WebPKI Observatory
Quantitative analysis of the Certificate Authority ecosystem that underpins TLS on the public internet. Data updated daily from Certificate Transparency logs, CCADB, Mozilla Bugzilla, and CA/Browser Forum records. Last updated 2026-04-05.
CA Market Share
The WebPKI market shows moderate concentration, with five CAs controlling 93.6% of issuance volume. Internet Security Research Group leads with 39.6%, followed by Google Trust Services at 15.9% and DigiCert at 14.2%. The three-firm concentration ratio (CR3) of 69.7% and Herfindahl-Hirschman Index (HHI) of 2,334 indicate a market between competitive and concentrated, with 80 of 95 trusted CAs operating in the long tail with minimal issuance share.
- Internet Security Research Group: 39.6% of unexpired certificates
- Google Trust Services LLC: 15.9% of unexpired certificates
- DigiCert: 14.2% of unexpired certificates
- GoDaddy: 13.3% of unexpired certificates
- Sectigo: 10.6% of unexpired certificates
The top 3 CAs account for 69.7% of all certificate issuance. The top 5 account for 93.6%. HHI concentration index: 2,334 (above 2,500 is considered highly concentrated). 95 Certificate Authorities are currently trusted by at least one major root program.
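The CR3, CR5 and HHI figures above can be checked against the listed shares. The Python below is an added example, not the Observatory's own code; the function names are hypothetical, and because the page publishes only the top five shares it bounds the HHI over the remaining 90 CAs instead of computing it exactly.

```python
# Added example: concentration metrics from the shares printed on the page.
TOP_SHARES = {  # percent of unexpired certificates, values from the page
    "Internet Security Research Group": 39.6,
    "Google Trust Services LLC": 15.9,
    "DigiCert": 14.2,
    "GoDaddy": 13.3,
    "Sectigo": 10.6,
}
TRUSTED_CAS = 95     # CAs trusted by at least one root program (page)
REPORTED_HHI = 2334  # HHI stated on the page


def concentration_ratio(shares, k):
    """CR_k: combined percentage share of the k largest issuers."""
    return round(sum(sorted(shares, reverse=True)[:k]), 1)


def hhi_bounds(named_shares, total_cas):
    """Bound the HHI (sum of squared percentage shares over all CAs)
    when only the largest issuers' shares are published."""
    named = sorted(named_shares, reverse=True)
    tail_cas = total_cas - len(named)
    rest = 100.0 - sum(named)
    if tail_cas <= 0 or rest < 0:
        raise ValueError("shares exceed 100% or no unnamed CAs remain")
    known = sum(s * s for s in named)
    # Lowest when the unnamed remainder is split evenly across the tail.
    low = known + tail_cas * (rest / tail_cas) ** 2
    # Highest when it is packed into as few CAs as possible, none of them
    # larger than the smallest named issuer.
    full, leftover = divmod(rest, named[-1])
    high = known + full * named[-1] ** 2 + leftover ** 2
    return low, high


def reported_hhi_is_consistent(reported=REPORTED_HHI):
    """True if the reported HHI falls inside the computed bounds."""
    low, high = hhi_bounds(TOP_SHARES.values(), TRUSTED_CAS)
    return low <= reported <= high


if __name__ == "__main__":
    shares = list(TOP_SHARES.values())
    print("CR3:", concentration_ratio(shares, 3))
    print("CR5:", concentration_ratio(shares, 5))
    print("HHI bounds: %.1f to %.1f" % hhi_bounds(shares, TRUSTED_CAS))
    print("reported value consistent:", reported_hhi_is_consistent())
```

The published shares are rounded to one decimal place, so the bounds are approximate; the reported 2,334 falls inside them, below the 2,500 threshold the page cites.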
CA Compliance Incidents
1,449 incidents across 54 CAs have been recorded, with misissuance (575 incidents) and governance failures (447 incidents) representing the dominant categories. Only 23% of incidents are self-detected by CAs, while external researchers (19%), automated tools (17%), and root programs (4%) drive most discovery, indicating systematic surveillance gaps. Policy failures (166 incidents), disclosure failures (116 incidents), and audit findings (103 incidents) reveal operational immaturity that persists despite the regulatory surface expanding to over 6,600 obligations.
1,449 compliance incidents across 54 Certificate Authorities have been publicly documented in Mozilla Bugzilla since 2014.
- Misissuance: 575 incidents (40%)
- Governance: 447 incidents (31%)
- Revocation: 306 incidents (21%)
- Validation: 121 incidents (8%)
Of these incidents: 166 involved CAs violating their own documented policies, 116 involved failure to disclose issues on time, and 103 were discovered by auditors rather than by the CA itself.
Who discovers CA compliance incidents: root programs find 4%, automated tools (CT log monitors, linters) find 17%, and CAs' own monitoring accounts for only 23%.
CA Distrust Events
16 distrust events have occurred across all browsers, with 14 involving compliance or operational failures and 10 following a pattern of repeated issues rather than isolated incidents. The posture distribution shows 7 cases of negligent noncompliance and 3 of demonstrated incompetence, with only 1 characterized as accidental, indicating that most distrusts result from systematic operational dysfunction. The median 1,185-day distrust runway from announcement to removal provides extended time for certificate replacement but also allows distrusted CAs to continue issuance during transition periods.
16 Certificate Authorities have been removed from browser trust stores since 2011. 14 of these events involved compliance operations failures — inadequate incident response, concealment, or patterns of unresolved issues. 10 had documented recurring patterns of issues across multiple years.
Root Program Governance
Root program oversight coverage has declined sharply, with Chrome covering only 18.4% of 2025's 223 incidents and Mozilla covering 9.9%, down from 67.8% and 78.0% respectively in 2019. Microsoft provided zero substantive oversight responses across the entire 1,714-bug corpus despite maintaining 142 exclusive roots in its trust store. This declining engagement creates enforcement gaps where incidents in the operational risk profile go unaddressed, particularly affecting the 80 long-tail CAs that operate below the threshold of consistent root program attention.
Root program oversight coverage as a percentage of all CA compliance bugs: Chrome covered 67.8% in 2019 and 18.4% in 2025. Mozilla covered 78.0% in 2019 and 9.9% in 2025. Microsoft has made 0 governance comments on other CAs' compliance incidents across 1,714 total bugs.
CA/B Forum Ecosystem Participation
56 CA/B Forum members include only 21 active contributors, with 35 members making zero ballot contributions and creating a silent majority that leaves governance in the hands of a small core. Stephen Davidson leads individual participation with 36 ballots proposed, while Sectigo is the most active organizational contributor. This participation gap means that ballot development since 2022 has produced 0 substantive changes to the regulatory obligations framework despite the compliance surface reaching 6,651 requirements, reflecting governance gridlock in an ecosystem where operational readiness continues to decline.
Of 56 CA/Browser Forum CA members, 21 have recorded community contributions and 35 have made no recorded public contribution to Bugzilla, ballot proposals, or bug filing.
Most active organizations: Sectigo, DigiCert, HARICA, Let's Encrypt, iSigma.
Geographic Distribution
US-incorporated CAs dominate the WebPKI with 89% of global issuance despite representing only 16 of 95 trusted CAs. European CAs account for 48 operators but hold just 11% issuance share, while Asia-Pacific's 17 CAs collectively represent 0.04% of the market. This geographic concentration creates infrastructure dependency on US-based entities and exposes the global WebPKI to jurisdiction-specific legal and regulatory frameworks that could compel certificate issuance or revocation.
- United States: 16 CAs, 89.0% of certificate issuance
- Europe: 48 CAs, 10.9% of certificate issuance
- Asia-Pacific: 17 CAs, 0.0% of certificate issuance
- Americas: 3 CAs, 0.0% of certificate issuance
- Middle East / Africa: 6 CAs, 0.0% of certificate issuance
Government-Operated Certificate Authorities
32 government-operated or state-owned CAs hold trust store inclusion but account for only 0.05% of issuance, representing latent capacity rather than active market participation. These government CAs span regions including China, Russia, and Europe, raising questions about oversight independence and potential use for state surveillance or traffic interception. Their minimal current usage masks the technical capability to issue trusted certificates at scale if activated by state directive.
32 government-operated or state-owned Certificate Authorities hold trust in major browser root stores, accounting for 0.1% of certificate issuance.
Machine-readable dataset (JSON, ~68K tokens, updated daily)