Somewhere in a hosting sales page, tucked between the cheap options and the free ones, there is a certificate costing a few hundred pounds a year with the word “Premium” attached to it. That is usually an EV SSL certificate, and the pitch is that it makes your website look more trustworthy. It is a fair question to ask whether that is still true, and whether a small business should be spending the money.
Short version, and we will unpack it properly: extended validation is a genuinely rigorous check on your company, but the visible reward that used to justify the price tag has largely disappeared from modern browsers. Here is what an EV SSL certificate actually is, what it does, and how to decide honestly whether you need one.
Extended validation is a background check, not better encryption
This is the single most important thing to understand, and it is the bit the sales pages tend to skip over. Every SSL certificate encrypts traffic between your visitor and your server to exactly the same standard. A free certificate and a five-hundred-pound certificate scramble the data identically. There is no such thing as “stronger” encryption you can buy at the checkout.
What you are actually buying with extended validation is identity assurance. The Certificate Authority does not just check that you control the domain; it checks that your business is real. That means verifying your legal entity in official registries (Companies House, in the UK), confirming your registered address, checking you have been trading, and often ringing you on a phone number they have independently sourced rather than the one you gave them.
The certificate that comes out the other end contains verified details about your organisation, not just your domain name. Anyone who inspects it can see that a Certificate Authority stood behind your identity. That is the product.

The three levels of validation, and where EV sits
Certificates come in three flavours, and they differ only in how hard the Certificate Authority looks at you before issuing.
- Domain Validated (DV): the CA confirms you control the domain, usually via an automated DNS or file check. Issued in minutes, often free. Says nothing about who you are.
- Organisation Validated (OV): the CA also confirms your organisation exists and is legitimately registered. Takes a few working days. Your company details are embedded in the certificate.
- Extended Validation (EV): the full works. Legal existence, physical address, operational history, independent telephone verification, and a signed agreement. Takes up to a fortnight and costs considerably more.
- Wildcard and multi-domain variants: these are about coverage (subdomains, multiple domains), not validation level, and can be layered on top of any of the above.
So EV is not a different technology. It is the same technology with a much more thorough vetting process attached.
The green address bar is gone, and that changes everything
Here is the awkward truth that anyone selling you an EV certificate would rather not lead with. For years, the entire commercial case for extended validation was visual: your company name appeared in green, in the browser address bar, next to a padlock. It was a visible trust signal that a competitor with a free certificate could not replicate.
Browser makers have since removed that treatment. Chrome, Firefox, Safari and Edge all now show the same neutral padlock for a DV certificate and an EV certificate. The company name is still inside the certificate, but a visitor has to click the padlock and dig into the details to see it, and almost nobody does that. The research that prompted the change suggested users simply were not noticing or understanding the green bar.
We say this to clients all the time: if you are buying EV because you think customers will see something different, they will not. That benefit no longer exists in the way it once did.
So who should still buy an EV SSL certificate?
Not nobody. There are still real reasons, they are just narrower than the marketing suggests.
Regulated industries are the clearest case. If you work in financial services, insurance, healthcare or legal services, your compliance team or your insurer may require organisation-verified certificates. If it is written into a contract or a policy, the debate is over and you buy the certificate.
Large enterprise procurement is another. If you sell into big organisations, their security questionnaires sometimes ask about certificate validation levels, and having the right answer is easier than arguing the point.
Phishing-heavy sectors have a case too. If your brand is routinely spoofed and you have a security-literate customer base, having verifiable organisational details in your certificate gives your team something concrete to point at.
Warranty coverage matters to some businesses. Paid certificates come with a financial warranty from the Certificate Authority, and EV certificates carry the highest cover. For most small businesses this is a number on a page that will never be claimed, but for some it ticks a box.
Who should not bother, and what to do instead
If you run a local trades business, a consultancy, a restaurant, a small e-commerce shop or a professional services firm, a free auto-renewing domain-validated certificate does everything you need. Your visitors get the padlock. Your data is encrypted. Google is happy. Nobody is checking your validation level.
The money you save is far better spent on things customers genuinely notice:
- Page speed: a fast, well-built site converts better than a slow one with a fancier certificate. Every time.
- Real trust signals: reviews, case studies, named team photos, a proper address and phone number, and clear pricing do vastly more for credibility.
- Sensible security basics: strong admin passwords, two-factor authentication, up-to-date plugins and daily backups protect you far more than certificate paperwork.
- Content that answers questions: the pages that win trust are the ones that solve the customer’s problem before they ring you.
Trust is earned on the page, not in the certificate chain.
How to get an EV certificate if you decide you need one
Get your paperwork straight first
Your company must be properly registered and publicly verifiable. Your registered name, address and status at Companies House need to match exactly what you put on the application. A mismatch is the number one cause of delays.
Make sure you are findable by phone
The Certificate Authority will verify a phone number for your business from an independent source, such as a public directory or a third-party database, and then call it. If your business phone number is not listed anywhere official, sort that out before you apply, or expect to spend a week going back and forth.
Apply and generate the CSR
Buy through your host or a reputable certificate provider, generate a Certificate Signing Request from your server or control panel, and submit the organisational details. Your host’s support team will happily generate the CSR for you.
Complete the validation calls and paperwork
Expect a document request and a phone call. Answer promptly; the clock only moves when you do. Budget one to two weeks, not one to two hours.
Install, then verify properly
Once issued, install the certificate and the full chain, including the intermediate certificate. Then load your site in a private window, click the padlock, and confirm your organisation’s name appears in the certificate details. Run an online SSL checker to confirm the chain is complete.
Best practices for certificates, whichever level you choose
- Automate renewal wherever possible: certificate lifetimes are shrinking, and manual renewal is how sites end up throwing warnings at customers.
- Own the account yourself: the certificate should live in an account your business controls, not a former developer’s personal login.
- Use a shared inbox for notices: renewal reminders sent to one person’s email are reminders waiting to be missed.
- Cover your subdomains: a shop or booking subdomain throwing warnings damages you just as badly as the homepage doing it.
- Force HTTPS site-wide: redirect all HTTP traffic and fix any mixed-content warnings so the padlock stays clean.
- Diary the expiry date: in a shared calendar, thirty days out, every single time.
Common mistakes we see around premium certificates
Believing you are buying better security. You are not; you are buying a background check. If someone tells you a paid certificate encrypts more strongly, be suspicious of everything else they tell you.
Buying EV and then leaving the site full of mixed content, so the padlock breaks anyway. An expensive certificate on a badly configured site is money burnt.
Assuming the green bar still exists. It does not, and any sales page that implies otherwise is out of date at best.
Letting an EV certificate lapse because the validation process takes a fortnight and nobody started it in time. Shorter certificate lifetimes make this harder every year, not easier.
Where certificate validation is heading
Two trends matter. First, certificate lifetimes keep shortening, which pushes the whole industry towards automation; a validation process that takes two weeks of human paperwork sits awkwardly with a certificate that needs replacing frequently. Second, browsers have moved away from rewarding validation level visually, and there is little sign of that reversing.
The practical direction of travel is that identity assurance is becoming something machines and compliance teams check, rather than something your customer sees. For the average small business, that makes the free automated certificate the sensible default and the premium one a compliance purchase rather than a marketing one.
Is an EV SSL certificate more secure than a free one?
No. The encryption is identical. What differs is how thoroughly the Certificate Authority verified who you are before issuing the certificate.
Will customers see my company name in the browser?
Not in the address bar; modern browsers removed that display. Your verified company details are still inside the certificate, but a visitor would need to click the padlock and view the certificate details to find them.
How long does it take to get an EV certificate?
Typically one to two weeks, because a human has to verify your legal entity, your address and an independently sourced phone number. Domain-validated certificates issue in minutes by comparison.
Does an EV certificate help my Google rankings?
No more than any other certificate. HTTPS is a ranking signal, but Google does not distinguish between validation levels. A free certificate gives you the same SEO benefit.
What should a typical small business use?
A free, auto-renewing domain-validated certificate, unless a regulator, insurer or major client contract specifically requires otherwise. Spend the difference on your website and your content.
Your certificate decision checklist
- Check for a requirement: does a regulator, insurer or client contract actually demand organisation or extended validation? If not, you are free to choose.
- Confirm what you have now: click the padlock, view the certificate, see who issued it and at what level.
- Default to free and automatic: a DV certificate that renews itself is the right answer for most small businesses.
- If you do need EV, start early: allow two weeks and get your Companies House details and public phone listing in order first.
- Cover every subdomain: check your shop, blog and booking subdomains, not just the homepage.
- Fix mixed content: no point paying for a certificate if an old http:// image breaks the padlock.
- Diary the renewal: shared calendar, shared inbox, thirty days’ notice.
Contact Us
If you have been quoted for a premium certificate and you are not sure whether it is money well spent, ask someone who has no commission riding on the answer. Nine times out of ten we tell small businesses they do not need it, and we would rather that money went into a faster site or better content that actually brings you enquiries.
Delivered Social builds and looks after websites for small businesses across the UK, and we are perfectly happy to tell you when not to spend money. Get in touch and we will look at your setup, tell you honestly whether an EV SSL certificate makes any sense for you, and make sure whatever you are running renews itself without drama.


































