CCADB Browser: Navigate CA Certificate Records Without the Pain

CCADB.org is the authoritative source for public CA data — but its raw interface was not built for quick lookups. This guide covers every feature of the CCADB Browser: search, trust-matrix filtering, inline chain linting, CPS verification, and audit review, all in one place.

What is the CCADB?

The Common CA Database (CCADB) is maintained by Mozilla on behalf of the root program community. It is the authoritative, public record of every CA certificate trusted — or previously trusted — by Apple, Chrome, Microsoft, and Mozilla. CA owners submit audit statements, self-assessments, CPS links, and incident reports through it. Root program managers use it to make trust decisions. Auditors reference it to verify that CA operators are meeting their disclosure obligations.

In short: if a certificate is in a browser's root store, it started its life in the CCADB.

The Problem with CCADB.org

The CCADB itself is powerful and authoritative, but its public-facing interface was built for data entry, not exploration. Practitioners who need quick answers run into several friction points:

The main export is a CSV file. AllCertificateRecordsReport is the canonical source, but downloading and grepping a spreadsheet is not a workflow — it's a workaround.
No cross-program trust matrix. Apple, Chrome, Microsoft, and Mozilla each have their own trust lists. The CCADB stores this data but does not visualise it in one place. Checking whether a root is trusted by all four programs requires navigating multiple screens or cross-referencing four separate exports.
No filtering by capability. Finding all TLS-capable intermediate CAs for a specific owner requires manual filtering in a spreadsheet or custom scripting.
No inline chain linting. When you find a certificate of interest, validating it against the BRs means copying the PEM, opening a linter, pasting it, and waiting for results — all in separate tabs.
CPS and audit links require additional verification. A CPS URL being listed does not mean it is accessible or that it maps to the OIDs in the certificate. There is no quick check built in.

None of these are criticisms of the CCADB project — it serves its purpose well. But for the daily-use case of "I need to understand this CA's status right now," the raw interface creates unnecessary friction.

The CCADB Browser

The CCADB Browser on this site syncs the CCADB V5 dataset and wraps it in an interface built for exploration and triage. Everything runs in your browser — no account, no install, no CSV.

Full-text search

Search by CA owner name, certificate CN, SHA-256 fingerprint, or country code. Results update as you type.

Filter chips

One-click filters for certificate type, capability, trust status, and validity — all combinable with search.

Trust matrix

See Apple, Chrome, Microsoft, and Mozilla trust status side-by-side for every certificate, colour-coded at a glance.

CA owner grouping

Certificates are grouped under their CA owner and arranged in a root → issuing tree, collapsible by owner.

Chain linting

Run pkilint, zlint, and x509lint against the full CA chain directly from the detail modal — no copy-paste needed.

CPS verification

Check whether a CA's CPS URL is reachable and whether its policy OIDs match the certificate's extension values.

Navigating the Browser

Search

The search bar at the top accepts free-text input and matches against CA owner names, certificate common names, SHA-256 fingerprints, and country codes. Matches are highlighted in the result tree. The query is preserved in the session so it survives a page reload.

Filter chips

Below the search bar, a row of filter chips lets you narrow the view without typing:

All / Root only / Intermediate only — filter by certificate role in the hierarchy
TLS capable / S/MIME / Code signing — filter by the EKUs and trust bits present in the certificate
Valid / Expired / Revoked — filter by current status
Trusted / Untrusted — trusted means included in at least one of the four major root programs

Filters compose with search: "TLS capable" + "DigiCert" shows only TLS-capable certificates owned by DigiCert entities.

Tip

The Untrusted filter is useful for spotting legacy or distrust-pending roots that are still in the CCADB record but no longer in active trust stores. Helpful when reviewing incident history or understanding the evolution of a CA's trust status.

Browser trust at a glance

Each certificate row in the table shows four browser logo icons — Apple, Chrome (Chromium), Microsoft, and Mozilla. A coloured icon means the certificate is included in that program's trust store (or meets EV policy). A greyed icon means it is not trusted, distrust-pending, or the status is unknown. No need to cross-reference four separate trust store exports.

Capability tags

Alongside the trust matrix, each certificate shows its active capabilities derived from its EKUs and trust bits: TLS, EV, S/MIME, and Code Signing. These reflect what the certificate is actually trusted to do — not just what it claims.

The Detail Modal

Clicking any certificate row opens a detail modal with the full CCADB record for that certificate. This is where the most useful tooling lives.

Certificate metadata

The modal shows the full subject DN, issuer DN, validity range, serial number, and SHA-256 fingerprint. It also shows the CCADB record fields: CA owner, certificate type, EKU breakdown, and the four-program trust status with status labels (Included, EV Enabled, Revoked, Not Trusted, etc.).

Chain lint

The Chain Lint button pre-fills the certificate chain into the multi-linter tool and opens it in a new tab. From there you can run pkilint, zlint, x509lint, and any other available linters, drill into individual findings, and go as deep as needed. The CCADB modal handles the chain extraction and handoff — you never have to copy a PEM manually.

Workflow

Lint a CA chain in three steps: search for the CA owner → click the certificate row to open the modal → click Chain Lint to jump straight into the multi-linter with the chain pre-loaded.

CPS verification

The Verify CPS action checks whether the CPS URL listed in the CCADB record is reachable over HTTPS and returns a readable document. It also checks whether the policy OIDs in the certificate's Certificate Policies extension match the OIDs referenced in the CPS.

This matters for audits: a CA might have updated its CPS URL without updating the certificate, or the URL might have moved to a CDN that is temporarily unreachable. The verification catches both.

Audit information

The modal surfaces the CA's current audit entries as recorded in the CCADB: the audit statement URL, the auditor name, the audit type (WebTrust, ETSI, etc.), and the audit period. This is the same data that root program managers use to verify ongoing compliance — accessible directly from the certificate record without navigating through the CCADB web interface.

Practical Workflows

Find all trusted TLS roots for a CA

In the search bar, type the CA owner name (e.g. Sectigo).
Click the Root only chip to filter out intermediates.
Click the TLS capable chip to limit results to TLS-trusted roots.
The trust matrix columns show at a glance which of the four programs trust each root.

Spot a distrust event

Filter by Revoked or Untrusted.
Search for the CA name or scroll through the tree.
Click a certificate row and check the CCADB status labels for each program — they show the exact disposition (Revoked, Not Trusted, Distrust-pending) per program.
The audit section shows whether the CA continued meeting its audit obligations up to revocation.

Audit a CA's compliance posture

Search for the CA owner.
Click any of its issuing CAs to open the detail modal.
Click Verify CPS to confirm the CPS URL is live and policy OIDs match.
Click Chain Lint to run the multi-linter against the chain.
Review the Audit section for audit statement recency and auditor details.

For auditors

Steps 3–5 cover the three most common checks in a CA pre-audit review: CPS accessibility, certificate profile correctness, and audit statement completeness. Running them from a single interface removes the toolchain assembly that usually precedes each engagement.

Who This Is For

The CCADB Browser is useful across several roles:

CA auditors doing pre-engagement research: quickly understand a CA's hierarchy, trust status, current audit posture, and certificate profile without requesting documentation upfront.
Root program participants reviewing a CA's inclusion request or distrust case: cross-reference all four programs' status, check the chain against the BRs, and verify CPS accessibility in one session.
PKI engineers validating their own CA's certificate profiles before submission: run chain lint against the CCADB copy of their chain to catch issues before root program review.
Security researchers mapping the WebPKI trust landscape: filter, search, and explore the full CCADB dataset without spreadsheet gymnastics.

Open the CCADB Browser

Search, filter, and inspect the full CCADB V5 dataset. No account required.

Open CCADB Browser →