Posted by Ryan Hurst, Product Management, Google Trust Services
Encryption is a fundamental building block when you’re on a mission to organize the world’s information and make it universally accessible with strong security and privacy. This is why a little over four years ago we created Google Trust Services—our publicly trusted Certificate Authority (CA).
The road to becoming a publicly trusted certificate authority is a long one – especially if the certificates you issue will be used by some of the most visited sites on the internet.
When we started on this journey, our goal was that within five years our root certificates would be embedded in enough devices that we could do a single transition to our long-term root certificates.
There are still a large number of active used devices that have not been updated with our root certificates.
To ensure as many clients as possible continue to have secure connections when using Google Trust Services certificates, we needed to obtain a cross-sign. A cross-sign allows a certificate authority that is already trusted by a device to extend its device compatibility to another certificate authority.
The rules governing public CA operations require that the CA being cross-signed meet the same strict operational, technological, and audit criteria as the certificate authority providing this cross-sign. Google Trust Services is already a publicly trusted CA that is operated to the highest standards and is in all major browser trust stores, so we already met the requirements for a cross-sign from another CA.. The key was to find one that is already trusted by the devices we wanted to be able to validate our certificates. We worked with GMO GlobalSign for this cross sign because they operate one of the oldest root certificates in wide use today.
Why are we telling you about this now? On December 15, 2021, the primary root certificate we use today (GlobalSign R2 which is owned and operated by Google Trust Services) will expire.
To ensure these older devices continue to work smoothly with the certificates we issue we will start sending a new cross-signed certificate to services when we issue new certificates.
The good news is that users shouldn’t notice the change. This is because the cross-certificate (GTS Root R1 Cross) we’re deploying was signed by a root certificate created and trusted by most devices over 20 years ago.
In summary, when you use certificates from Google Trust Services, you and your customers will continue to get the benefit of the best device compatibility in the industry.
We know you might have some questions about this change. Here are our answers to the most frequent ones:
I am a developer or ISV that uses a Google API. What do I need to do?
I am a website operator that uses Google Trust Services certificates. Do I need to change anything?
When will this change go into effect?
I use a service or product that uses Google Trust Services. Is there anything I need to change? No, this change should be invisible to all end users.
How can I test to see if my devices will trust certificates that rely on this cross-sign?
When does this cross-certificate expire and what happens when it does?
I use an old device and it does not trust the cross-sign. What should I do?
Does this mean you are no longer using the Google Trust Services roots? We are still using the Google Trust Services roots, they are simply cross-signed. When it is no longer necessary to use the cross-sign, we will no longer distribute the cross-sign to certificate requestors.