
Webtrust Audit

Building trust in a rapidly changing environment

Independent assurance services for certification authorities and PKI-based trust services.

WebTrust audit is a specialised, internationally recognised area of digital trust assurance. It is primarily relevant for Certification Authorities (CAs), where certificate issuance, PKI operations, policies, controls and compliance directly influence the confidence of customers, browsers, platforms and root programs.

Crowe’s WebTrust Audit service assesses, in a structured manner, whether the certification authority’s operations, control environment, policies and evidence comply with the applicable WebTrust principles and criteria, as well as relevant industry expectations.

Request a consultation with our experts, or send us your request for a proposal!

Where we add value

Specialised WebTrust and PKI focus
WebTrust is not a general IT audit. The engagement focuses on the specific operating model of certification authorities, the certificate lifecycle, Certificate Policy and Certification Practice Statement requirements, and related controls.
CPA Canada WebTrust partner authorisation
Within the WebTrust program, only authorised audit firms and professionals meeting the relevant contractual and professional conditions may perform these assurance services. Crowe FST Audit Kft. is authorised, as a CPA Canada partner, to perform WebTrust compliance audits.
Understanding of international root programs and industry requirements
For CAs, WebTrust compliance is often not an end in itself. It is linked to root store programs, browser and platform requirements, CCADB processes and CA/Browser Forum expectations.
Audit process suitable for public reporting and seal use
Where conformity is achieved, the result of a WebTrust audit may be linked to a public audit report and WebTrust seal use, which is an important trust signal for customers, partners, browsers and platforms.

When do clients usually contact us?

  • when a certification authority is planning a WebTrust audit or seeking to obtain a WebTrust seal
  • when an audit requirement arises in connection with a root store program, browser requirement or platform expectation
  • when preparing to audit a new CA operation, new root, new subordinate CA or new certificate type
  • when an existing CA is due for an annual, period-of-time or renewal WebTrust audit
  • when the organisation needs readiness or gap assessment support before the formal audit
  • when the CP/CPS, control environment, evidence structure, PKI hierarchy or reporting process needs to be organised
  • when the CA needs international communication, an English-language audit report and documentation aligned with industry expectations

How can we help?

WebTrust for Certification Authorities audit

Assessment of the certification authority’s operations against the WebTrust for Certification Authorities principles and criteria, including relevant policies, controls, operating processes and evidence.

WebTrust audits for specific certificate types

Depending on the applicable requirements, we support WebTrust audits related to SSL/TLS, EV TLS, code signing, EV Code Signing, S/MIME, Mark or V2XPKI certificate types.

Readiness and gap assessment

Before the formal audit, we identify critical gaps, documentation deficiencies, control risks and evidence requirements so that the audit can start in a more predictable way.

Review of CP/CPS and policy compliance

We review whether the Certificate Policy, Certification Practice Statement and related internal policies are aligned with actual operations, WebTrust criteria and applicable industry requirements.

Control testing and evidence-based examination

During the engagement, we evaluate CA operations through statistical sampling, control testing and evidence review, particularly in certificate lifecycle management, key management, access rights, logging, incident management, change management and documented approvals.

Public audit report and related communication

We support the formal and content requirements related to the audit report, WebTrust seal use, root programs and relevant platforms.

Why choose Crowe?

Rare, specialised assurance competence
WebTrust audit is a highly specialised field requiring audit methodology discipline, understanding of PKI and certification authority processes, and knowledge of international requirement frameworks.
Independent, structured and documented approach
We perform the engagement with a clear scope, timetable, evidence request list, control testing logic and documented communication, so the client can clearly see what expectations must be met.
International professional background
Crowe’s international background and assurance experience support cross-border, English-language and root-program-related audit communication.
Connecting technical and business perspectives
In a WebTrust audit, we assess not only technical controls, but also whether the CA’s operations, policies, responsibilities and evidence appropriately address the business risks of trust services.

Request a proposal

For a focused proposal, it is useful to prepare: the CA’s legal and operational details, the list of roots and subordinate CAs in scope, a description of the PKI hierarchy, the certificate types involved, CP/CPS documents, previous audit reports, root store or platform requirements, the planned audit period and the required report type.

Frequently asked questions

What is WebTrust audit?

A WebTrust audit is an independent assurance engagement in which an authorised auditor evaluates whether a certification authority’s operations comply with the applicable principles and criteria of the WebTrust program.

Who needs a WebTrust audit?

Primarily certification authorities that issue publicly trusted certificates, seek participation in root store programs, or want to provide independent assurance to customers and partners.

Is WebTrust the same as a general IT audit?

No. WebTrust is specifically designed for CAs, PKI operations, the certificate lifecycle, CP/CPS compliance and WebTrust criteria. General IT audit experience alone is not sufficient.

How often is a WebTrust audit required?

The frequency depends on the applicable WebTrust, root program, browser/platform and industry requirements. Many root programs expect annual audits and timely, publicly available audit attestations.

Can Crowe perform a readiness assessment before the audit?

Yes. A readiness or gap assessment can identify documentation, control and evidence-related gaps that should be addressed before the formal audit.