Certificate Authority Market Share 2026: Top SSL CAs Ranked
Certificate authority market share in 2026: Let's Encrypt issues 54.5% of web certificates, Google Trust 13.5%, Sectigo 11.2%. Fresh CT-log data.
Published •17 min read
Let's Encrypt is the largest certificate authority in 2026, issuing 54.5% of all web certificates. It runs well ahead of Google Trust Services at 13.5%, Sectigo at 11.2%, and Amazon Trust Services at 9.2%. Free, automated authorities now issue roughly 77% of every certificate, close to a full reversal of the paid market that ruled a decade ago.
Certificate authority market share in 2026, at a glance
I pulled the numbers for this report straight from Cloudflare Radar's Certificate Transparency feed and worked out each authority's share by hand, from the raw certificate counts. I'm a data analyst at TechnologyChecker, so I spend most of my week inside technographic data, and my first instinct was to check the public issuance ranking against what our own crawl actually finds on live domains. Both views point the same way. Across roughly 4.55 billion certificates issued in the 28 days to 19 June 2026, one authority issues more than half of them.
Certificate authority market share is the split of the world's SSL/TLS certificates among the organizations that issue them. Here is how 2026 ranks by issuance:
| Rank | Certificate Authority | Issuance share | Type |
|---|---|---|---|
| 1 | Let's Encrypt (ISRG) | 54.5% | Free, automated (DV) |
| 2 | Google Trust Services | 13.5% | Free (Google / Cloudflare) |
| 3 | Sectigo (formerly Comodo) | 11.2% | Commercial |
| 4 | Amazon Trust Services | 9.2% | Free (AWS) |
| 5 | GoDaddy | 4.8% | Commercial |
| 6 | DigiCert | 3.5% | Commercial (enterprise) |
| 7 | Microsoft | 1.7% | Platform |
| 8 | SSL.com | 1.1% | Commercial |
| 9 | IdenTrust | 0.2% | Legacy / cross-sign |
| — | Other | 0.3% | — |
Look past the order and one fact dominates. Three of the top four authorities, Let's Encrypt, Google Trust Services, and Amazon Trust Services, hand out certificates for free, automated from request to renewal. Between them they issue 77.2% of everything.
Let's Encrypt is the largest certificate authority by a wide margin
At 54.5% of issuance, Let's Encrypt alone issues more certificates than every other authority combined. The reasons aren't mysterious. Its certificates are free, issuance runs automatically over the ACME protocol, and the certificates expire fast, so every domain gets re-issued many times a year. That last part inflates the raw count, which is why its issuance lead runs even wider than its footprint on live sites.
That footprint is big on its own. When I pulled our detection data, our crawl finds Let's Encrypt on 7.66 million live domains, with another 9.2 million that used it before. The churn base outnumbers the live one, which is exactly what you'd expect from a certificate that rotates every few weeks. The United States is the biggest single market we see at 945,862 domains, then the United Kingdom (239,848) and Brazil (204,774).
Let's Encrypt's own numbers run higher still. The project reports serving 762 million websites, up from 492 million a year earlier, and more than 7 billion certificates issued since 2015. None of these figures contradicts the others. Issuance volume, live-site detection, and a project's own global tally each measure something different, which is the whole reason "Let's Encrypt market share" turns up as four separate numbers.
Why every source quotes a different "market share"
This is the trap in most certificate-authority comparisons. "Market share" has no single definition, and four common lenses give four different numbers for the same authority. A percentage only means something once you know which lens produced it.
| Lens | What it measures | Source | Let's Encrypt figure |
|---|---|---|---|
| Issuance share | Certificates issued in a period | Cloudflare Radar CT logs (Jun 2026) | 54.5% |
| Deployment share | Websites using each CA (known-CA sites) | w3techs | ~68% |
| Detection footprint | Live domains where the CA is detected | TechnologyChecker crawl | 7.66M |
| Global reach | The CA's own reported total | Let's Encrypt | 762M sites |
Issuance share counts certificates, so it rewards authorities that re-issue often, and short-lived automated certs inflate it. Deployment share counts websites instead, which is why a tracker like w3techs puts Let's Encrypt near 68% of the sites whose authority it can name. Detection footprint counts the live domains where a crawler actually sees the authority. Global reach is whatever the authority reports about itself. Every one of them is correct. They answer different questions.
From Comodo to Let's Encrypt: how the SSL market flipped
Search "certificate authority market share" today and the top results still crown Comodo, quoting press releases from 2015. They aren't wrong, just a decade out of date. In February 2015, Comodo claimed 36.4% of the market and Symantec held 31.2%. Back then a domain-validated certificate cost money and took manual steps to install.
Two things ended that era. Let's Encrypt launched late in 2015 and made automated DV certificates free. Then in 2018, browsers distrusted Symantec's certificate business over mis-issuance, and its operations were sold to DigiCert. Comodo rebranded to Sectigo the same year and now issues 11.2%, a third of its old share. Symantec, once the leader, has dropped off the chart.
| Certificate Authority | 2015 (then-leading trackers) | 2026 (issuance share) | Direction |
|---|---|---|---|
| Let's Encrypt | ~0% (launched late 2015) | 54.5% | ▲ |
| Comodo → Sectigo | 36.4% | 11.2% | ▼ |
| Symantec | 31.2% | distrusted (2018) | ▼ |
| Google Trust | — | 13.5% | ▲ |
| Amazon Trust | — | 9.2% | ▲ |
Our own crawl shows the same shift from the demand side, and this is the part issuance logs can't see: who left whom. The biggest flows into Let's Encrypt come from paid certificate brands. 15,848 domains switched over from GeoTrust SSL, 13,412 from RapidSSL, 12,868 from Cloudflare SSL, 8,319 from GlobalSign, and 5,128 from AlphaSSL. The Internet Society's Changing of the Guard in the SSL certificate market lands on the same conclusion from a separate dataset.
| Previous CA | Domains that switched to Let's Encrypt |
|---|---|
| GeoTrust SSL | 15,848 |
| RapidSSL | 13,412 |
| Cloudflare SSL | 12,868 |
| GlobalSign | 8,319 |
| AlphaSSL | 5,128 |
Free vs paid CAs: the 77% that costs nothing
The real divide in 2026 runs between free and paid, not between brands. Let's Encrypt, Google Trust Services, and Amazon Trust Services issue 77.2% of certificates together, and none of them charges for a standard one. Google issues through Google Cloud and backs Cloudflare's universal SSL; Amazon issues through AWS Certificate Manager for anything inside its cloud. Host a site on a major platform and the certificate just shows up, free, as part of the setup.
That pushes paid authorities toward the work automation can't give away: organization validation, the last of the extended-validation business, private PKI, code signing, and certificate lifecycle management for big estates. DigiCert built its position on Symantec's old enterprise book and sits at 3.5% of issuance but a much larger slice of enterprise revenue. GoDaddy's certificate business holds 4.8%, and here our detection data adds something the issuance logs don't show: GoDaddy is bleeding. We track 658,705 live domains on GoDaddy certificates against 3.2 million that have already moved off, and the ones leaving mostly land on Cloudflare (26,247 of them) or Squarespace. Our crawl ranks GoDaddy fifth in its category at 4.51%, almost exactly the 4.8% Radar shows by issuance.
A commercial certificate market still exists as a revenue business. Analyst firms like MarketsandMarkets and Grand View Research size it in the hundreds of millions of dollars with steady growth. That market counts enterprise-services dollars, though, not certificates on the open web. By certificate count, free already won.
RSA vs ECDSA: the quiet crossover
Under the brand rankings, the cryptography itself passed a milestone. In June 2026, ECDSA certificates outnumber RSA for the first time at scale: 53.2% of new certificates use elliptic-curve keys, against 46.8% for RSA. Break it down by exact algorithm and one detail stands out. RSA SHA-256 is still the single most common signature at 44.8%, but the two ECDSA curves together pull ahead of it.
| Signature algorithm | Share of issuance |
|---|---|
| RSA SHA-256 | 44.8% |
| ECDSA SHA-384 | 31.0% |
| ECDSA SHA-256 | 22.3% |
| RSA SHA-384 | 2.0% |
Elliptic-curve keys are smaller and quicker to verify at the same security level, and the free automated authorities issue them by default, so ECDSA climbed as they grew. Our own certificate-transparency analysis caught ECDSA passing RSA back in May; the Radar data here shows the gap still widening through June.
The death of EV, and the rise of short-lived certificates
Two more shifts define the modern market, and they pull the same way: lighter validation, shorter lifetimes.
Extended Validation, the certificate that used to put a company name in a green address bar, has all but vanished from issuance. Domain-validated certificates are 96.4% of the total, organization-validated 3.6%, and EV just 0.001%, about 46,000 certificates out of 4.55 billion. Browsers dropped the EV name display years ago, and issuance followed them down.
Lifetimes fell at the same time. Most certificates now last between 47 and 100 days, and a growing slice live a week or less. That only works because issuance is automated. With the industry heading toward a 47-day cap by 2029, this curve keeps sliding toward the short end.
| Certificate lifetime | Share of issuance |
|---|---|
| 47–100 days | 81.5% |
| 100–200 days | 12.2% |
| 7 days or less | 5.0% |
| 10–47 days | 1.2% |
| Over 200 days | 0.08% |
Wildcard certificates, which cover every subdomain of a domain at once, are 29.3% of issuance. Common, but still a minority, now that per-host automated issuance removed most of the reason to buy one.
Certificates by TLD: .com leads, .dev punches above its weight
I also split the issuance by top-level domain, and second place is the interesting one. Among certificates with an identifiable TLD, .com takes 38.6%, which is no surprise. What is surprising is .dev sitting second at 16.2%, miles ahead of .net (7.6%) and .org (2.7%). The reason is a rule, not popularity. Every .dev domain is on the HSTS preload list, so browsers refuse to open one over plain HTTP. That forces a certificate onto every .dev site, and short lifetimes mean those certificates get re-issued over and over.
| TLD | Share of certificates |
|---|---|
| .com | 38.6% |
| .dev | 16.2% |
| .net | 7.6% |
| .org | 2.7% |
| .de | 2.4% |
| .io | 2.4% |
| .cn | 1.2% |
| .xyz | 1.1% |
| .uk | 1.0% |
The remaining 26.8% is spread across every other TLD. One more shift is worth a mention: about 1% of certificates now cover an IP address directly instead of a domain name, 45.7 million of them in this window. IP-address certificates only became practical once issuance went automated and short-lived, and they're turning up on CDNs and cloud load balancers that serve content straight from an address.
What a website's certificate reveals about its tech stack
A certificate is one of the most reliable signals we have for working out the technology behind a website, and it comes from the same data that sets market share: the issuer and the Subject Alternative Names (SANs). A wildcard certificate from a platform's own authority, or a SAN set shared across thousands of tenants, gives away the host behind a custom domain even when the page itself shows nothing. That's why we score certificate issuer and SAN evidence at 95%+ confidence, the same tier as DNS and well above anything we read from frontend code.
Certificate Transparency logs do more than rank authorities. They're how we find sites at all. Every publicly trusted certificate gets appended to these open, append-only logs, and we read that stream around the clock. A certificate from a known platform's authority triggers domain discovery and queues a crawl, often before the site is linked or indexed anywhere. And because SANs routinely list subdomains, one certificate for app.example.com surfaces a property a homepage crawl would never find.
What actually moves certificate authority market share
Market share here moves for structural reasons, not marketing. Price and automation do most of the work. A free certificate issued in seconds over ACME beats anything that needs payment or manual steps, every time. Platform integration compounds it, because Google, Amazon, and Cloudflare ship certificates as a built-in feature, so their share tracks their cloud footprint rather than any sales effort.
Two forces set the limits. Browser root programs decide which authorities are trusted at all, so a place in Apple, Microsoft, Mozilla, and Google's root stores is the ceiling on anyone's reach, and removal is the fastest way to lose it. Symantec found that out in 2018. Shrinking lifetimes do the rest. As the maximum drifts toward 47 days, manual issuance stops being workable, and more of the market has no real choice but to automate.
How to choose a certificate authority in 2026
For most sites, the market already chose. Use the free automated authority your host or CDN gives you. On Cloudflare, AWS, or Google Cloud, the certificate is provisioned and renewed for you. If you run your own servers, Let's Encrypt with an ACME client is the obvious default, for the same reasons it leads the market.
Paying still makes sense in a few cases. Organization-validated certificates where a verified legal identity is a compliance requirement. Private PKI for internal services. Certificate lifecycle management when you're juggling thousands of certificates at once. Real needs, but a small share of sites.
The one thing I'd weigh is concentration. With three free authorities issuing 77% of certificates, the web leans on a handful of operators and root programs. For most teams the automation is worth it. For critical infrastructure, it's a reason to keep some CA agility, so you can switch issuers fast if one gets distrusted or goes down.
Methodology and data sources
I computed the issuance shares from Cloudflare Radar's Certificate Transparency dataset (the ct/summary endpoints) over the 28 days from 22 May to 19 June 2026, about 4.55 billion certificates. Radar returns raw certificate counts per dimension, so I took each authority's count over the total, then did the same for signature algorithm, validation level, lifetime, wildcards, TLD, and IP-address coverage. TLD shares are computed over the certificates with an identifiable registrable TLD (about 1.9 billion of the window's total), since not every certificate maps cleanly to one.
Three caveats matter. This is issuance share, the count of certificates issued in the window, not the stock of live certificates and not the share of websites. A CA that issues short-lived certificates gets counted again at every renewal. The data also reflects what Cloudflare sees of the public CT logs, a large sample but not the entire web. And the detection figures, the live domains, churn, and country splits, come from our own crawl on the dates noted, which is a separate measurement from CT issuance. For how the logging itself works, see our Certificate Transparency report. Third-party figures (w3techs deployment share, Let's Encrypt's own totals, the 2015 Comodo numbers) are attributed where they appear.
Source: Cloudflare Radar,
radar/ct/summary(radar.cloudflare.com), 22 May to 19 June 2026. Detection and migration data: TechnologyChecker crawl, March to April 2026.
Frequently asked questions
What is the market share of SSL certificates by CA in 2026?
By issuance, Let's Encrypt leads with 54.5% of web certificates, followed by Google Trust Services (13.5%), Sectigo (11.2%), Amazon Trust Services (9.2%), GoDaddy (4.8%), and DigiCert (3.5%), based on Cloudflare Radar Certificate Transparency data for June 2026.
Which is the largest certificate authority?
Let's Encrypt is the largest certificate authority in 2026, issuing 54.5% of all web certificates, more than the next three CAs combined. It overtook the field after launching free, automated certificates in 2015.
What is the hierarchy of certificate authorities?
Certificate authorities work as a chain of trust with three levels. A root CA sits at the top, and its certificate is what browsers and operating systems ship in their trust stores. Root keys stay offline, so the root signs one or more intermediate CAs, and those intermediates issue the leaf (end-entity) certificates that go on actual websites. A browser trusts a site certificate by following the chain from leaf to intermediate to a trusted root.
What companies use Let's Encrypt?
Let's Encrypt is used across every size and sector rather than by a handful of big names, which is what you'd expect from a free, automated CA. Our crawl detects it on 7.66 million live domains, weighted toward the United States (945,862 domains), the United Kingdom, Brazil, France, and the Netherlands. It's the default certificate for anything served behind an ACME-enabled stack or reverse proxy, from solo projects to large platforms.
Who finances Let's Encrypt?
Let's Encrypt is run by the Internet Security Research Group (ISRG), a California nonprofit. It's funded by corporate sponsors and donations rather than by charging for certificates, which is why issuance is free. That sponsor-funded, nonprofit model is a big part of why no commercial CA has managed to undercut it on price.
Why do different sites report Let's Encrypt at 54%, 64%, or 68%?
Because they measure different things. 54.5% is issuance share (certificates issued), w3techs' roughly 68% is deployment share (websites using the CA), and Let's Encrypt's own 762 million is its global site reach. Each is correct for its own definition.
Is Let's Encrypt safe to use for a production website?
Yes. Let's Encrypt certificates use the same encryption and are trusted by the same browser root programs as paid certificates. The only differences are price (free), automation (issued via ACME), and validation level (domain-validated), and none of those affects the strength of the encryption.
What happened to Comodo and Symantec?
Comodo's certificate business rebranded to Sectigo in 2018 and now issues 11.2% of certificates, down from a 2015 peak near 36%. Symantec's CA operations were distrusted by browsers in 2018 over mis-issuance and were sold to DigiCert.
Are most certificate authorities free now?
By certificate volume, yes. The three free, automated CAs, Let's Encrypt, Google Trust Services, and Amazon Trust Services, issue about 77% of all certificates. Paid CAs concentrate on organization validation, private PKI, and enterprise services.
What is the difference between DV, OV, and EV certificates?
Domain Validated (DV) certificates verify control of a domain and are 96.4% of issuance. Organization Validated (OV) certificates also verify a legal entity (3.6%). Extended Validation (EV) certificates add the strictest identity checks but now account for just 0.001% of issuance, after browsers stopped displaying the EV company name.
Why are SSL certificates getting shorter?
Shorter lifetimes limit the damage from a compromised or mis-issued certificate, and they force automation. In 2026, 81.5% of certificates live 47 to 100 days, and the industry is moving toward a 47-day maximum by 2029, which only works when issuance is automated, favoring CAs like Let's Encrypt even further.
Emma Davies
Data Analyst
