Defaults.Exposed

Defaults.Exposed › Reports

Who Issues the Web's TLS Certificates? Two Free CAs Now Own 75% (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data: the issuing CA of every certificate we observed, family-merged (e.g. intermediates folded into their parent), across 197 million certificates. See how we grade.

Free, automated certificates have taken over the web: two free CAs now issue 74.7% of all TLS certificates. Across 197 million certificates, Let's Encrypt alone accounts for 57.2% and Google Trust Services for 17.6%. The paid-certificate market that defined the first two decades of HTTPS has been displaced by free, API-issued certs — a quiet but enormous shift in who underpins web encryption.

The certificate authority league table

Share of observed certificates by issuing CA, as of 2026-06-29:

Certificate authorityShareModel
Let's Encrypt57.2%Free, automated
Google Trust Services17.6%Free, automated
GoDaddy12.0%Registrar/host bundled
Sectigo4.2%Commercial
DigiCert2.0%Commercial

The top two — both free — issue 74.7% between them. Add the registrar/host-bundled certs in third place and a clear majority of the encrypted web is on certificates nobody paid for directly.

Why this happened

Two forces converged: Let’s Encrypt made certificates free and scriptable in 2015, and the ACME protocol let hosts auto-issue and auto-renew them with no human in the loop. Google, Cloudflare, Amazon and the big hosting platforms then baked free issuance into their stacks. The result is that for most site owners a certificate is now an invisible default — provisioned and renewed automatically — rather than an annual purchase.

What the concentration means

Frequently asked questions

Which certificate authority is the most used? Let's Encrypt, at 57.2% of all observed certificates as of 2026-06-29 — followed by Google Trust Services at 17.6%.

Are free certificates as secure as paid ones? For domain-validated TLS — the encryption and browser trust — yes; a free Let’s Encrypt cert and a paid DV cert are cryptographically equivalent. Paid CAs differentiate on organisation validation, warranties and support, not on the strength of the encryption.

Is it risky that two CAs issue most certificates? It centralises trust and operational risk, but both leaders are well-run and the automation has measurably improved certificate hygiene across the web. The systemic-risk concern is real but has so far been outweighed by the reliability gains.

Does my certificate’s CA affect my security grade? No — the grade looks at whether your certificate is valid and trusted, not who issued it. A free, valid cert scores the same as a paid one.

Check your certificate is valid and trusted

The issuer doesn’t matter for your grade — validity does. Check your domain free and private.

Check your domain → · The certificate error report → · Why does my site say “Not Secure”? → · Aggregate data only. Data stored and processed in the EU.