We Analyzed 8.7 Billion SSL Certificates in Q1 2026 to Detect Technologies No One Else Can See

We process 80% of global CT logs — 8.7B certificates in Q1 2026 — to detect backend technologies invisible to competitors. See the full Q1 2026 CA market share, RSA vs ECDSA trends, and what certificates reveal about tech stacks.


The internet issued 10,940,896,117 SSL/TLS certificates in Q1 2026 — January through March. That's roughly 1,407 certificates every second. As CTO of TechnologyChecker.io, I lead the engineering team that processes approximately 80% of all global certificate transparency log data — about 8.7 billion certificate records in Q1 2026 alone — as part of our technology detection pipeline. This gives us direct visibility into the infrastructure decisions behind every HTTPS connection on the web, and it's the most technically demanding part of our entire technology lookup stack.

Key findings from our Q1 2026 SSL certificate transparency analysis:

  • 10.94 billion certificates logged in Q1 2026, down 8.3% from Q4 2025 (11.94B), according to Cloudflare Radar Certificate Transparency
  • Let's Encrypt controls 54.4% of all issuance, down sharply from 63.0% in Q4 2025, while Sectigo/ZeroSSL surged 41.2%
  • ECDSA now accounts for 42.9% of all certificates, up from 34.5% in Q4 2025 — gaining 8.4 percentage points in a single quarter
  • 86.6% of certificates have 47-100 day lifetimes (the 90-day standard)
  • 96.8% are Domain Validated (DV), and only 188,610 used Extended Validation
  • Microsoft Corporation certificates grew 500% quarter-over-quarter, signaling explosive Azure adoption
  • Microsoft Azure now leads .net with 39.1M certificates, overtaking ZeroSSL on the enterprise TLD

This report breaks down the full SSL certificate transparency data for Q1 2026: who issues these certificates, which cryptographic algorithms dominate, what durations are standard, and why these shifts matter for website operators, security teams, and anyone selling into the infrastructure layer. I've spent 15 years building large-scale data systems — including five years on Google's Search team working on crawling and indexing infrastructure — and after architecting TechnologyChecker.io's detection pipeline that scans 50 million+ domains monthly, I can say with confidence that certificate transparency logs are among the richest and most underused signals in technology intelligence. Our competitors, as we've documented in our BuiltWith alternatives analysis, still rely primarily on frontend signals. They're missing the infrastructure layer entirely.

How many SSL certificates are issued per quarter in 2026?

Quarterly SSL certificate issuance volume chart showing 10.94 billion certificates in Q1 2026

In Q1 2026 (January 1 through March 31), certificate transparency logs recorded 10,940,896,117 new SSL/TLS certificates. The previous quarter (Q4 2025, October through December) logged 11,936,202,619, an 8.3% quarter-over-quarter decrease. That still translates to over 121.6 million certificates per day, or roughly 3.65 billion per month.

Certificate transparency has been mandatory for all publicly trusted certificates in Chrome since April 2018. Every certificate issued by a public CA gets recorded in append-only logs that anyone can audit. Our team at TechnologyChecker.io uses CT logs to identify hosting infrastructure and CDN providers across 50 million+ domains we scan monthly. It's one of our most reliable data sources.

Why does this matter beyond security? Certificate metadata tells you things that JavaScript fingerprinting can't. Which CA a company picked. Which algorithm. Whether they use wildcards. How often they rotate. These choices map directly to cloud providers and automation maturity.

According to Mordor Intelligence, the global Certificate Authority market is valued at $232.27 million in 2026 and projected to reach $396.58 million by 2031, growing at 11.32% CAGR. The sheer volume of certificate issuance we're tracking confirms this isn't slowing down.

Who are the largest Certificate Authorities in 2026?

Certificate Authority market share breakdown showing ISRG Let's Encrypt at 54.4 percent

Ten organizations control most of the global certificate issuance. We pulled this from Cloudflare Radar certificate transparency data for Q1 2026 (January 1 through March 31):

| CA Owner | Q1 2026 Volume | Market Share | Q4 2025 Volume | QoQ Change |
| --- | --- | --- | --- | --- |
| ISRG (Let's Encrypt) | 5,950,304,369 | 54.4% | 7,522,440,330 | -20.9% |
| Google Trust Services | 1,822,660,520 | 16.7% | 1,789,579,382 | +1.8% |
| Sectigo (ZeroSSL) | 1,282,502,173 | 11.7% | 908,374,971 | +41.2% |
| DigiCert | 720,653,324 | 6.6% | 557,862,457 | +29.2% |
| GoDaddy | 643,592,385 | 5.9% | 630,672,950 | +2.0% |
| Amazon Trust Services | 417,009,827 | 3.8% | 325,676,379 | +28.1% |
| IdenTrust Services | 28,566,186 | 0.3% | 44,309,999 | -35.5% |
| SSL.com | 28,464,106 | 0.3% | 129,257,108 | -78.0% |
| Microsoft Corporation | 20,647,114 | 0.2% | 3,439,582 | +500.3% |
| GlobalSign | 12,049,799 | 0.1% | 11,905,002 | +1.2% |

Four trends stand out:

Let's Encrypt is losing market share fast. Down from 63.0% in Q4 2025 to 54.4% in Q1 2026 — an 8.6 percentage point drop in a single quarter. In absolute terms, ISRG issued 1.57 billion fewer certificates than the prior quarter. That said, renewal timing and short-lived certificate rotation cause natural quarter-to-quarter swings, and Q4 historically sees elevated issuance due to year-end infrastructure provisioning. Still, a 20.9% volume decline is the sharpest quarterly drop we've tracked.

Sectigo/ZeroSSL is surging. Up 41.2% quarter-over-quarter to nearly 1.28 billion certificates. They've firmly established themselves as the third-largest CA owner, now closer to Google Trust Services than ever. ZeroSSL has been pushing hard on free tier expansion and hosting panel integrations, and it's paying off.

Microsoft grew 500%. From 3.4 million to 20.6 million certificates — a six-fold increase in one quarter. That tracks with Microsoft Azure's accelerating cloud adoption. When we see a Microsoft Corporation CA on a domain, it almost always means ASP.NET infrastructure behind it.

SSL.com collapsed 78%. From 129 million to 28 million certificates. The sharpest decline of any CA in our dataset. This likely reflects a shift in hosting panel defaults or a large customer migration away from SSL.com-issued certificates.

We feed CA distribution directly into our detection engine. Amazon Trust Services certificates mean AWS. Google Trust means GCP. Microsoft Azure CAs mean Azure. It's not a guess. Competitors focused on frontend JavaScript detection can't do this.

What are the top issuing Certificate Authorities by volume?

Top issuing Certificate Authorities by volume with Let's Encrypt R12 and R13 leading

Parent CA owners operate multiple issuing CAs. Looking at the issuing level reveals the RSA-to-ECDSA shift happening in real time:

| Issuing CA | Parent | Q1 2026 Volume | Q4 2025 Volume | QoQ Change |
| --- | --- | --- | --- | --- |
| R13 (RSA) | Let's Encrypt | 1,960,588,084 | 2,905,069,879 | -32.5% |
| R12 (RSA) | Let's Encrypt | 1,960,257,397 | 2,905,245,239 | -32.5% |
| WE1 | Google Trust | 1,424,115,916 | 1,423,591,197 | +0.04% |
| E7 (ECDSA) | Let's Encrypt | 993,860,966 | 855,590,883 | +16.2% |
| E8 (ECDSA) | Let's Encrypt | 993,801,264 | 855,528,023 | +16.2% |
| ZeroSSL ECC Domain Secure | Sectigo | 914,291,444 | 605,099,820 | +51.1% |
| Go Daddy Secure CA - G2 | GoDaddy | 507,520,723 | 623,930,701 | -18.7% |
| Encryption Everywhere DV TLS CA - G2 | DigiCert | 394,932,862 | 304,795,907 | +29.6% |
| WR1 | Google Trust | 287,764,146 | 271,986,877 | +5.8% |
| Sectigo Public Server Auth CA DV E36 | Sectigo | 250,466,591 | 196,006,151 | +27.8% |

The pattern is dramatic. Let's Encrypt's RSA issuers (R12 and R13) each dropped over 32% while their ECDSA issuers (E7 and E8) grew 16.2%. ZeroSSL's ECC (ECDSA) issuer surged 51.1%, the fastest growth of any major issuing CA. The migration from RSA to elliptic curve cryptography is accelerating faster than ever, and Q1 2026 data makes that undeniable.

Why should you care about which issuing CA shows up on a domain? Because it tells you more than "this site has HTTPS." An R13 certificate means Let's Encrypt RSA, and that correlates heavily with WordPress on shared hosting. A ZeroSSL ECC Domain Secure certificate usually means Cloudflare-integrated hosting. The issuing CA narrows the backend down before we even look at HTTP headers.

What is the single point of failure risk for Let's Encrypt?

Visualization of Let's Encrypt single point of failure risk with 54.4 percent market share

ISRG (the parent of Let's Encrypt) issues 54.4% of all SSL/TLS certificates on the internet. One organization controls certificate issuance for more than half the web. That concentration creates real risk — though notably, it's trending in the right direction, down from 63.0% in Q4 2025.

Let's Encrypt certificates have 90-day lifetimes, which means millions need to be renewed every single day. The renewal process is automated through ACME clients like Certbot, and that automation works well. Until it doesn't.

Here's the problem: most ACME client configurations don't include automatic failover to an alternative CA. If Let's Encrypt experiences an extended outage, or a policy change forces revocation at scale (as happened with their CAA rechecking bug in March 2020, which affected 3 million certificates), millions of sites would face certificate expiry with no automated backup plan.

For security teams and site reliability engineers, this is worth tracking. At TechnologyChecker.io, we monitor CA distribution across domains as part of our infrastructure resilience assessment. A client running 100% of their properties on a single CA has a different risk profile than one distributing across two or three providers. We surface this data as part of our technology detection data intelligence.

I'm not saying Let's Encrypt is unreliable. They've built impressive infrastructure. But 54.4% market concentration in any system deserves attention. The good news is that the Q1 data shows the ecosystem is naturally diversifying — Sectigo, DigiCert, and Amazon are all gaining ground. Diversification isn't paranoia. It's engineering.

Which Certificate Authorities dominate which TLDs?

TLD-level Certificate Authority distribution showing Microsoft Azure leading dot net

TLD-level CA distribution doesn't get much attention, but it should. We queried TLD-specific certificate transparency data for Q1 2026 and the results reveal some major shifts:

| TLD | #1 CA | Volume | #2 CA | Volume | Key Insight |
| --- | --- | --- | --- | --- | --- |
| .com | ZeroSSL ECC Domain Secure | 250.4M | R13 (Let's Encrypt) | 180.8M | ZeroSSL leads the most popular TLD by 1.4:1 |
| .org | R13 (Let's Encrypt) | 17.1M | R12 (Let's Encrypt) | 17.1M | ZeroSSL (17.1M) now virtually tied with LE |
| .io | R13 (Let's Encrypt) | 18.0M | R12 (Let's Encrypt) | 18.0M | Microsoft Azure emerges at #3 with 9.8M |
| .net | Microsoft Azure RSA TLS CA 04 | 39.1M | ZeroSSL ECC Domain Secure | 34.3M | Microsoft Azure now leads .net |
| .dev | WE1 (Google Trust) | 65.3M | Amazon RSA 2048 M04 | 32.4M | Amazon combined (64.7M) nearly matches Google |

Several things jumped out compared to our previous analysis:

ZeroSSL still dominates .com with 250.4 million certificates, about 1.4x Let's Encrypt's 180.8 million on the same TLD. The gap has narrowed from the 2:1 ratio we reported earlier, suggesting Let's Encrypt is making gains on .com specifically even as it loses overall market share. This dynamic is partly driven by Cloudflare's integration with Sectigo/ZeroSSL for their universal SSL product.

Microsoft Azure now leads .net. This is the biggest TLD-level shift in our Q1 data. Microsoft Azure RSA TLS CA 04 alone issued 39.1 million certificates on .net, taking the #1 position from ZeroSSL (34.3 million). When we detect a Microsoft Azure CA on a .net domain, the probability of an ASP.NET backend exceeds 85%. We've validated that number by cross-referencing with HTTP header analysis.

Microsoft Azure has arrived on .io. The developer/startup TLD that was previously almost entirely Let's Encrypt now shows Microsoft Azure RSA TLS CA 04 at #3 with 9.8 million certificates. This signals a meaningful shift in the startup and SaaS ecosystem toward Azure hosting, a trend our detection pipeline has been picking up since late 2025.

Google and Amazon are neck-and-neck on .dev. Google Trust's WE1 issuer leads with 65.3 million certificates, while Amazon RSA issuers combine for 64.7 million. The .dev TLD (operated by Google) was once clearly Google territory, but Amazon's near-equal presence confirms it's a fully multi-cloud TLD.

The .org TLD is now a three-way tie. Let's Encrypt R13 (17.1M), R12 (17.1M), and ZeroSSL ECC Domain Secure (17.1M) are virtually tied. The non-profit/open-source TLD that was once exclusively Let's Encrypt territory is diversifying fast.

These TLD-CA correlations feed directly into our tech stack predictions. You can't get this from scanning HTML source code.

What percentage of certificates use RSA versus ECDSA in 2026?

RSA versus ECDSA certificate distribution showing 57.1 percent RSA and 42.9 percent ECDSA

The shift from RSA to ECDSA accelerated dramatically in Q1 2026:

| Algorithm | Q1 2026 Volume | Q1 Share | Q4 2025 Share |
| --- | --- | --- | --- |
| RSA | 6,243,519,896 | 57.1% | 65.5% |
| ECDSA | 4,697,372,632 | 42.9% | 34.5% |

ECDSA gained 8.4 percentage points in a single quarter — the fastest adoption acceleration we've ever measured. At this rate, ECDSA will surpass RSA before the end of 2026. The signature algorithm breakdown tells a more detailed story:

| Signature Algorithm | Volume | Share |
| --- | --- | --- |
| RSA SHA-256 | 6,003,644,343 | 54.9% |
| ECDSA SHA-384 | 2,932,695,042 | 26.8% |
| ECDSA SHA-256 | 1,713,070,602 | 15.7% |
| RSA SHA-384 | 291,179,995 | 2.7% |
| RSA SHA-512 | 302,495 | ~0% |
| RSA SHA-1 | 51 | ~0% |

Only 51 certificates used SHA-1 in the entire quarter. SHA-1 is effectively dead for TLS.

The technical advantages of ECDSA are measurable. A 256-bit ECDSA key provides equivalent security to a 3,072-bit RSA key, with much smaller certificate sizes. According to SSL.com's ECDSA vs RSA comparison, ECDSA delivers 5-10x faster TLS handshakes and lower bandwidth consumption. That speed difference (100-300 milliseconds per handshake) matters for Largest Contentful Paint. Sites near the 2.5-second LCP threshold can pass or fail Core Web Vitals based on their certificate algorithm alone.

Algorithm choice tells us a lot about the infrastructure behind a domain. ECDSA with SHA-384 usually means modern cloud hosting and automated certificate management. RSA SHA-256 is more common on legacy hosting and shared environments where nobody changed the defaults.

I've been tracking this shift since we first started processing CT logs at scale. The Q1 2026 data confirms what we predicted: ECDSA is on track to overtake RSA within the next two to three quarters. The ZeroSSL ECC issuer's 51.1% growth rate and Let's Encrypt's E7/E8 ECDSA issuers growing while R12/R13 RSA issuers decline are the strongest leading indicators.

How long do SSL certificates last in 2026?

Certificate duration distribution showing 86.6 percent in the 47-100 day range

Certificate lifetimes tell you how automated an organization's infrastructure is:

| Duration | Q1 2026 Volume | Share |
| --- | --- | --- |
| 47-100 days | 9,477,167,467 | 86.6% |
| 100-200 days | 902,478,436 | 8.2% |
| 200+ days | 433,534,930 | 4.0% |
| 10-47 days | 46,196,184 | 0.4% |
| 3-7 days | 42,917,542 | 0.4% |
| 3 days or less | 38,321,360 | 0.4% |
| 7-10 days | 280,198 | ~0% |

The 90-day certificate (47-100 day bucket) dominates at 86.6%. This is the standard for Let's Encrypt, Google Trust Services, and ZeroSSL. These three CAs together represent over 82% of the market, so their 90-day default sets the industry norm.

The 38.3 million certificates with lifetimes of 3 days or less are primarily from CDN providers. Cloudflare, for example, rotates edge certificates very frequently as part of their security model. When we detect ultra-short-lived certificates on a domain, it's a reliable signal for CDN-fronted architecture.

The 433.5 million certificates lasting 200+ days (4.0% of total) represent a shrinking segment that will decline rapidly now that the CA/Browser Forum's new policy has taken effect. According to SSL.com, effective March 11, 2026, the maximum duration of SSL/TLS certificates was reduced to 200 days under the new CA/Browser Forum ballot, with further reductions to 47 days planned by 2029. The 100-200 day bucket grew from 4.1% in Q4 2025 to 8.2% in Q1 2026, as CAs shift issuance from the 200+ day bracket down to comply with the new maximum.

Certificate duration tells us about automation maturity. 90-day certificates with ACME renewal? Modern deployment practices, almost guaranteed. 200+ day certificates? Manual renewal, or a hosting provider that bundles long-lived certs — and a segment that's about to be forced into modernization. The correlation is strong enough that we use it as a detection signal.

What validation levels do certificates use?

Certificate validation level distribution showing 96.8 percent Domain Validated

The validation level data confirms what many of us in the security industry have been saying for years: Extended Validation is effectively dead.

| Validation Level | Q1 2026 Volume | Share |
| --- | --- | --- |
| Domain Validated (DV) | 10,594,309,303 | 96.83% |
| Organization Validated (OV) | 345,285,805 | 3.16% |
| Unknown | 1,112,399 | 0.01% |
| Extended Validated (EV) | 188,610 | 0.002% |

Only 188,610 Extended Validation certificates were issued out of 10.94 billion total in Q1 2026. That's 0.002%. Chrome and Firefox removed the green address bar for EV certificates in 2019-2020, and usage has cratered since. Users can't visually distinguish DV from EV in modern browsers, which eliminates the primary value proposition EV certificates once offered.

From an SEO perspective, HTTPS is a confirmed Google ranking signal (since 2014), but there's no differentiation between DV, OV, and EV. A free Let's Encrypt DV certificate has the same ranking value as a $1,000 EV certificate. The Google Content Warehouse API leak revealed hasSecureUrl as a binary attribute. It's on or off. No bonus for spending more.

OV certificates at 3.16% serve a different purpose. They're used by organizations that need verified identity in their certificate metadata, often for compliance requirements in finance, healthcare, and government. This is one of our detection signals: an OV certificate on a financial services domain correlates with regulated industry infrastructure.

How do wildcard certificates factor into the market?

Wildcard versus non-wildcard certificate distribution showing 29.6 percent wildcard usage

Nearly a third of all certificates are wildcards:

| Wildcard Status | Q1 2026 Volume | Share |
| --- | --- | --- |
| Without wildcards | 7,705,305,886 | 70.4% |
| With wildcards | 3,235,590,231 | 29.6% |

A wildcard certificate (*.example.com) covers all subdomains under a single domain. 29.6% is a lot. It tells us that nearly a third of the web runs multi-subdomain architectures: enterprise SaaS platforms, CDN providers, organizations with multiple customer-facing services under one domain.

We use wildcards as a detection input. A wildcard from Amazon Trust Services using ECDSA? Almost always AWS-hosted SaaS on Application Load Balancers. A wildcard from Let's Encrypt using RSA? More likely WordPress multisite or shared hosting. The CA + algorithm + wildcard combination narrows the stack prediction fast.

The wildcard split also tells us about operational maturity. Managing dozens of subdomains with individual certificates is expensive. Wildcards mean centralized infrastructure management, which correlates with DevOps practices and infrastructure-as-code. When we see wildcards, we know the team has invested in automation.

What do certificate expiration patterns reveal?

Certificate validity status showing 95.9 percent currently valid for Q1 2026 certificates

As of early April 2026, the vast majority of Q1 2026 certificates remain valid:

| Status | Q1 2026 Volume | Share |
| --- | --- | --- |
| Valid | 10,492,396,419 | 95.9% |
| Expired | 448,499,698 | 4.1% |

The 448.5 million certificates that have already expired include ultra-short-lived CDN certificates (38.3 million were 3 days or less at issuance) and early-January certificates approaching the end of their 90-day validity windows. That's roughly 5 million certificates expiring per day — every one a potential problem. Browser warnings scare visitors. API integrations break. Google Search Console flags the domain.

For us, expired certificates are useful in a different way. When a domain's certificates consistently lapse, it's a leading indicator of the domain going dark or changing ownership. We track that as part of our infrastructure health signals.

By contrast, Q4 2025 certificates show 91% already expired when viewed today — which is expected, since most 90-day certificates from October-December 2025 have naturally reached the end of their validity by April 2026. This confirms the rapid rotation cycle that defines modern certificate management.

What does certificate entry type data show?

Certificate entry type breakdown showing 66.5 percent final certificates and 33.5 percent pre-certificates

Certificate transparency logs accept two types of entries: final certificates and pre-certificates.

| Entry Type | Q1 2026 Volume | Share |
| --- | --- | --- |
| Certificate | 7,279,390,912 | 66.5% |
| Pre-certificate | 3,661,505,205 | 33.5% |

Pre-certificates get submitted to CT logs before the final certificate is issued, as defined in RFC 6962. The 33.5% pre-certificate rate increased from 30.5% in Q4 2025, indicating improving CT ecosystem health. CAs submitting pre-certificates let monitors catch misissued certificates before they go live.

Why do we care? Pre-certificates give us advance notice. New domains, new certificates being provisioned, often hours or days before anything goes live. That early signal feeds into our real-time detection pipeline.
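The certificate versus pre-certificate split above is read from the entry type field inside each log leaf. The following is an added example, not TechnologyChecker.io's pipeline code: a parser for the RFC 6962 v1 MerkleTreeLeaf structure that a log returns as `leaf_input`, run over constructed leaves whose certificate bodies are placeholder bytes.

```python
import base64
import struct
from collections import Counter

# LogEntryType values from RFC 6962, section 3.1
ENTRY_NAMES = {0: "certificate", 1: "pre-certificate"}


def read_opaque(buf: bytes, pos: int, len_bytes: int):
    """Read a TLS-style length-prefixed byte string; return (value, new_pos)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    size = int.from_bytes(buf[pos:pos + len_bytes], "big")
    start, end = pos + len_bytes, pos + len_bytes + size
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[start:end], end


def parse_merkle_tree_leaf(leaf: bytes) -> dict:
    """Decode a v1 MerkleTreeLeaf (the 'leaf_input' from a get-entries call)."""
    if len(leaf) < 12:
        raise ValueError("leaf shorter than its fixed header")
    # version(1) | leaf_type(1) | timestamp in ms(8) | entry_type(2), big-endian
    version, leaf_type, timestamp_ms, entry_type = struct.unpack_from(">BBQH", leaf)
    if version != 0 or leaf_type != 0:
        raise ValueError("not a v1 timestamped_entry leaf")
    if entry_type not in ENTRY_NAMES:
        raise ValueError(f"unknown entry type {entry_type}")
    pos, issuer_key_hash = 12, None
    if entry_type == 1:
        # A pre-certificate entry carries SHA-256(issuer public key) before
        # the TBSCertificate bytes.
        issuer_key_hash = leaf[pos:pos + 32]
        if len(issuer_key_hash) != 32:
            raise ValueError("truncated issuer_key_hash")
        pos += 32
    body, pos = read_opaque(leaf, pos, 3)        # ASN.1Cert or TBSCertificate
    extensions, pos = read_opaque(leaf, pos, 2)  # CtExtensions
    if pos != len(leaf):
        raise ValueError("trailing bytes after leaf")
    return {"entry_type": ENTRY_NAMES[entry_type], "timestamp_ms": timestamp_ms,
            "issuer_key_hash": issuer_key_hash, "body": body,
            "extensions": extensions}


def build_leaf(entry_type: int, timestamp_ms: int, body: bytes,
               issuer_key_hash: bytes = b"") -> bytes:
    """Encode a leaf; used only to construct the sample data below."""
    return (struct.pack(">BBQH", 0, 0, timestamp_ms, entry_type)
            + issuer_key_hash
            + len(body).to_bytes(3, "big") + body
            + (0).to_bytes(2, "big"))


def entry_type_share(leaf_inputs_b64) -> dict:
    """Share of each entry type across base64-encoded leaf_input values."""
    counts = Counter(parse_merkle_tree_leaf(base64.b64decode(x))["entry_type"]
                     for x in leaf_inputs_b64)
    total = sum(counts.values())
    if not total:
        return {}
    return {name: counts[name] / total for name in ENTRY_NAMES.values()}


# Constructed sample: placeholder DER (not a real certificate), arbitrary
# timestamps, and an all-zero issuer key hash for the pre-certificate.
PLACEHOLDER_DER = bytes.fromhex("3003020101")
SAMPLE_LEAVES = [
    base64.b64encode(build_leaf(0, 1767225600000, PLACEHOLDER_DER)).decode(),
    base64.b64encode(build_leaf(1, 1767225660000, PLACEHOLDER_DER, bytes(32))).decode(),
    base64.b64encode(build_leaf(0, 1767225720000, PLACEHOLDER_DER)).decode(),
]

if __name__ == "__main__":
    for name, share in entry_type_share(SAMPLE_LEAVES).items():
        print(f"{name}: {share:.1%}")
```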

Why certificate transparency data matters for technology detection

Diagram showing how certificate transparency data feeds into TechnologyChecker technology detection

This is where we do something nobody else does. We processed about 8.7 billion certificate records in Q1 2026 from CT logs. That's roughly 80% of all global CT log data — nearly 2.9 billion per month. No competitor touches this data.

Here's what CT data actually tells our detection engine:

CA selection maps to hosting providers. Amazon Trust Services = AWS. Microsoft Azure CAs = Azure. Google Trust Services = GCP. We've validated these mappings across millions of domains by cross-referencing with DNS records and HTTP headers. It's deterministic, not probabilistic.

Algorithm choices reveal platform age. ECDSA with modern hash algorithms? Updated platform, automated certificate management. RSA SHA-256 on a long-lived certificate? Probably a legacy system nobody's touched in a while.

Certificate duration tells us about automation. 90-day certs with ACME renewal mean modern DevOps. 200+ day manually managed certs mean something very different — and with the new 200-day maximum taking effect, these legacy holdouts are being forced to modernize.

Wildcard patterns expose architecture. A wildcard paired with specific CA and algorithm metadata tells us if a domain runs microservices, a CDN-fronted monolith, or a multi-tenant SaaS platform.

TLD-CA correlations predict stacks. Microsoft Azure CA on a .net domain? Over 85% confidence it's an ASP.NET backend. Let's Encrypt on a .io domain with certain HTTP headers? We can narrow the stack to a handful of candidates. Microsoft Azure now appearing on .io domains at scale? That's a signal of Azure's expanding reach into the startup ecosystem.

Most technology detection platforms check frontend signals: JavaScript libraries, HTML meta tags, cookies, and HTTP headers. Those are valid signals, and we use them too. But they miss the infrastructure layer entirely. You can't see from a page's HTML whether it's hosted on AWS or Azure. You can't tell from a JavaScript bundle whether the organization uses automated certificate management. Backend services like n8n — workflow automation tools that never expose a single line of client-side code — are completely invisible to frontend-only scanners. Our CT log pipeline, combined with DNS and header analysis, detects these backend technologies across thousands of domains. Certificate transparency data gives us that infrastructure visibility, and it's a major reason our technology detection covers 40,000+ technologies while competitors top out at a fraction of that depth.

I've led the engineering effort on this SSL certificate transparency data pipeline since we started building it over two years ago. Drawing on my experience designing crawling infrastructure at Google Search, we architected a distributed stream processing system that handles nearly 2.9 billion records per month. The engineering cost is significant, but the detection accuracy gains are worth it. This is original data and analysis that can't be replicated by scraping homepages.

How does HTTPS adoption affect SEO rankings?

HTTPS impact on SEO rankings showing it functions as a baseline requirement

HTTPS has been a confirmed Google ranking signal since 2014. But the relationship between certificates and search rankings is more specific than most guides acknowledge.

HTTPS is a baseline, not a differentiator. According to SSL Dragon, 88% of websites now use SSL/TLS certificates. With that level of adoption, having HTTPS doesn't give you a competitive edge. Not having it penalizes you. The Google Content Warehouse API leak revealed hasSecureUrl as a binary attribute. There's no gradient. It's simply present or absent.

Expired certificates actively hurt rankings. When a certificate expires, browsers display interstitial warnings. Visitors bounce. Those bounces register as badClicks in Google's NavBoost system, which directly demotes pages. An expired certificate doesn't just lose your HTTPS signal. It creates negative engagement signals that compound over time.

Mixed content degrades rankings. A page served over HTTPS that loads images, scripts, or stylesheets over HTTP triggers mixed content warnings. Modern browsers block some mixed content entirely, which can break page functionality and increase Core Web Vitals errors. Google's crawlers check for this.

CA choice doesn't affect rankings. A Let's Encrypt DV certificate and a DigiCert EV certificate have identical ranking value. Google doesn't differentiate between CAs or validation levels for search purposes.

TLS configuration affects Core Web Vitals indirectly. ECDSA certificates with TLS 1.3 produce faster handshakes than RSA with TLS 1.2. The difference is 100-300 milliseconds. For sites near the 2.5-second LCP threshold, that can mean passing or failing Core Web Vitals. We track this in our analytics detection pipeline because sites optimizing for performance tend to adopt modern TLS configurations alongside their frontend optimizations. With ECDSA adoption at 42.9% and accelerating, more sites are benefiting from these performance gains.

For B2B sales teams using technographic data, certificate configuration is a qualifying signal. An organization running ECDSA with automated renewal is more likely to be a mature technology buyer with real budget for developer tools.

Will SSL/TLS certificates last 47 days max by 2029?

Yes. The CA/Browser Forum has approved a phased reduction in maximum certificate lifetimes. According to SSL.com, certificates already dropped to a 200-day maximum as of March 11, 2026. The timeline moves to 100 days by 2027 and 47 days by 2029.

This will force every organization to adopt automated renewal. Manual certificate management can't handle 47-day rotations at scale. The 86.6% of certificates already at 90-day lifetimes won't feel much impact since they're already automated. The 12.2% at 100+ days will need to modernize. Our Q1 data already shows this transition in progress: the 100-200 day bracket doubled from 4.1% (Q4 2025) to 8.2% (Q1 2026) as CAs shift issuance away from 200+ day certificates.

For us, shorter lifetimes mean better data. A domain rotating certificates every 47 days gives us 8 data points per year instead of 1 (for annual certs). More data points mean we can detect technology stack changes, hosting migrations, and infrastructure upgrades faster.
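For a team checking its own estate against the phased maximums above and the single-CA concentration point made earlier, here is an added example (not code from this report or from TechnologyChecker.io). It buckets certificate lifetimes using the duration table's ranges, flags which of the page's stated maximums each certificate exceeds, and reports issuer share. The record field names follow crt.sh JSON output as an assumption, the records are constructed, and treating each bucket's upper bound as inclusive is also an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Lifetime buckets from the duration table; inclusive upper bounds are an
# assumption, since the table does not state its boundaries.
BUCKETS = [(3, "3 days or less"), (7, "3-7 days"), (10, "7-10 days"),
           (47, "10-47 days"), (100, "47-100 days"), (200, "100-200 days")]

# Maximum lifetimes in days, keyed by the year this page gives for each phase.
PHASED_MAXIMUMS = [("2026", 200), ("2027", 100), ("2029", 47)]


def lifetime_days(record: dict) -> float:
    start = datetime.fromisoformat(record["not_before"])
    end = datetime.fromisoformat(record["not_after"])
    return (end - start).total_seconds() / 86400


def bucket(days: float) -> str:
    for upper, label in BUCKETS:
        if days <= upper:
            return label
    return "200+ days"


def issuer_org(issuer_name: str) -> str:
    """Extract O= from a DN string (simple match; escaped commas unsupported)."""
    match = re.search(r"(?:^|,\s*)O=([^,]+)", issuer_name)
    return match.group(1).strip() if match else "unknown"


def has_wildcard(record: dict) -> bool:
    # name_value holds the certificate's DNS names, one per line
    return any(n.startswith("*.") for n in record["name_value"].splitlines())


def audit(inventory: list) -> dict:
    if not inventory:
        raise ValueError("empty inventory")
    rows = []
    for rec in inventory:
        days = lifetime_days(rec)
        rows.append({
            "name": rec["common_name"],
            "issuer": issuer_org(rec["issuer_name"]),
            "days": days,
            "bucket": bucket(days),
            "wildcard": has_wildcard(rec),
            # phases whose maximum this certificate's lifetime would exceed
            "exceeds": [year for year, cap in PHASED_MAXIMUMS if days > cap],
        })
    issuers = Counter(r["issuer"] for r in rows)
    return {
        "rows": rows,
        "issuer_share": {org: n / len(rows) for org, n in issuers.items()},
        "top_issuer": issuers.most_common(1)[0][0],
        "single_ca": len(issuers) == 1,  # no second CA already in use
    }


# Constructed inventory for example.com (not real certificates).
SAMPLE_INVENTORY = [
    {"common_name": "www.example.com", "name_value": "www.example.com",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R13",
     "not_before": "2026-01-10T00:00:00", "not_after": "2026-04-10T00:00:00"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "issuer_name": "C=US, O=Let's Encrypt, CN=E7",
     "not_before": "2026-02-01T00:00:00", "not_after": "2026-05-02T00:00:00"},
    {"common_name": "api.example.com", "name_value": "api.example.com",
     "issuer_name": "C=US, O=DigiCert Inc, CN=Encryption Everywhere DV TLS CA - G2",
     "not_before": "2025-11-01T00:00:00", "not_after": "2026-11-30T00:00:00"},
    {"common_name": "edge.example.com", "name_value": "edge.example.com",
     "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
     "not_before": "2026-03-01T00:00:00", "not_after": "2026-03-04T00:00:00"},
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for row in report["rows"]:
        print(row["name"], row["issuer"], row["bucket"], row["exceeds"])
    print("issuer share:", report["issuer_share"])
```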

What are certificate transparency logs?

Certificate transparency logs are append-only, cryptographically verifiable records of every SSL/TLS certificate issued by participating Certificate Authorities. Defined by RFC 6962, CT logs were designed to make certificate issuance auditable. If a CA issues a fraudulent or unauthorized certificate for your domain, CT logs provide a public record that monitoring tools can detect.

According to Secybers, there are over 40 active CT logs maintained by organizations including Google, Cloudflare, DigiCert, and others as of 2026. Major logs include Google's Argon, Xenon, and Icarus shards, Cloudflare's Nimbus, and DigiCert's Yeti and Nessie logs.

We ingest data from most of these logs. Processing nearly 2.9 billion records per month requires distributed stream processing, and we've built custom ingestion pipelines that parse certificate metadata in real time: CA information, algorithm details, domain names, validity periods. All of it gets cross-referenced with our DNS resolution, HTTP header analysis, and JavaScript fingerprinting systems.

What tools are available for certificate transparency monitoring?

Several tools provide certificate transparency search and monitoring capabilities, though at very different scales:

These tools serve different purposes. For individual domain monitoring, crt.sh and Cert Spotter work well. For aggregate analysis at our scale (80% of global CT log data, 50 million+ domains), there's nothing off-the-shelf. We built our pipeline from scratch.

According to CSC Global research, 60% of businesses use three or more SSL providers, and 72% of respondents didn't know the details of upcoming certificate lifetime changes. That gap between complexity and awareness is exactly where monitoring tools and technology intelligence platforms provide value.

Methodology

The data in this report comes from Cloudflare Radar Certificate Transparency monitoring, accessed on April 2, 2026. The primary analysis period covers Q1 2026 (January 1 through March 31, 2026), with quarter-over-quarter comparisons against Q4 2025 (October 1 through December 31, 2025).

Cloudflare Radar monitors major CT logs including Google's Argon, Xenon, and Icarus shards, Cloudflare's Nimbus logs, and DigiCert's Yeti and Nessie logs. TLD-specific data was queried separately through the same interface. A minor data pipeline interruption was noted on January 5-6, 2026 but does not materially affect quarterly totals.

TechnologyChecker.io's CT data processing ingests about 80% of global CT log data (roughly 8.7 billion certificate records in Q1 2026, or nearly 2.9 billion per month). Our pipeline cross-references CT data with DNS records, HTTP headers, JavaScript fingerprints, and HTML patterns across 300 million+ unique domains to detect 40,000+ technologies. All proprietary detection data in this report comes from our internal systems. Market share and volume figures come from Cloudflare Radar.

Certificate Authority market valuations are sourced from Mordor Intelligence (January 2026 report). SSL certificate adoption statistics are from SSL Dragon, sourcing data from January 2026. Enterprise SSL usage statistics are from CSC Global's published research.