WebPKI Observatory
Quantitative analysis of the Certificate Authority ecosystem that underpins TLS on the public internet. Data updated daily from Certificate Transparency logs, CCADB, Mozilla Bugzilla, and CA/Browser Forum records. Last updated 2026-06-18.
CA Market Share
Five CAs control 93% of certificate issuance, with Internet Security Research Group leading at 39.2%, followed by Google Trust Services at 18.5% and DigiCert at 13.3%. The three-firm concentration ratio stands at 71.11%, while the Herfindahl-Hirschman Index of 2324 indicates moderate concentration by antitrust standards. Despite 90 trusted CAs in root stores, the remaining 76 tail CAs collectively represent less than 7% of the market, creating a stark division between dominant operators and marginal participants.
- Internet Security Research Group: 39.2% of unexpired certificates
- Google Trust Services LLC: 18.5% of unexpired certificates
- DigiCert: 13.3% of unexpired certificates
- Sectigo: 11.0% of unexpired certificates
- GoDaddy: 10.9% of unexpired certificates
The top 3 CAs account for 71.1% of all certificate issuance. The top 5 account for 93.0%. Herfindahl-Hirschman Index (HHI): 2,324 (above 2,500 is considered highly concentrated). 90 Certificate Authorities are currently trusted by at least one major root program.
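To make the concentration figures reproducible, here is an added example (not part of the observatory's own tooling) that computes the CR-n ratios and the HHI from the five shares listed above. The page does not list the tail CAs, so the example models the residual share two ways, spread evenly over the other trusted CAs and held entirely by one CA, and reports the HHI as a range; both the even-tail assumption and the 90-CA count are taken as inputs, not measured here.

```python
"""CR-n and HHI concentration metrics over a CA market-share table."""

# Constructed input: the five shares listed on the page, in percent of
# unexpired certificates. The tail is not listed, so it is modelled below.
TOP_SHARES = {
    "Internet Security Research Group": 39.2,
    "Google Trust Services LLC": 18.5,
    "DigiCert": 13.3,
    "Sectigo": 11.0,
    "GoDaddy": 10.9,
}
TRUSTED_CA_COUNT = 90  # number of trusted CAs stated on the page


def concentration_ratio(shares, n):
    """CR-n: combined share (percent) of the n largest issuers."""
    return round(sum(sorted(shares, reverse=True)[:n]), 2)


def hhi(shares):
    """Herfindahl-Hirschman Index: sum of squared percentage shares (0..10,000)."""
    return round(sum(s * s for s in shares), 2)


def with_even_tail(top_shares, total_cas):
    """Append the residual share, split evenly across the CAs not listed.

    Assumption for illustration only: an even split minimises the tail's
    contribution to HHI, so this yields a lower bound.
    """
    top_shares = list(top_shares)
    tail_total = 100.0 - sum(top_shares)
    tail_count = total_cas - len(top_shares)
    return top_shares + [tail_total / tail_count] * tail_count


def hhi_bounds(top_shares, total_cas):
    """Lower/upper bound on HHI when only the largest shares are known.

    Lower bound: tail spread evenly.  Upper bound: the whole tail held by a
    single CA (maximises the squared term).
    """
    top_shares = list(top_shares)
    tail_total = 100.0 - sum(top_shares)
    lower = hhi(with_even_tail(top_shares, total_cas))
    upper = hhi(top_shares + [tail_total])
    return lower, upper


def classify(h):
    """Bucket an HHI using the threshold the page cites (above 2,500 = high)."""
    return "highly concentrated" if h > 2500 else "not highly concentrated"


if __name__ == "__main__":
    shares = TOP_SHARES.values()
    print("CR3 =", concentration_ratio(shares, 3))
    print("CR5 =", concentration_ratio(shares, 5))
    print("HHI (top five only) =", hhi(shares))
    lo, hi = hhi_bounds(shares, TRUSTED_CA_COUNT)
    print(f"HHI bounds with tail modelled: {lo} .. {hi} -> {classify(hi)}")
```

The top-five shares alone give an HHI just under 2,300; the page's 2,324 falls inside the bounds once the tail is accounted for, which is a quick consistency check to run when the shares are refreshed.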
CA Compliance Incidents
CAs have disclosed 1,480 incidents across 54 CAs, with misissuance (586 incidents) and governance failures (457) representing the dominant categories. Only 23% of incidents are self-detected, while external researchers, automated tools, and root programs collectively discover the majority, indicating structural gaps in internal controls. Policy failures (169 incidents) and disclosure failures (120) reveal compliance opacity, while audits detect only 8% of incidents despite their role as the primary external validation mechanism, a gap examined in detail in the audit intelligence findings.
1,480 compliance incidents across 54 Certificate Authorities have been publicly documented in Mozilla Bugzilla since 2014.
- Misissuance: 586 incidents (40%)
- Governance: 457 incidents (31%)
- Revocation: 315 incidents (21%)
- Validation: 122 incidents (8%)
Of these incidents: 169 involved CAs violating their own documented policies, 120 involved failure to disclose issues on time, and 107 were discovered by auditors rather than by the CA itself.
Who discovers CA compliance incidents: root programs find 4%, automated tools (CT log monitors, linters) find 17%, and CAs' own monitoring accounts for only 23%.
CA Distrust Events
Sixteen distrust events across browser root programs reveal that negligent noncompliance (7 events) and compliance operations failures (14 events) drive the majority of trust removal decisions, rather than isolated incidents. Ten distrust events involved a pattern of issues rather than single failures, with a median runway of 1,185 days from final violation to full distrust. Three events were classified as willful circumvention and three as demonstrated incompetence, indicating a spectrum of CA postures toward compliance obligations that extends beyond accidental error.
16 Certificate Authorities have been removed from browser trust stores since 2011. 14 of these events involved compliance operations failures — inadequate incident response, concealment, or patterns of unresolved issues. 10 had documented recurring patterns of issues across multiple years.
Root Program Governance
Root program oversight coverage has collapsed from 67.8% (Chrome) and 78.0% (Mozilla) of incidents in 2019 to 18.4% and 9.9% respectively in 2025, with Apple at 5.4% and Microsoft at 0.0%. Chrome has logged 718 oversight bugs but substantive engagement in only 290, while Mozilla's 814 bugs include just 46 recent substantive actions, indicating declining review depth as incident volume scales. Microsoft's zero participation in public oversight creates a structural accountability gap for the 142 roots it uniquely trusts, while the overall decline suggests root programs cannot sustain coverage of the 223 incidents disclosed in 2025 alone.
Root program oversight coverage as a percentage of all CA compliance bugs: Chrome covered 67.8% in 2019 and 18.4% in 2025. Mozilla covered 78.0% in 2019 and 9.9% in 2025. Microsoft has made 0 governance comments on other CAs' compliance incidents across 1,755 total bugs.
CA/B Forum Ecosystem Participation
The CA/Browser Forum's 56 members include only 21 active contributors, while 35 organizations maintain zero-contribution membership. Sectigo leads organizational participation, while at the individual level Stephen Davidson has proposed 36 ballots and endorsed 1, showing how concentrated leadership is. This participation gap means ecosystem governance depends on a small subset of members, while the silent majority of CAs benefit from collective trust decisions without contributing to policy development, creating a free-rider dynamic that compounds the governance coverage decline.
Of 56 CA/Browser Forum CA members, 21 have recorded community contributions and 35 have made no recorded public contribution to Bugzilla, ballot proposals, or bug filing.
Most active organizations: Sectigo, DigiCert, HARICA, Let's Encrypt, iSigma.
Geographic Distribution
US-incorporated CAs issue 88.62% of certificates despite representing only 15 of 90 trusted CAs, while Europe hosts 45 CAs but produces just 11.31% of issuance. Asia-Pacific's 17 CAs contribute only 0.06% of volume, revealing extreme geographic concentration in both incorporation and market activity. This concentration intersects with jurisdiction risk, as the majority of certificate issuance operates under US legal frameworks including compelled disclosure obligations and extraterritorial surveillance authorities.
- United States: 15 CAs, 88.6% of certificate issuance
- Europe: 45 CAs, 11.3% of certificate issuance
- Asia-Pacific: 17 CAs, 0.1% of certificate issuance
- Americas: 3 CAs, 0.0% of certificate issuance
- Middle East / Africa: 6 CAs, 0.0% of certificate issuance
Government-Operated Certificate Authorities
Thirty government-operated or state-owned CAs hold root store inclusion but collectively issue only 0.05% of certificates, indicating their trust privileges far exceed their public web presence. These CAs primarily serve domestic government infrastructure and may operate under legal frameworks distinct from commercial operators, including sovereign immunity from certain compliance actions. Their presence in global root stores creates potential jurisdiction and governance conflicts, particularly for CAs incorporated in regions identified as high-risk for compelled disclosure or surveillance.
30 government-operated or state-owned Certificate Authorities hold trust in major browser root stores, accounting for 0.1% of certificate issuance.
Machine-readable dataset (JSON, ~68K tokens, updated daily)