WebPKI Observatory
Quantitative analysis of the Certificate Authority ecosystem that underpins TLS on the public internet. Data updated daily from Certificate Transparency logs, CCADB, Mozilla Bugzilla, and CA/Browser Forum records. Last updated 2026-04-29.
CA Market Share
Certificate issuance is highly concentrated among a small number of Certificate Authorities.
- Internet Security Research Group: 41.2% of unexpired certificates
- Google Trust Services LLC: 15.1% of unexpired certificates
- DigiCert: 13.8% of unexpired certificates
- GoDaddy: 12.9% of unexpired certificates
- Sectigo: 10.7% of unexpired certificates
The top 3 CAs account for 70.1% of all certificate issuance. The top 5 account for 93.7%. HHI concentration index: 2,416 (above 2,500 is considered highly concentrated). 95 Certificate Authorities are currently trusted by at least one major root program.
CA Compliance Incidents
CA compliance incidents are predominantly process and operations failures, not technical ones.
1,464 compliance incidents across 54 Certificate Authorities have been publicly documented in Mozilla Bugzilla since 2014.
- Misissuance: 581 incidents (40%)
- Governance: 451 incidents (31%)
- Revocation: 310 incidents (21%)
- Validation: 122 incidents (8%)
Of these incidents: 168 involved CAs violating their own documented policies, 118 involved failure to disclose issues on time, and 103 were discovered by auditors rather than by the CA itself.
Who discovers CA compliance incidents: root programs find 4%, automated tools (CT log monitors, linters) find 18%, and CAs' own monitoring accounts for only 23%.
CA Distrust Events
Browser distrust of a CA is the ultimate enforcement action in the WebPKI.
16 Certificate Authorities have been removed from browser trust stores since 2011. 14 of these events involved compliance operations failures — inadequate incident response, concealment, or patterns of unresolved issues. 10 had documented recurring patterns of issues across multiple years.
Root Program Governance
Root programs vary significantly in their oversight engagement.
Root program oversight coverage as a percentage of all CA compliance bugs: Chrome covered 67.8% in 2019 and 18.4% in 2025. Mozilla covered 78.0% in 2019 and 9.9% in 2025. Microsoft has made 0 governance comments on other CAs' compliance incidents across 1,737 total bugs.
CA/B Forum Ecosystem Participation
CABF member participation in community governance is highly concentrated.
Of 56 CA/Browser Forum CA members, 21 have recorded community contributions and 35 have made no recorded public contribution to Bugzilla, ballot proposals, or bug filing.
Most active organizations: Sectigo, DigiCert, HARICA, Let's Encrypt, iSigma.
Geographic Distribution
CA issuance is geographically concentrated.
- United States: 16 CAs, 88.9% of certificate issuance
- Europe: 48 CAs, 11.0% of certificate issuance
- Asia-Pacific: 17 CAs, 0.1% of certificate issuance
- Americas: 3 CAs, 0.0% of certificate issuance
- Middle East / Africa: 6 CAs, 0.0% of certificate issuance
Government-Operated Certificate Authorities
Government and state-owned CAs represent a distinct risk category.
31 government-operated or state-owned Certificate Authorities hold trust in major browser root stores, accounting for 0.1% of certificate issuance.
Machine-readable dataset (JSON, ~68K tokens, updated daily)