Netcraft’s 2025 data across hundreds of millions of active SSL certificates shows 94.3% are Domain Validation. OV accounts for 5.5%. EV, once the gold standard for high-trust sites, has fallen to 0.1% of issuance and is declining at roughly 20% per month according to Q1 2026 Certificate Transparency log analysis. The DV dominance is real and the numbers are accurate.
They also tell only half the story. Certificate count and web traffic are different measurements. The 94.3% DV figure counts certificates, not the traffic those sites receive. When SSL researchers measure traffic share by certificate type, a different picture emerges: OV-certified sites, representing only 5.5% of all certificates, account for approximately 27% of all web traffic (SSLInsights, January 2026, citing Netcraft methodology). That is a 5-to-1 traffic-per-certificate ratio compared to DV. The organizations behind those OV certificates serve more users, process more transactions, and carry more commercial weight than their 5.5% certificate share suggests.
Understanding why this ratio exists, and what it means for a business that currently runs on DV, is the purpose of this article.
Why 94% of Certificates Are DV: What Actually Fills That Category
The DV certificate count is driven almost entirely by Let’s Encrypt, which by mid-2025 held approximately 63% of all active SSL certificate share and had issued over one billion free certificates. Let’s Encrypt automated DV issuance completely: a server with Certbot installed provisions and renews certificates without human involvement. This automation infrastructure made free DV certificates the default for every web server, hosting platform, CDN, and website builder on the internet.
The result is a certificate pool populated by every site on the internet that has HTTPS enabled, regardless of purpose or traffic. An accurate description of what the 94.3% DV category contains:
- Personal blogs and hobby sites with minimal traffic
- Staging and development environments
- Parked domains with no content
- Expired or abandoned sites that still serve HTTPS
- Spam and doorway pages with short lifespans
- Phishing sites (Zscaler ThreatLabz 2024: 90.5% of phishing sites use DV certificates; 0% use OV)
- Automated API endpoints and microservices with no public visitors
- Business websites with genuine traffic and legitimate operations
The last category, business websites with genuine traffic, represents the commercial web. It is also the category where a certificate type decision actually matters to outcomes, because it is the category where visitors form trust judgments, complete transactions, and return.
Zscaler ThreatLabz 2024 documented that 90.5% of phishing sites use DV certificates. Zero percent use OV certificates. The reason is structural: DV requires only domain control verification, which takes minutes and requires no business identity. OV requires verified legal entity name, address, and phone number. A criminal cannot pass OV validation without a real business identity. DV’s 94% certificate share includes the entire phishing ecosystem. OV’s 5.5% share contains none of it.
The Traffic Ratio: Why OV Sites Handle 27% of Traffic From 5.5% of Certificates
What does traffic share by certificate type measure?
Traffic share by certificate type measures what proportion of actual web page requests and visits are served by sites using each certificate type, as distinct from the raw count of certificates issued. A single high-traffic OV site serving 50 million visitors per month contributes more to OV traffic share than 50,000 small DV sites each serving 100 visitors per month, even though the 50,000 sites represent 50,000 certificates to the OV site’s one.
The 5-to-1 traffic-per-certificate ratio for OV over DV reflects a concentration effect: the organizations that use OV certificates tend to be larger commercial entities serving more users per domain. Banks, insurance companies, major ecommerce retailers, SaaS platforms, government portals, and media companies disproportionately use OV certificates. These organizations operate a small number of domains but serve enormous traffic volumes.
Consider the certificate math: a major bank might run 10 to 50 OV certificates across its customer-facing domains. Those 10 to 50 certificates serve tens of millions of monthly visits. A personal blog serving 200 monthly visitors has one DV certificate. The bank’s 50 certificates contribute 50 to the OV count. The bank’s 20 million monthly visits contribute 20 million to OV traffic. The blog contributes 1 to DV certificate count and 200 to DV traffic. Scale this dynamic across the commercial web and the traffic ratio follows.
| Certificate type | Share of all certificates (Netcraft 2025) | Approximate share of web traffic (SSLInsights Jan 2026) | Traffic-to-certificate ratio | Characteristic site types |
| DV | 94.3% | ~60% | 0.64x (below proportional) | Personal sites, automated endpoints, hosting default, phishing sites, development environments |
| OV | 5.5% | ~27% | 4.9x (well above proportional) | Banks, ecommerce retailers, SaaS platforms, government portals, B2B services, media companies |
| EV | 0.1% | ~13% (legacy) | 130x (reflects legacy large-site installations) | Formerly used by large financial and ecommerce sites; new EV issuance is declining sharply as of 2026 |
The EV traffic share reflects legacy installations, not active adoption. TechnologyChecker.io’s Q1 2026 CT log analysis of 10.94 billion certificates found only 188,610 EV certificates issued in the entire quarter, declining at approximately 20% per month. EV certificates on high-traffic sites installed years ago still serve traffic, but new EV issuance has almost entirely stopped. For organizations currently evaluating certificate upgrades, OV is the relevant step up from DV. New EV adoption outside of specific regulatory requirements is not a mainstream recommendation for 2026.
Which Category a Business Site Joins With Each Certificate Type
A business site running a free Let’s Encrypt DV certificate is in the same certificate category as a phishing site, a parked domain, and an abandoned WordPress installation. The padlock looks the same. The certificate validation level is the same. A visitor who clicks the padlock to check certificate details sees domain control confirmed and no organizational identity. The certificate provides no evidence that the site is operated by a verified legal entity.
This is not a theoretical risk. APWG Q4 2024 recorded 989,123 phishing incidents in a single quarter. Zscaler documented that phishing sites use DV at the same rate as legitimate businesses. The padlock that once indicated safety has been so thoroughly adopted by malicious actors that browsers (Chrome since 2018, Firefox since 2019) removed the green padlock distinction specifically because it was misleading users into trusting DV-certificated phishing sites.
A business site running OV is in a categorically different segment. OV certificates require the Certificate Authority to verify the legal entity name, registered address, and phone number against independent business databases before issuing. The certificate Subject contains a verified Organization field. A visitor inspecting the certificate details sees the verified legal name of the business operating the site. No phishing site can obtain an OV certificate because no phishing operation can pass CA organizational identity verification.
| Site type | DV certificate | OV certificate |
| Personal blog | Same category | Not applicable |
| Phishing site | Same category | Impossible to obtain |
| Abandoned site with auto-renewing Let’s Encrypt | Same category | Not applicable |
| Development/staging environment | Same category | Uncommon (usually DV or self-signed) |
| Ecommerce store processing payments | Same category as all of the above | Separate, verified-identity category |
| SaaS platform with enterprise customers | Same category as all of the above | Separate, verified-identity category |
| B2B company whose customers inspect certificate details | Same category as all of the above | Separate, verified-identity category |
The Certificate Upgrade Argument for Business Sites
The OV upgrade argument is not primarily about encryption. DV and OV provide identical TLS encryption. The argument is about identity verification and which category a business site sits in when a visitor performs any level of certificate inspection.
Three types of visitors perform certificate inspection or are affected by certificate type:
- Security-conscious customers at checkout: Baymard Institute’s 2024 research found 25% of checkout abandonments cite credit card security concerns. A proportion of those abandoners clicked the padlock before leaving. A DV certificate shows no organizational identity. An OV certificate shows a verified legal entity name. The converting trust signal is the specific, CA-verified business name in the certificate details that a DV certificate structurally cannot provide.
- B2B procurement and security reviews: enterprise procurement teams evaluating SaaS vendors and service providers frequently inspect SSL certificates as part of vendor security assessments. An OV certificate with a verified organization name confirms the vendor is a real, identified legal entity. A DV certificate provides no such confirmation. For B2B companies, certificate type appears in vendor questionnaire checklists at a frequency that DV cannot satisfy.
- Browser and security tooling that surfaces certificate details: some enterprise network security proxies, browser extensions, and security-aware users inspect certificate details as a standard practice. OV’s verified organization name passes this inspection. DV’s absence of organizational identity does not.
What the Upgrade Requires
Upgrading from DV to OV requires purchasing an OV certificate from an authorized CA reseller, completing organizational validation (1 to 3 business days for most jurisdictions), and replacing the installed certificate. The DV certificate is decommissioned; the OV certificate covers the same domains.
OV pricing from authorized resellers in 2026 starts at approximately $30 to $80 per year for a single domain OV certificate. The CA’s validation team verifies the legal entity name, registered address, and phone number. The most common delay is the phone callback; having someone available during CA business hours to take a call from the validation team reduces the 3-day estimate to 1 day.
The organizational identity verified during OV issuance can be reused for 398 days under the current CA/B Forum rules (from March 15, 2026). Subsequent OV certificate reissuances within that period do not require full re-validation, only DCV (domain control) confirmation. The first OV purchase involves the most friction. Subsequent reissuances within the subscription term are substantially faster.
The CA site seal included with OV certificates is the visible on-site expression of OV’s identity verification. A dynamic CA seal placed adjacent to payment fields links to the CA’s validation confirmation page showing the verified organization name. This converts the invisible certificate attribute into a visible checkout trust signal. Deploying the site seal alongside the OV certificate captures the conversion benefit at the point where Baymard’s abandonment data shows security concerns are highest.
Frequently Asked Questions
My hosting provider already gives me a free DV certificate. What specifically does OV add that I am not already getting?
The hosting DV certificate provides HTTPS, the padlock, and TLS encryption. It does not provide a verified organization name in the certificate Subject. When a visitor clicks the padlock on a DV-certificated site and views certificate details, they see domain control confirmed and no organization name. On an OV-certificated site, they see your verified legal entity name confirmed by the CA. OV also includes a CA site seal showing your verified business name that can be displayed on the site, a warranty from the CA, and certificate-level separation from the DV category that includes phishing sites and personal blogs.
Does OV affect Google search rankings?
Google confirmed in 2014 that HTTPS is a ranking signal. Subsequent Google documentation has not differentiated between DV and OV for ranking purposes; HTTPS from any valid certificate satisfies the technical requirement. The SEO case for OV is indirect: OV’s impact on checkout conversion and customer trust affects on-site behavior metrics (time on site, bounce rate, conversion rate) that correlate with rankings, but the certificate type itself does not produce a direct ranking increment over DV.
Is EV worth considering in 2026?
For most businesses, no. EV new issuance has declined to approximately 50,000 certificates per month globally in April 2026, down from higher levels, and is declining at roughly 20% per month per Q1 2026 CT log analysis. The green address bar that once distinguished EV in browsers was removed by Chrome in 2019 and by other major browsers shortly after. EV’s technical identity verification is more thorough than OV, but the visible difference to visitors is now minimal. For regulated industries (financial services, healthcare) where EV is specified in compliance frameworks or enterprise procurement policies, EV remains the required standard. For businesses without those specific requirements, OV at a fraction of EV’s price provides the organizational identity verification that the upgrade decision is based on.
