Who Issues the Most SSL Certificates? What Certificate Transparency Data Reveals (2026)

When researching SSL certificates, you'll encounter various statistics about which Certificate Authorities (CAs) issue the most certificates. These numbers can be misleading without proper context. This guide explains how SSL issuance data is collected, what it actually represents, and how to use it when making informed decisions about your website's security.

What Is Certificate Transparency and Why It Exists

Certificate Transparency (CT) is a security standard that creates an open, auditable record of every SSL/TLS certificate issued by publicly-trusted Certificate Authorities. Developed by Google engineers starting in 2013, CT addresses a fundamental problem: before its existence, there was no reliable way to detect when a CA issued an unauthorized or fraudulent certificate.

How CT Logs Work

When a CA issues a certificate, it must submit the certificate to multiple independent CT logs before the certificate can be used. These logs are:

• Append-only – Once a certificate is logged, it cannot be removed or modified
• Cryptographically verifiable – Merkle tree structures ensure log integrity
• Publicly accessible – Anyone can query and monitor the logs
• Operated by multiple organizations – Google, Cloudflare, DigiCert, and others run independent logs

Browser Enforcement

Major browsers enforce CT requirements, rejecting certificates that aren't properly logged:

• Google Chrome – Required since 2018 for all certificates
• Apple Safari – Required for all certificates trusted by Apple platforms
• Microsoft Edge – Follows Chrome's CT policies
• Mozilla Firefox – Enforcing CT for Extended Validation certificates

This browser enforcement means CT data represents a near-complete picture of publicly-trusted certificate issuance—far more reliable than self-reported vendor statistics or marketing claims.

How SSL Certificate Issuance Is Measured (And Why It's Tricky)

Understanding SSL certificate statistics requires knowing what's actually being counted—and the significant caveats that come with different measurement approaches.

Issued vs. Active Certificates

A critical distinction exists between certificates issued and certificates currently active:

• Issued certificates – Total count of all certificates ever created, including expired ones
• Active certificates – Only certificates currently valid and in use

A CA issuing short-lived certificates will show much higher issuance numbers than one issuing longer-validity certificates, even if they secure the same number of websites.

The Re-issuance Factor

Every time a certificate is renewed, it counts as a new issuance. Consider two scenarios:

This means a CA with 90-day certificates will appear to issue 4x more certificates than a CA with annual certificates, even if they secure identical numbers of domains.

Automation Amplification

Automated certificate management (using ACME protocol) makes frequent renewal seamless. Organizations using automation often issue certificates:

• For every deployment or container instance
• With aggressive renewal schedules (e.g., renewing at 60 days remaining)
• For ephemeral environments that spin up and down frequently

This amplifies issuance counts far beyond what's needed to simply "secure websites."

What Public CT Data Shows About SSL Certificate Authorities

Certificate Transparency logs reveal clear patterns in how the SSL market is structured. Rather than focusing on specific percentages (which fluctuate and require careful methodology to calculate accurately), we can identify consistent trends reported across multiple research sources.

High-Level Market Patterns

Industry surveys and CT log analysis from sources like Netcraft, Censys, and academic researchers consistently show these patterns:

Volume vs. Value Distinction

CT data shows that free/automated CAs dominate volume metrics (certificates issued), while commercial CAs dominate value metrics (revenue, enterprise contracts, OV/EV issuance). These are different market segments serving different needs.

According to industry surveys, the OV and EV certificate market—which represents a small fraction of total certificates issued—accounts for a disproportionately large share of industry revenue. This is because these certificates:

• Require organizational vetting (staff time and verification processes)
• Include warranty protection
• Come with support services
• Often include multi-year subscription pricing

Why "Most Issued SSL Certificates" Does NOT Mean "Best Choice"

High issuance volume indicates automation and free pricing—not necessarily that a CA is the best fit for your needs. Here's why issuance statistics shouldn't drive your decision:

DV, OV, and EV Serve Different Purposes

Certificate validation levels exist for specific reasons:

• Domain Validation (DV) – Proves domain control only. Fast, automated, suitable for blogs, personal sites, and internal applications. All free certificates are DV.
• Organization Validation (OV) – Proves domain control plus verifies the organization exists. Required for many business contexts and compliance frameworks.
• Extended Validation (EV) – Most rigorous vetting of organization identity. Required by some regulations; provides highest trust signals.

A CA that issues millions of DV certificates isn't competing in the OV/EV market. Comparing their issuance numbers directly is comparing different products.

Encryption Is the Same

All properly-issued SSL certificates—free or paid, DV or EV—provide identical encryption strength. The cryptographic protection of your users' data doesn't depend on which CA issued the certificate or how much you paid.

What differs is:

• Identity verification level
• Warranty protection against CA errors
• Support availability
• Certificate management features
• Compliance certifications

Business Context Matters

Choosing a certificate based on "most issued" is like choosing a car based on "most units sold." The best-selling vehicle might be an economy car—perfect for some, completely wrong for others. Your requirements should drive the decision:

• Do you need organizational identity verification?
• Are you subject to compliance requirements specifying CA types?
• Do you need warranty protection?
• Can you fully automate certificate management?
• Do you need vendor support?

How Shorter SSL Lifetimes Are Changing Issuance Statistics

The SSL industry is undergoing a significant shift as the CA/Browser Forum mandates progressively shorter certificate lifetimes. This fundamentally changes how we should interpret issuance statistics.

The Lifetime Reduction Timeline

Per CA/Browser Forum Ballot SC-081, maximum certificate lifetimes are being reduced:

• Current (2025): 398 days maximum
• March 2026: 200 days maximum
• March 2027: 100 days maximum
• March 2029: 47 days maximum

For detailed coverage of these changes and how to prepare, see our comprehensive guide to 2026 SSL certificate lifetime changes.

Impact on Certificate Counts

When 47-day certificates become mandatory, the same website will require approximately 8x more certificate issuances per year compared to today's 398-day certificates. This means:

• Raw issuance counts will skyrocket across all CAs
• Year-over-year "growth" in certificates issued will largely reflect shorter lifetimes, not market share gains
• Comparisons between 2025 and 2030 issuance data will be meaningless without normalization

Why This Matters for Your Research

If you're evaluating CAs and encounter statistics about issuance volume:

• Check when the data was collected
• Ask whether the comparison accounts for different certificate lifetimes
• Consider whether "certificates issued" or "unique domains secured" is the relevant metric
• Recognize that automation capability will become more important than raw volume

How to Use SSL Issuance Data When Choosing a Certificate

Rather than choosing based on "who issues the most," use a structured decision framework based on your actual requirements.

Interpreting Market Data Correctly

When reviewing SSL statistics and research:

• Distinguish volume from market segments – High DV issuance doesn't indicate OV/EV capability
• Consider certificate lifetime – Short-lived certificates inflate issuance counts
• Look at methodology – How was the data collected and normalized?
• Check the source – CT logs and academic research are more reliable than vendor marketing
• Match to your needs – A CA's popularity doesn't mean it's right for you

Where to Learn More About SSL Certificate Options

To make an informed decision about SSL certificates, we recommend exploring these resources:

Understanding Certificate Types

• DV vs OV vs EV Certificate Comparison – Understand validation levels and use cases
• SSL Certificate Pricing Guide – What affects SSL prices and how to budget
• Top Certificate Authorities Compared – Feature comparison of major CAs

Technical Resources

• SSL Tools – Check certificates, generate CSRs, and more
• Certificate Management Guide – Best practices for managing certificates
• 2026 Certificate Lifetime Changes – Prepare for shorter validity periods

External Resources

• CA/Browser Forum – Official industry standards body
• crt.sh Certificate Search – Explore Certificate Transparency logs
• Let's Encrypt Statistics – Transparency data from the largest free CA