ᗕ Back to Blog Home

Do EV certificates provide better encryption than non-EV certificates?

No, EV certificates do not provide better encryption.

July 12, 2021
We're Expedited Security. We help SAAS applications prevent and recover from attack, overcome regulatory or integration security requirements or just stop "weird" traffic before it becomes a problem.

No, they don't. EV certificates verify a different subject from non-EV certs. That subject is the physical and legal existence of your business, rather than a non-EV certificate which typically is focused on the domain name.

While EV have some higher requirements than DV certs (2048 bit RSA and mandatory Certificate Transparency to protect against compromised CAs) - those are also implementable, but not mandatory, on DV certs.

The encyption strength of a certificate is seperate from the validation process. A typical non-EV certificate shows that someone owns a domain: a DV certificate for https://yourcompany.com only proves you have the domain yourcompany.com, but doesn't actually prove who you are. Someone else could get the DV certificate for https://yourcompany.com.fraud.ru and, seeing as they run fraud.ru and there's no proof of identity either, it would look almost identical.

How can I see the subject difference between an EV cert and a non-EV cert in the browser?

Obviosuly, an EV cert shows the identity with a green bar. But you can also see the full subject. In Chrome, click the green bar (EV) or the lock (non-EV) and then Connections, then Certificate Information.

Here's the subject in a non-EV certificate:

Here's the subject in an EV certificate:

How can I see the subject difference between an EV cert and a non-EV cert on the command line?

openssl x509 -in example.com.crt -noout -text | grep Subject
   Subject: OU=Domain Control Validated, CN=billing.example.com
           DNS:billing.example.com, DNS:www.billing.example.com
openssl x509 -in example.com.crt -noout -text | grep Subject
   Subject: jurisdictionOfIncorporationCountryName=GB/businessCategory=Private Organization/serialNumber=09378892, C=GB, ST=City of London, L=London, O=example Limited, CN=billing.example.com, DNS:billing.example.com, DNS:www.billing.example.com

serialNumber=07875247 is a registered company serial number in the country. In this case, it's a UK certificate, so it matches a Companies House entry where the company was registered with the UK national government.

ᗕ Back to Blog Home