What is an SSL Certificate?

When to use an SSL Certificate

SSL (Secure Sockets Layer) is the name of the protocol used to establish secure communication between a server and a client. It prevents the interception, tampering and falsification of data such as passwords, personal details and credit card numbers.
Even though the protocol currently used is called TLS (Transport Layer Security), the term “SSL” continues to be used for Internet security technology, of which TLS represents the evolution. 


To ensure a safe browsing experience in which data is protected, the appropriate SSL Certificate issued by a trusted third party, namely a CA (Certification Authority), needs to be installed on a website.

All DV, OV and EV SSL Certificates issued by Actalis are covered by Warranty

Types of SSL Certificate

There are 4 types of SSL Certificate: 

  • DV (Domain Validation)
  • OV (Organization Validation)
  • EV (Extended Validation)
  • QWAC (Qualified Website Authentication Certificate)

The types of SSL Certificate differ according to the type of validation, each with their own verification level.

DV SSL Certificate

Confirms ownership or control of the domain by the applicant. A DV SSL Certificate contains the common name of the domain. 

Can be issued for:

  • Single domain (Single Host): valid for a single domain name such as domainname.extension
  • 1 website and all subdomains (Wildcard): valid for a domain name such as domainname.extension and for all subdomains, normally displayed as *.domainname.extension. For example, shop.companyname.com or area.companyname.com.
  • Up to 5 domains (SAN): valid for up to 5 different domain names, such as domainname.extension. For example, companyname.com or companyname.it.

OV SSL Certificate

Involves the same checks as for a DV Certificate, as well as performing checks on the company that owns the domain. An OV SSL Certificate also contains information on the applicant’s organization.


It can be issued for:

  • Single domain (Single Host): valid for a single domain name such as domainname.extension
  • 1 website and all subdomains (Wildcard): valid for a domain name such as domainname.extension and for all subdomains, normally displayed as *.domainname.extension. For example, shop.companyname.com or area.companyname.com.
  • Up to 5 domains (SAN): valid for up to 5 different domain names, such as domainname.extension. For example, companyname.com or companyname.it.

EV SSL Certificate

This certificate offers the highest level of assurance. In addition to the checks performed for an OV Certificate, the CA carries out more detailed checks, for example, to confirm that the applicant is authorized and represents the organization.


It can be issued for:

  • Single domain (Single Host): valid for a single domain name such as domainname.extension
  • Up to 5 domains (SAN): valid for up to 5 different domain names, such as domainname.extension. For example, companyname.com or companyname.it.

QWAC SSL Certificate

This is a qualified digital SSL certificate, issued in accordance with the trust services standards established by EU eIDAS Regulations. Like an EV SSL Certificate, it cannot be issued for individuals.


It can be issued for:

  • Single domain (Single Host): valid for a single domain name such as domainname.extension
  • Up to 5 domains (SAN): valid for up to 5 different domain names, such as domainname.extension. For example, companyname.com or companyname.it.

QWAC PSD2 Certificate

The QWAC PSD2 is a qualified certificate compliant with eIDAS and PSD2 RTS requirements that securely identifies the web server of an authorized operator in the payments sector. It is therefore similar to a regular SSL/TLS Server certificate but also attests to the Payment Service Provider (PSP) status of the certificate holder. The certificate includes the PSD2 attributes that identify: 

  • The regulated entity.
  • The supervisory authority.
  • The role of Card Issuer (CISP).
  • The PSD2 role (AISP / PISP / ASPSP).


For all details, consult the dedicated guide.

Changes to the issuance of SSL certificates with Client Authentication (mTLS)

Starting from 15/06/2026, it will no longer be possible to issue SSL certificates that also allow client authentication.
This means that the SSL certificate installed on a server will no longer be usable to authenticate to another server using client authentication (a concept also known as mutual TLS / mTLS).
Mutual TLS is mainly used in machine-to-machine communications (for example, in payment networks), but it is not required for normal web browsing via browsers or mobile apps.
For mutual TLS to be possible, the SSL certificate used by the client side must include the clientAuth value in the ExtendedKeyUsage field. After the set date, this will no longer be possible for SSL Server certificates; therefore, separate certificates will be required for this purpose.
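
To find which deployed certificates are affected, you can read the ExtendedKeyUsage field of each one. The following is an added example, not Actalis code: a standard-library Python walker that extracts the EKU purposes from DER data and flags certificates carrying both serverAuth and clientAuth. The function names are hypothetical and the two sample byte strings are constructed (they hold only an extensions block); the same walk applies to a full DER certificate.

```python
EKU_EXT = "2.5.29.37"              # id-ce-extKeyUsage (RFC 5280)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = count of length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(val):
    arcs, n = [], 0
    for b in val:                      # base-128; high bit set means more bytes follow
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_purposes(der):
    """Return the KeyPurposeId OIDs found in DER data, or None if there is no EKU."""
    stack = [der]
    while stack:
        for tag, val in children(stack.pop()):
            if not tag & 0x20:         # primitive element: nothing nested to search
                continue
            kids = list(children(val))
            if (tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06
                    and decode_oid(kids[0][1]) == EKU_EXT and kids[-1][0] == 0x04):
                _, seq, _ = read_tlv(kids[-1][1], 0)  # extnValue wraps SEQUENCE OF OID
                return [decode_oid(v) for t, v in children(seq) if t == 0x06]
            stack.append(val)
    return None

def dual_use(der):  # True when serverAuth and clientAuth share one certificate
    return {SERVER_AUTH, CLIENT_AUTH} <= set(eku_purposes(der) or [])

# Constructed samples: a bare [3] extensions block holding only an EKU extension.
BOTH = bytes.fromhex("a321301f301d0603551d250416301406082b0601050507030106082b06010505070302")
SERVER_ONLY = bytes.fromhex("a317301530130603551d25040c300a06082b06010505070301")
```

A certificate for which `dual_use` returns True and which is presented on the client side of an mTLS connection is one that needs a separate client certificate at its next renewal.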
 

Use Cases

  • Case: SSL certificate with clientAuth and not trusted
    Description: If you need a certificate with clientAuth without the requirement that it be trusted by browsers, an SSL Client certificate is sufficient.
    Recommended product: SSL Client

  • Case: SSL certificate with clientAuth and trusted
    Description: This option for SSL server certificates is available only until 15 June 2026. After that date, the same requirement can be met exclusively through S/MIME certificates that also include clientAuth.
    Recommended product: S/MIME

  • Case: SSL Server certificate with clientAuth issued by a qualified eIDAS CA
    Description: In specific contexts, an SSL Server certificate that also includes clientAuth and is issued by a Qualified eIDAS CA listed in the EU Trust List may be required.
    Recommended product: SSL Server QWAC

  • Case: Authentication certificate compliant with CNS specifications
    Description: If you need a certificate compliant with CNS (National Services Card) specifications, please contact our support team.


Validity of SSL and trusted QWAC certificates

Starting from March 15, 2026, a new CAB Forum rule will come into effect that reduces certificate validity to approximately 6 months (184 days).
This change is designed to increase web security and requires a more automated certificate management strategy.

Specifically:

  • from March 15, 2026 onward, certificates that are issued or renewed will have a maximum validity of 184 days. If you have purchased a one-year certificate, we will continue to guarantee the requested annual coverage at no additional cost: six months after activation, a second certificate to be activated will be made available in your customer area.
  • certificates issued before March 15, 2026 will not lose validity: they will retain their original duration until their normal expiration date.

Below is the summary timeline of a certificate’s validity:

  • 0 – 168 days: the certificate is valid and active;
  • 169 – 184 days: in the customer area you will find two certificates:
    • the current one nearing expiration;
    • the new one to be activated.
    During these 16 days, it is essential to activate the second certificate in order to remain covered for the following months;
  • after 184 days: if you have not activated the second certificate in time, you risk losing continuity of annual coverage, but you will still be able to activate the second certificate to be covered for the following months;
  • early renewal: if you renew within 184 days, the remaining days are added to the new certificate. For example, a certificate renewed on day 169 has a duration of 184 + 16 days.

Recommendation: since manual certificate management may be impractical under the new rule, we recommend using automated tools such as ACME to automate renewals and avoid the risk of unmanaged expirations and service interruptions.


If, however, you prefer manual management, it is essential to activate the second certificate between the 169th and 184th day after activation.

Domain validation: from March 15, domain validation has a duration of 200 days:

  • if the validation is still valid, it is reused;
  • if it has expired, it will be necessary to repeat it by following the steps indicated on the website.
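
For manual management, the timeline and the domain validation rule above can be turned into a scheduled check over a certificate inventory. The following is an added example, not Actalis code: the function names, the phase labels and the inventory are constructed, and it assumes day 0 is the activation day, that remaining days are counted inclusively (which matches the 184 + 16 example), and that a validation is reusable through its 200th day.

```python
from datetime import date, timedelta

MAX_VALIDITY = 184   # days; maximum validity stated on the page
WINDOW_OPENS = 169   # day the second certificate appears in the customer area
DV_REUSE = 200       # days a domain validation can be reused

def renewal_status(activated, validated, today):
    """Classify one certificate against the page's timeline (day 0 = activation)."""
    day = (today - activated).days
    if day < WINDOW_OPENS:
        phase = "active"
    elif day <= MAX_VALIDITY:
        phase = "activate-second-certificate"
    else:
        phase = "coverage-lapsed"
    # Assumption: remaining days are counted inclusively, which reproduces the
    # page's example (renewed on day 169 -> 184 + 16 days).
    carried = MAX_VALIDITY - day + 1 if phase == "activate-second-certificate" else 0
    return {
        "day": day,
        "phase": phase,
        "window_opens": activated + timedelta(days=WINDOW_OPENS),
        "deadline": activated + timedelta(days=MAX_VALIDITY),
        "new_duration": MAX_VALIDITY + carried,
        # Assumption: a validation stays reusable through its 200th day.
        "revalidate_domain": (today - validated).days > DV_REUSE,
    }

def action_list(inventory, today):
    """Return (host, status) pairs that need attention, earliest deadline first."""
    rows = [(host, renewal_status(a, v, today)) for host, a, v in inventory]
    due = [r for r in rows if r[1]["phase"] != "active" or r[1]["revalidate_domain"]]
    return sorted(due, key=lambda r: r[1]["deadline"])

# Constructed inventory: (host, activation date, date of last domain validation).
INVENTORY = [
    ("shop.companyname.com", date(2026, 5, 4), date(2026, 5, 4)),
    ("area.companyname.com", date(2026, 8, 1), date(2026, 3, 20)),
    ("companyname.it", date(2026, 4, 1), date(2026, 4, 1)),
    ("www.companyname.com", date(2026, 9, 1), date(2026, 9, 1)),
]

if __name__ == "__main__":
    for host, s in action_list(INVENTORY, date(2026, 10, 20)):
        print(host, s["day"], s["phase"], s["deadline"], s["new_duration"])
```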

For further details, please see the FAQs.
