WebPKI Observatory
Quantitative analysis of the Certificate Authority ecosystem that underpins TLS on the public internet. Data updated daily from Certificate Transparency logs, CCADB, Mozilla Bugzilla, and CA/Browser Forum records. Last updated 2026-05-10.
CA Market Share
Issuance in the WebPKI is heavily concentrated: the top five CAs account for 93.6% of unexpired certificates. Internet Security Research Group (the operator of Let's Encrypt) leads at 40.8%, followed by Google Trust Services at 15.8%, DigiCert at 13.6%, GoDaddy at 12.5%, and Sectigo at 11.0%. The remaining 80 CAs in the tail collectively serve just 6.4% of the market. The Herfindahl-Hirschman Index (HHI) is 2,396, just under the 2,500 threshold conventionally used to mark a highly concentrated market, with the top three CAs holding 70.1% between them.
- Internet Security Research Group: 40.8% of unexpired certificates
- Google Trust Services LLC: 15.8% of unexpired certificates
- DigiCert: 13.6% of unexpired certificates
- GoDaddy: 12.5% of unexpired certificates
- Sectigo: 11.0% of unexpired certificates
The top 3 CAs account for 70.1% of all unexpired certificates; the top 5 account for 93.6%. HHI (sum of the squared percentage market shares): 2,396; above 2,500 is conventionally considered highly concentrated. 95 Certificate Authorities are currently trusted by at least one major root program.
CA Compliance Incidents
Certificate authorities have disclosed 1,466 incidents affecting 54 CAs. Misissuance leads with 583 cases, followed by 451 governance failures, 310 revocation issues, and 122 validation errors. Only 23% of incidents are detected by the CA itself; external researchers, automated tools, auditors, and root programs surface the rest. Cutting across those categories, 168 incidents involved a CA violating its own documented policies and 118 involved late disclosure, which points to weak internal controls and underreporting across the CA community.
1,466 compliance incidents across 54 Certificate Authorities have been publicly documented in Mozilla Bugzilla since 2014.
- Misissuance: 583 incidents (40%)
- Governance: 451 incidents (31%)
- Revocation: 310 incidents (21%)
- Validation: 122 incidents (8%)
Of these incidents, 168 involved CAs violating their own documented policies, 118 involved failure to disclose the problem on time, and 103 were discovered by the CA's auditor rather than by the CA itself. These counts cut across the four categories above.
Who discovers CA compliance incidents: root programs find 4%, automated tools (CT log monitors, certificate linters) find 18%, and the CA's own monitoring accounts for only 23%; the remainder are reported by external researchers, auditors, and other third parties.
CA Distrust Events
Sixteen distrust events have occurred across the CA ecosystem, and 14 of them stemmed from compliance and operational failures rather than cryptographic compromise. Seven cases involved negligent noncompliance, three willful circumvention of requirements, and three demonstrated incompetence; ten followed a pattern of repeated issues rather than a single incident. Browsers allow a median runway of 1,185 days between the distrust announcement and full enforcement, often phased by certificate issuance date, so a distrusted CA's existing certificates keep working for years after the decision.
16 Certificate Authorities have been removed from browser trust stores since 2011. 14 of these events involved failures of compliance operations: inadequate incident response, concealment, or patterns of unresolved issues. 10 had documented recurring issues across multiple years.
Root Program Governance
Root program oversight coverage has collapsed from 67.8% (Chrome) and 78.0% (Mozilla) of incidents in 2019 to 18.4% and 9.9% respectively in 2025; Apple's coverage has fallen to 5.4%, and Microsoft does not participate at all. Chrome has commented substantively on 290 of 718 oversight bugs, with 109 substantive interventions in the recent period; Mozilla shows 248 substantive comments across 813 bugs but only 46 recently. This withdrawal leaves most CA compliance incidents without a response from the trust store operators who grant root privileges, and shifts the enforcement burden to external researchers and automated monitoring.
Root program oversight coverage as a percentage of all CA compliance bugs: Chrome covered 67.8% in 2019 and 18.4% in 2025. Mozilla covered 78.0% in 2019 and 9.9% in 2025. Microsoft has made 0 governance comments on other CAs' compliance incidents across 1,739 total bugs.
CA/B Forum Ecosystem Participation
The CA/Browser Forum has 56 member organizations, but only 21 contribute actively and 35 show no participation in ballot or policy development. Sectigo leads organizational contribution, and a single individual, Stephen Davidson, has proposed 36 ballots while endorsing just 1, a sign of how concentrated policy leadership is. A small group of repeat participants therefore shapes the Baseline Requirements and technical standards for an ecosystem in which 80 tail CAs hold full trust privileges but contribute nothing to governance.
Of 56 CA/Browser Forum CA members, 21 have recorded community contributions and 35 have made no recorded public contribution to Bugzilla, ballot proposals, or bug filing.
Most active organizations: Sectigo, DigiCert, HARICA, Let's Encrypt, iSigma.
Geographic Distribution
United States-based CAs dominate the WebPKI: 16 organizations issue 88.6% of certificates worldwide, while 48 European CAs collectively issue 11.3%. Asia-Pacific CAs number 17 organizations but account for only about 0.05% of issuance, and the Americas (outside the US) and Middle East/Africa regions contribute negligible volume. This concentration means that U.S. legal jurisdiction, corporate governance norms, and regulatory oversight effectively govern nine out of ten HTTPS certificates.
- United States: 16 CAs, 88.6% of certificate issuance
- Europe: 48 CAs, 11.3% of certificate issuance
- Asia-Pacific: 17 CAs, 0.1% of certificate issuance
- Americas: 3 CAs, 0.0% of certificate issuance
- Middle East / Africa: 6 CAs, 0.0% of certificate issuance
Government-Operated Certificate Authorities
Thirty-one government-operated or state-owned CAs hold root trust despite issuing just 0.06% of public certificates. They span jurisdictions including China, Russia, Turkey, India, and several European nations, each subject to domestic legal frameworks that may compel surveillance or interception. The tiny issuance share masks the strategic risk: any CA with root trust can technically issue a browser-trusted certificate for any domain, so the relying party's defence is detection rather than prevention. Chrome and Safari only accept such a certificate if it carries SCTs from Certificate Transparency logs, so it will normally be publicly logged, but it goes unnoticed unless someone is monitoring those logs for the affected domains.
31 government-operated or state-owned Certificate Authorities hold trust in major browser root stores, accounting for 0.1% of certificate issuance.
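The detection control the preceding paragraph describes, as an added example that is not part of the Observatory or its dataset: a small CT monitor that takes certificate records in the JSON shape crt.sh returns (fields issuer_name, name_value, not_before, not_after, id), finds every unexpired certificate covering a domain you operate, and alerts when the issuer is not on that domain's allowlist. The monitored domain, the allowed CA organisation names, and the sample records (including the issuer "Example State CA") are constructed for the example; the optional fetch_crtsh helper uses crt.sh's public query URL and is not called here.

```python
import json
import urllib.request
from datetime import datetime

# Assumed inventory: domains we operate, mapped to the X.509 issuer O=
# values of the CAs we have authorised to issue for them.
MONITORED = {
    "example.com": {"Let's Encrypt", "DigiCert Inc"},
}

# Constructed sample records in crt.sh's JSON output shape. "Example State CA"
# is a made-up issuer standing in for a CA we never authorised.
SAMPLE_RECORDS = json.loads("""[
  {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
   "name_value": "example.com\\nwww.example.com",
   "not_before": "2026-03-01T00:00:00", "not_after": "2026-05-30T00:00:00"},
  {"id": 1002, "issuer_name": "C=XX, O=Example State CA, CN=Example State Root",
   "name_value": "*.example.com",
   "not_before": "2026-05-01T00:00:00", "not_after": "2027-05-01T00:00:00"},
  {"id": 1003, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert Example Issuing CA",
   "name_value": "mail.example.com",
   "not_before": "2024-01-01T00:00:00", "not_after": "2025-01-01T00:00:00"},
  {"id": 1004, "issuer_name": "C=XX, O=Example State CA, CN=Example State Root",
   "name_value": "unrelated.org",
   "not_before": "2026-05-01T00:00:00", "not_after": "2027-05-01T00:00:00"}
]""")


def issuer_org(issuer_dn):
    """Pull the O= value out of the comma-separated DN string crt.sh prints.
    Splitting on ', ' is adequate for CA names; a value that itself contains
    ', ' would need a real RFC 4514 parser."""
    for part in issuer_dn.split(", "):
        if part.startswith("O="):
            return part[2:]
    return None


def covers(san, domain):
    """True if a dNSName SAN applies to `domain` or anything beneath it.
    A wildcard *.example.com is treated as covering the example.com subtree."""
    san = san.lower()
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def find_unexpected_issuers(records, monitored, as_of):
    """Return one alert per unexpired certificate that names a monitored
    domain but was issued by a CA not on that domain's allowlist."""
    now = datetime.fromisoformat(as_of)
    alerts = []
    for rec in records:
        if datetime.fromisoformat(rec["not_after"]) < now:
            continue  # expired: no longer usable for interception
        sans = [n.strip() for n in rec["name_value"].split("\n") if n.strip()]
        org = issuer_org(rec["issuer_name"])
        for domain, allowed in monitored.items():
            if any(covers(s, domain) for s in sans) and org not in allowed:
                alerts.append({"cert_id": rec["id"], "domain": domain,
                               "issuer_org": org, "sans": sans})
    return alerts


def fetch_crtsh(domain):
    """Live lookup of logged certificates for a domain and its subdomains
    via crt.sh's JSON output (needs network; not called in this example)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for a in find_unexpected_issuers(SAMPLE_RECORDS, MONITORED, "2026-05-10T00:00:00"):
        print(f"ALERT crt.sh id={a['cert_id']} {a['domain']} "
              f"issued by {a['issuer_org']!r} for {a['sans']}")
```

Run against the sample, only record 1002 fires: the Let's Encrypt certificate is on the allowlist, the DigiCert one has expired, and the unrelated.org certificate does not cover a monitored domain. In production, replace SAMPLE_RECORDS with the output of fetch_crtsh (or a feed from a CT log monitor) and run it on a schedule; note that this catches a rogue certificate only after it has been logged and the monitor has polled, which is why the page treats monitoring as detection rather than prevention.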
Machine-readable dataset (JSON, ~68K tokens, updated daily)