Assessing SSL/TLS Certificate Centralization: Implications for Digital Sovereignty
Andrei Cordova Azevedo, Eder John Scheid, Muriel Figueredo Franco, Lisandro Zambenedetti Granville
TL;DR
This paper investigates SSL/TLS certificate centralization and its implications for digital sovereignty in BRICS and the EU. It proposes a measurement framework that collects certificate chains from CrUX-listed domains, extracts CA origins, and quantifies in-group versus foreign issuance, using a February 2025 dataset of roughly 232 thousand domains. Findings reveal a strong dominance of US-based CAs (about 75-78%) in both blocs, with the EU showing somewhat higher internal issuance (≈14%) than BRICS (≈2.4%), and a predominance of 90-day certificates from major CAs like Let's Encrypt. The work discusses policy and technical avenues—such as regional CAs and blockchain-based PKI—to enhance resilience and reduce external dependency, while acknowledging limitations and proposing future extensions to deeper certificate-chain levels and other network protocols.
Abstract
SSL/TLS is a fundamental technology in the network protocol stack that enables encrypted data transmission and authentication of web domains. However, the current model relies on a small number of Certificate Authorities (CAs) to provide and validate certificates, thus creating a highly centralized ecosystem. In this paper, we analyze the degree of centralization of certificate provisioning from CAs in two major political groups: Brazil, Russia, India, China, and South Africa (BRICS) and the European Union (EU). We have found that over 75% of certificates for both BRICS and EU domains originate from CAs based in the United States, indicating possible risks to their digital sovereignty due to the high level of external dependency. This indicates the need for nations within those groups to research alternatives to reduce the high level of dependency on foreign CAs and increase their digital autonomy.