. Update your D&B listing 48 hours before ordering to accelerate this step.
- Receive EAB credentials and Organization ID from Sectigo or your reseller. Store these securely; they authorize unlimited certificate issuance under your verified organization identity.
- Configure your ACME client with the Sectigo OV ACME endpoint:
# Certbot with Sectigo OV endpoint
certbot certonly –server https://acme.sectigo.com/v2/OV \
–eab-kid YOUR_EAB_KEY_ID \
–eab-hmac-key YOUR_EAB_HMAC_KEY \
-d yourdomain.com –webroot -w /var/www/html
# acme.sh with Sectigo OV endpoint
acme.sh –register-account -m your@email.com –server sectigo \
–eab-kid YOUR_EAB_KEY_ID –eab-hmac-key YOUR_EAB_HMAC_KEY
- Verify the issued certificate contains your organization name: openssl x509 -in cert.pem -noout -subject should show the verified organization name in the O= field.
Sectigo ACME OV ACME secrets (EAB credentials) are scoped to your organization and authorize issuance for any domain assigned to your account. Treat them as high-value secrets: store in a secrets manager (HashiCorp Vault, AWS Secrets Manager), never in version control, and limit access to systems that need to request certificates. Compromised EAB credentials for an OV account allow certificate requests for any of your assigned domains from any server.
Frequently Asked Questions
Can I use Certbot with Sectigo ACME OV, or do I need Sectigo Certificate Manager?
Standard ACME clients including Certbot, acme.sh, Win-ACME, and any RFC 8555-compatible client work with Sectigo’s ACME OV endpoint. Sectigo Certificate Manager is an enterprise product for large-scale certificate management; it is not required for basic Sectigo ACME OV use. The EAB credentials from your reseller and the Sectigo OV ACME server URL are all you need to configure a standard ACME client for automated OV certificate issuance.
What is the difference between Sectigo ACME OV at $90/year and standard Sectigo OV at $49/year from Certera?
Both issue Sectigo OV certificates with verified organization name, $1,000,000 warranty, and identical browser trust. The difference is operational: the $49/year standard OV from Certera requires manual renewal each certificate term (currently approximately every 199 days, shortening to 47 days by 2029). The $90/year ACME OV automates all renewals after the one-time organizational pre-validation. At current 199-day validity with a small certificate portfolio, the $41/year premium may not justify the automation. At 47-day validity with even a small number of certificates, the automation premium is cost-effective relative to staff time.
Does ACME OV work for wildcard certificates?
Yes. Sectigo ACME OV supports wildcard certificates. DNS-01 validation is required for wildcard certificates (as with all ACME wildcard issuance), which requires DNS API access for the domain. Once configured with DNS API access, wildcard OV certificates via ACME renew automatically. Note the instruction from Sectigo’s documentation: wildcard domains should not be assigned to shared ACME accounts due to the broad certificate issuance authority they grant; use a dedicated ACME account for wildcard certificate management.
