Google, HTTPS, and device compatibility (Google Online Security Blog)

Posted by Ryan Hurst, Product Management, Google Trust Services

Encryption is a fundamental building block when you’re on a mission to organize the world’s information and make it universally accessible with strong security and privacy. This is why a little over four years ago we created Google Trust Services—our publicly trusted Certificate Authority (CA).

The road to becoming a publicly trusted certificate authority is a long one – especially if the certificates you issue will be used by some of the most visited sites on the internet.

When we started on this journey, our goal was that within five years our root certificates would be embedded in enough devices that we could do a single transition to our long-term root certificates.

There are still a large number of active used devices that have not been updated with our root certificates.

To ensure as many clients as possible continue to have secure connections when using Google Trust Services certificates, we needed to obtain a cross-sign. A cross-sign allows a certificate authority that is already trusted by a device to extend its device compatibility to another certificate authority.

The rules governing public CA operations require that the CA being cross-signed meet the same strict operational, technological, and audit criteria as the certificate authority providing this cross-sign. Google Trust Services is already a publicly trusted CA that is operated to the highest standards and is in all major browser trust stores, so we already met the requirements for a cross-sign from another CA.. The key was to find one that is already trusted by the devices we wanted to be able to validate our certificates. We worked with GMO GlobalSign for this cross sign because they operate one of the oldest root certificates in wide use today.

Why are we telling you about this now? On December 15, 2021, the primary root certificate we use today (GlobalSign R2 which is owned and operated by Google Trust Services) will expire.

To ensure these older devices continue to work smoothly with the certificates we issue we will start sending a new cross-signed certificate to services when we issue new certificates.

The good news is that users shouldn’t notice the change. This is because the cross-certificate (GTS Root R1 Cross) we’re deploying was signed by a root certificate created and trusted by most devices over 20 years ago.

In summary, when you use certificates from Google Trust Services, you and your customers will continue to get the benefit of the best device compatibility in the industry.

We know you might have some questions about this change. Here are our answers to the most frequent ones:

I am a developer or ISV that uses a Google API. What do I need to do?

Certificate Authorities change which root CA certificates they use from time to time, so we have always provided a list of certificates that we currently use or may use in the future. Anybody using this list won’t have to change anything. If you have not been using this list and updating it based on our published guidance, you will need to update your application to use these roots and regularly update the list you use so future changes go smoothly for your users.

I am a website operator that uses Google Trust Services certificates. Do I need to change anything?

You do not! Google Trust Services offers certificates to Alphabet products and services including many Google Cloud services. This means that those services are the ones responsible for configuring and managing TLS for you.

When will this change go into effect? 

We will begin rolling out certificate chains that use this cross-certificate in March 2021. We will slowly roll these changes out throughout the rest of the year and will complete them before December 15, 2021.

I use a service or product that uses Google Trust Services. Is there anything I need to change? No, this change should be invisible to all end users.

How can I test to see if my devices will trust certificates that rely on this cross-sign? 

We operate a test site that uses the cross-certificate that you can visit here. If you see « Google Trust Services Demo Page – Expected Status: good » and some additional certificate information, the new certificate chain works correctly on your device. If you get an error, the list of trusted roots for the device you’re testing needs to be updated.

When does this cross-certificate expire and what happens when it does? 

The cross-certificate expires January 28th, 2028. Sometime between now and when it looks like it is no longer needed for broad device compatibility, we will stop providing this extra certificate to certificate requesters, as it will no longer be needed.

I use an old device and it does not trust the cross-sign. What should I do? 

Many devices handle root certificate updates as part of their security patching process. If you are running one of these devices, you should make sure you apply all relevant security updates. It is also possible the manufacturer no longer provides security updates for your device. If this is the case you may want to contact your provider or consider replacing your device.

Does this mean you are no longer using the Google Trust Services roots? We are still using the Google Trust Services roots, they are simply cross-signed. When it is no longer necessary to use the cross-sign, we will no longer distribute the cross-sign to certificate requestors.

To learn more, visit Google Trust Services.