Subscribe to the Non-Human & AI Identity Journal

Domain Validated Certificate

A domain validated certificate confirms control of a domain name but does not prove the legal identity of the organisation behind it. It provides encryption for the connection, yet it is a weak trust signal for high-assurance transactions such as tax filing or regulated financial workflows.

Expanded Definition

A Domain Validated certificate, often called DV, proves that the requester controls a domain name, usually through DNS, HTTP, or email-based validation. It does not verify the organisation’s legal identity, operational legitimacy, or the authority of the person requesting issuance. In that sense, DV is an ownership check for a domain, not an assurance model for a business.

For NHI and machine identity programs, that distinction matters because a DV certificate can still be perfectly suitable for transport encryption, service-to-service trust bootstrapping, and automated workload deployment. But it is not a strong trust signal for regulated transactions, privileged portals, or cases where counterparty identity must be explicit. Guidance varies across vendors on whether DV certificates are “enough” for internal services, so practitioners should treat the certificate class as one control in a broader trust chain rather than a proof of legitimacy. The NIST Cybersecurity Framework 2.0 is useful here because it reinforces that identity and access controls must be risk-based, not assumed from encryption alone.

The most common misapplication is treating DV issuance as proof of organisational identity, which occurs when teams rely on browser padlock cues to authorise sensitive workflows.

Examples and Use Cases

Implementing DV certificates rigorously often introduces governance overhead, requiring organisations to weigh fast automated issuance against weaker identity assurance and shorter operational review cycles.

  • Internal APIs use DV certificates to encrypt traffic between services, while separate workload identity controls enforce who can call what.
  • Ephemeral test environments issue DV certificates automatically during deployment, then revoke or replace them as infrastructure is destroyed.
  • Public websites use DV certificates for TLS, but checkout, tax, or regulated account actions require stronger organisation validation or additional identity checks.
  • DevOps teams bind certificate issuance to domain ownership automation so that certificate renewal does not become a manual bottleneck, a pattern frequently discussed in NHIMG research on Non-Human Identities.
  • Security teams map DV usage against workload identity standards such as SPIFFE when they need certificate-based trust without pretending the certificate itself proves business identity.

In incident reviews, DV certificates often appear in environments where certificate automation was prioritised but the trust model was not documented, making it hard to explain what the certificate does and does not prove.

Why It Matters in NHI Security

DV certificates are common in machine identity estates, which is exactly why they become risky when inventory, ownership, and lifecycle controls are weak. NHIMG research reports that 57% of organisations lack a complete inventory of their machine identities, 61% still rely on spreadsheets or manual tracking, and only 38% have automated certificate lifecycle management in place. That combination makes certificate sprawl, expiry outages, and over-trust more likely than many teams expect. The SailPoint report on The Critical Gaps in Machine Identity Management highlights how often machine identity governance lags behind growth, while the CISA Zero Trust Maturity Model reminds practitioners that identity evidence must be explicit and continuously evaluated.

Because DV only validates domain control, it can be misused as a proxy for trust in NHI flows that need stronger assurance, especially when certificates are auto-issued at scale and no one reviews the business purpose behind them. Organisations typically encounter the real consequence only after a phishing campaign, service impersonation event, or certificate-related outage, at which point DV scope and lifecycle governance become operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Covers machine identity and certificate lifecycle weaknesses tied to weak assurance.
NIST CSF 2.0 PR.AC-1 Identity proofing and access enforcement should not rely on certificate class alone.
NIST Zero Trust (SP 800-207) AC-2 Zero Trust requires explicit trust decisions beyond possession of a domain certificate.
NIST SP 800-63 IAL2 DV is not equivalent to identity proofing under digital identity assurance concepts.
NIST AI RMF Risk management must account for when cryptographic trust is mistaken for identity trust.

Use higher assurance identity evidence when a workflow needs organisational identity verification.