Secure your place in the browser root — build trust online with RSM Hong Kong.

Demand for trusted digital identities is accelerating: more than 90% of web traffic is now encrypted, browser and platform vendors are tightening requirements for root inclusion, and regulators and customers increasingly expect demonstrable controls over cryptographic keys and certificate issuance. These trends make independent WebTrust assurance not just best practice but a business imperative for Certification Authorities (CAs) seeking public trust and market acceptance.


Global standards for digital trust
 

Digital certificates, which are issued by Certification Authorities (CAs), serve as the foundation of secure online communication. To ensure these entities operate with the highest level of integrity, the WebTrust® program, managed by Chartered Professional Accountants of Canada (CPA Canada), provides a rigorous framework to evaluate the reliability and effectiveness of a CA's controls.

As an enrolled WebTrust practitioner, RSM Hong Kong provides independent assurance that your infrastructure, policies, and procedures meet these globally recognized standards, enabling your certificates to be trusted by users and technology providers worldwide. 

 

WebTrust assurance services

We provide comprehensive WebTrust assurance services across various WebTrust principles and criteria:

WebTrust for Certification Authorities (CA): An examination of a CA’s disclosure of its business practices and an evaluation of the controls over its CA operations, including its PKI, key lifecycle management, and environmental security.

Key Lifecycle Protection: A critical component of our assurance services, covering the entire lifecycle of CA keys, including:

  1. Root Key Generation Ceremony (RKGC): Independent witnessing of the ceremony to ensure keys are generated according to disclosed policies.
  2. Key Transportation & Migration: Assurance over the secure movement of keys between geographic locations or to new hardware security modules (HSMs).
  3. Key Protection and Storage: Evaluating the logical and physical security measures used to prevent unauthorized access or compromise.

WebTrust for CAs - TLS Baseline Requirements: An audit focused on the issuance and management of publicly trusted TLS certificates.

WebTrust for CAs - Extended Validation (EV) TLS: An assessment of the heightened control objectives required for the issuance and management of EV TLS certificates.

WebTrust for CAs - Publicly Trusted Code Signing: An evaluation of the controls over the issuance and management of code signing certificates, ensuring the integrity of the signing process and the identity of the subscriber.

WebTrust for Registration Authorities (RA): An independent evaluation of an RA’s compliance with the CA’s disclosed business practices, specifically regarding the authentication of subscriber identity and the accuracy of certificate requests. 

WebTrust readiness assessments

A successful WebTrust seal begins with rigorous preparation. RSM Hong Kong provides structured assessments to identify gaps before you enter a formal audit period.

RKGC readiness: We act as your advisor prior to the Root Key Generation Ceremony. We review your scripts, ceremony plans, and physical security to ensure that when the actual ceremony occurs, it meets all WebTrust criteria.

Point-in-time readiness assessment: We perform a "snapshot" evaluation of your controls as they exist at a specific moment. This is essential for new CAs to verify that their design and implementation of controls are audit-ready before commencing commercial operations. 

Advisory for web browser root program inclusion

Achieving "publicly trusted" status requires your Root Certificate to be embedded in the trust stores of web browser and software vendors such as Google Chrome, Apple, Microsoft, Mozilla, and Adobe. We provide expert advisory to navigate this process:

Audit timeline planning: We help you align your audit cycles with the strict deadlines of the root programs. This includes coordinating Point-in-Time reports, initial Period-of-Time audits, and the required annual renewals to ensure contiguous coverage with no audit gaps.

Web browser root program advisory: We guide you through the specific policies of each browser vendor and the Common CA Database (CCADB). This includes navigating requirements for single-purpose roots, maximum certificate lifetimes, and mandatory automation capabilities.

Why choose RSM?

Enrolled practitioners
We are part of the select group of firms recognized by CPA Canada to perform WebTrust audits in the Greater China region.

Technical expertise
Our team possesses deep knowledge of Public Key Infrastructure (PKI), cryptographic standards, and certificate lifecycle management, enabling us to perform thorough and reliable WebTrust audits for Certification Authorities.

Streamlined compliance
We translate complex CA/B Forum requirements into actionable technical and procedural improvements, helping your teams resolve compliance gaps efficiently and avoid delays in the audit process. 
