There are two relevant WebTrust audits: - Webtrust for CAs (been around for a long time) - WebTrust for RAs (relatively new from this year) If the CA/RA is combined, you can wrap them into a single audit, WebTrust for CAs. WebTrust for CAs have stipulations for physical security controls and is thus not possible to do in a public cloud at the moment. If the RA is an external RA, talking to the CA with APIs, the CA can be audited with WebTrust for CAs, while the RA can be audited separately with WebTrust for RAs. WebTrust for RAs for an external RA is possible to do for an external RA in a public cloud. WebTrust for RAs could eventually extend to all external parties of the CA, i.e. the VA as well at some point in the future. Summary of current status of WebTrust audited CA/VA/RA in public cloud: - CA: No - VA: No - RA: Yes For the VA a discussion can at least be started with WebTrust auditors if a you want to go in that direction. Contact your local WebTrust auditors and start a conversation.