Do EV certificates provide better encryption than non-EV certificates?

January 25, 2020

No, they don't. EV certificates verify a different subject from non-EV certs: an EV certificate validates the physical and legal existence of your business, whereas a non-EV certificate is typically focused on the domain name.

While EV certs have some higher requirements than DV certs (2048-bit RSA and mandatory Certificate Transparency to protect against compromised CAs), those are also implementable, but not mandatory, on DV certs.

The encryption strength of a certificate is separate from the validation process. A typical non-EV certificate shows that someone owns a domain: a DV certificate for https://yourcompany.com only proves you have the domain yourcompany.com, but doesn't actually prove who you are. Someone else could get a DV certificate for https://yourcompany.com.fraud.ru and, seeing as they run fraud.ru and there's no proof of identity either, it would look almost identical.

How can I see the subject difference between an EV cert and a non-EV cert in the browser?

Obviously, an EV cert shows the identity with a green bar. But you can also see the full subject. In Chrome, click the green bar (EV) or the lock (non-EV) and then Connections, then Certificate Information.

Here's the subject in a non-EV certificate:

Here's the subject in an EV certificate:

How can I see the subject difference between an EV cert and a non-EV cert on the command line?

openssl x509 -in example.com.crt -noout -text | grep Subject
   Subject: OU=Domain Control Validated, CN=billing.example.com
           DNS:billing.example.com, DNS:www.billing.example.com

openssl x509 -in example.com.crt -noout -text | grep Subject
   Subject: jurisdictionOfIncorporationCountryName=GB/businessCategory=Private Organization/serialNumber=09378892, C=GB, ST=City of London, L=London, O=example Limited, CN=billing.example.com
           DNS:billing.example.com, DNS:www.billing.example.com

serialNumber=07875247 is the company's registration number in its country of incorporation. In this case, it's a UK certificate, so it matches a Companies House entry, where the company was registered with the UK national government.
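
To make the Subject comparison above repeatable across many certificates, here is an added example (not part of the original page) that reads `openssl x509 -noout -text` output and reports whether the Subject carries the organisation identity fields seen in the EV output or only a domain name. The function names `has_attr` and `subject_kind`, the result labels and the sample variables are hypothetical; the alternative `jurisdictionC` / `jurisdictionCountryName` spellings are what other OpenSSL versions print for the same attribute.

```sh
#!/bin/sh
# Added example: report what identity a certificate's Subject line asserts.
# stdin: output of `openssl x509 -in cert.crt -noout -text` (or just its Subject line).

# has_attr SUBJECT NAME_REGEX: true if an attribute with that name is present.
# Accepts "O=..." and "O = ..." spellings and "/" or ", " separators.
has_attr() {
    printf '%s\n' "$1" | grep -Eq "(^|[ ,/+])($2) *="
}

subject_kind() {
    # Take only the "Subject:" line; "Subject Public Key Info:" and
    # "Subject Alternative Name:" do not contain "Subject:" and are skipped.
    subject=$(sed -n '/Subject:/{s/^.*Subject: *//p;q;}')
    [ -n "$subject" ] || { echo "no-subject"; return 1; }

    missing=""
    has_attr "$subject" 'O|organizationName' || missing="$missing O"
    has_attr "$subject" 'businessCategory'   || missing="$missing businessCategory"
    has_attr "$subject" 'serialNumber'       || missing="$missing serialNumber"
    # The jurisdiction country attribute is printed under several names.
    has_attr "$subject" 'jurisdiction(OfIncorporation)?(C|CountryName)' \
        || missing="$missing jurisdictionCountry"

    case "$missing" in
        "")    echo "ev-identity" ;;                  # organisation plus registration details
        " O"*) echo "domain-only" ;;                  # no organisation named at all
        *)     echo "org-partial missing:$missing" ;; # organisation named, EV fields absent
    esac
}

# Constructed sample input, modelled on the two Subject lines shown above.
DV_SAMPLE='   Subject: OU=Domain Control Validated, CN=billing.example.com'
EV_SAMPLE='   Subject: jurisdictionOfIncorporationCountryName=GB/businessCategory=Private Organization/serialNumber=09378892, C=GB, ST=City of London, L=London, O=example Limited, CN=billing.example.com'

printf '%s\n' "$DV_SAMPLE" | subject_kind
printf '%s\n' "$EV_SAMPLE" | subject_kind
```

The result describes only what the Subject line asserts; browsers decide EV treatment from the certificate's policy and issuing CA, so use this as a reading aid when reviewing certificates in bulk.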