# Frequently Asked Questions
Last updated: August 21, 2023

[TOC]

## General Questions

### What is the Chrome Root Store?
Chrome uses
[digital certificates](https://en.wikipedia.org/wiki/Public_key_certificate)
(often referred to as “certificates,” “HTTPS certificates,” or “server
authentication certificates”) to ensure the connections it makes on behalf
of its users are secure and private. Certificates bind a domain name to a
public key, which Chrome uses to encrypt data sent to and from the
corresponding website.

As part of establishing a secure connection to a website, Chrome verifies
that a recognized system known as a “Certification Authority” (CA) issued
its certificate. Certificates issued by a CA not recognized by Chrome or a
user’s local settings can cause users to see warnings and error pages.

Root stores, sometimes called “trust stores,” tell operating systems and
applications what certificates to trust. The
[Chrome Root Store](https://g.co/chrome/root-store) contains the set of
certificates Chrome trusts by default.

### What is the Chrome Certificate Verifier?
Historically, Chrome integrated certificate verification processes with
the platform it ran on. This resulted in inconsistent user experiences
across platforms, making it difficult for developers to understand
Chrome's expected behavior.

The Chrome Certificate Verifier addresses these concerns by applying a
common certificate verification process across Windows, macOS, Chrome OS,
Linux, and Android. Apple policies prevent the Chrome Certificate Verifier
and corresponding Chrome Root Store from being used on Chrome for iOS.

### How do these features impact me?

#### Chrome Users
We expect the transition to the Chrome Root Store and Chrome Certificate
Verifier to be seamless for most users.

As the transition occurs, a small population of users may notice that a
small number of websites that successfully loaded in earlier versions of
Chrome now present a “Your connection is not private” warning. When a
website’s certificate does not validate to a certificate included in the
Chrome Root Store or a user’s local settings, users will see detailed
error language that includes “ERR_CERT_AUTHORITY_INVALID.”

See the troubleshooting steps [here](#can-you-help_i_m-experiencing-problems).

#### Website Operators
We expect the transition to the Chrome Root Store and Chrome Certificate
Verifier to be seamless for most website operators.

We encourage website operators to configure HTTPS for their site(s) with
certificates that follow modern best practices, including those found in
the CA/Browser Forum [Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates](https://cabforum.org/baseline-requirements-documents/)
and the Chrome Root Program [policy](https://g.co/chrome/root-policy).

If your website’s certificate issuer is not included in the
[Chrome Root Store](https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md),
consider transitioning to another service provider to avoid compatibility
issues.

#### Enterprise CA Owners
We expect the transition to the Chrome Root Store and Chrome Certificate
Verifier to be seamless for Enterprise CA owners.

Enterprise CAs are intended for use cases exclusively internal to an
organization (e.g., a TLS certificate issued to a corporate intranet site).

The Chrome Certificate Verifier [considers](#will-the-chrome-certificate-verifier-consider-local-trust-decisions)
locally-managed certificates during the certificate verification process.
Consequently, if an enterprise distributes a root CA certificate as
trusted to its users (for example, by a Windows Group Policy Object),
it will be considered trusted in Chrome.

#### Enterprise System Administrators
The Chrome Certificate Verifier [considers](#will-the-chrome-certificate-verifier-consider-local-trust-decisions)
locally-managed certificates during the certificate verification process.
Consequently, if an enterprise distributes a root CA certificate as
trusted to its users (for example, by a Windows Group Policy Object),
it will be considered trusted in Chrome.

The Chrome Certificate Verifier evaluates certificate profile conformance
against [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280), and in
some cases, is more strict than platform verifiers. As a result, an
enterprise policy will *temporarily* be available to re-enable the
platform root store and certificate verifier to provide enterprises time
to remediate certificate profile conformance errors. See more
[below](#can-i-revert-to-the-platform-root-store-and-verifier).

#### “Publicly-Trusted” CA Owners
CA Owners who meet the Chrome Root Program
[policy](https://g.co/chrome/root-policy) requirements may apply for a CA
certificate’s inclusion in the Chrome Root Store. CAs included in the
Chrome Root Store are expected to adhere to the Chrome Root Program policy
and continue to operate in a consistent and trustworthy manner. A CA
owner’s failure to follow the requirements defined in the Chrome Root
Program policy may result in a CA certificate’s removal from the Chrome
Root Store, limitations on Chrome's acceptance of the certificates they
issue, or other technical or policy restrictions.

### When are these changes taking place?
A “rollout” is a gradual launch of a new feature. Sometimes, to ensure it
goes smoothly, we don’t enable a new feature for all of our users at once.
Instead, we start with a small percentage of users and increase that
percentage over time to ensure we minimize unanticipated compatibility
issues.

The table below shows the rollout of these new features across platforms.

| Chrome on...\* | Chrome Root Store Rollout Begins\*\* | Chrome Root Store Enabled by Default | Sunset of Enterprise Policy\*\*\* |
| --------------- | ------------------------------------ | ------------------------------------ | ------------------------------------- |
| Android | Chrome 114 | Chrome 115 | Chrome 120 |
| Chrome OS | Chrome 114 | Chrome 114 | Chrome 119 |
| iOS\*\*\*\* | N/A | N/A | N/A |
| Linux | Chrome 114 | Chrome 114 | Chrome 119 |
| macOS | Chrome 105 | Chrome 108 | Chrome 112 |
| Windows | Chrome 105 | Chrome 108 | Chrome 112 |

**Notes:**<br>
(\*) Find Chrome browser system requirements [here.](https://support.google.com/chrome/a/answer/7100626)

(\*\*) During this release, users also had the opportunity to "opt-in" to
these features, regardless of whether they were automatically enrolled in
the rollout population.

(\*\*\*) The [ChromeRootStoreEnabled](https://chromeenterprise.google/policies/?policy=ChromeRootStoreEnabled)
enterprise policy will be temporarily available to revert to the platform
root store and verifier. The version represented in this column is the
last version of Chrome where the corresponding platform will support the
enterprise policy.

(\*\*\*\*) Apple policies prevent the Chrome Root Store and Chrome Certificate
Verifier from being used on Chrome for iOS.


## Support and Troubleshooting

### Can you help? I’m experiencing problems.
As the transition to the Chrome Root Store and Certificate Verifier occurs,
a small population of users may notice that a small number of websites
that successfully loaded in earlier versions of Chrome now present a “Your
connection is not private” warning that includes a message that reads
“NET::ERR_CERT_AUTHORITY_INVALID.”

**Troubleshooting (for developers, system administrators, or "power users"):**
1. [Verify](#given-the-rollout-is-gradual_how-can-i-tell-if-these-features-are-in-use-on-my-system)
   the Chrome Root Store and Certificate Verifier are in use.
   - If the Chrome Root Store and Certificate Verifier are not enabled,
     read more about common connection errors
     [here](https://support.google.com/chrome/answer/6098869?hl=en).
2. Choose to *either* add the website’s corresponding root CA certificate
   to your platform root store *or* temporarily use a Chrome Enterprise
   Policy to disable the Chrome Root Store and Certificate Verifier.

   * **Add a CA certificate to the platform root store:** Refer to your
     operating system instructions for managing certificates. <br><br>
     *Warning*: You should **never** install a root certificate without
     carefully considering the impact this might have on your privacy and
     security. *Only* install a root certificate after obtaining it from
     a trusted source and verifying its authenticity (e.g., verifying its
     SHA-256 thumbprint).

   * **Use the Chrome Enterprise Policy:** See
     [below](#can-i-revert-to-the-platform-root-store-and-verifier).

If you believe the Chrome Certificate Verifier is not working as intended,
submit a [bug](https://bugs.chromium.org/p/chromium/issues/entry) and
attach a [NetLog dump](https://www.chromium.org/for-testers/providing-network-details/)
repeating the steps leading to the issue from a new Incognito window.
Add a comment to route the bug to the Internals>Network>Certificate component
for the fastest routing to the appropriate triage team.

If you believe you've identified a Security Bug, follow [these](https://www.chromium.org/Home/chromium-security/reporting-security-bugs/)
instructions.

### Can I revert to the platform root store and verifier?
The Chrome Certificate Verifier evaluates certificate profile conformance
against [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280), and in
some cases, is more strict than platform verifiers. The
[ChromeRootStoreEnabled](https://chromeenterprise.google/policies/?policy=ChromeRootStoreEnabled)
enterprise policy will be temporarily available to revert to the platform
root store and verifier.

This enterprise policy will be available for a limited time only and
should only be used as a temporary solution while troubleshooting and
remediating instances of certificate profile conformance issues.


## Additional Information for Administrators, Engineers, and Power Users

### How is the Chrome Root Store updated?
Chrome uses a "[component updater](https://chromium.googlesource.com/chromium/src/+/lkgr/components/component_updater/README.md)"
tool to push specific updates to browser components without updating the
Chrome browser application. As root CA certificates are added or removed
from the Chrome Root Store, the component updater will automatically
propagate these changes to user endpoints without user action.

If your enterprise has [disabled](https://chromeenterprise.google/policies/?policy=ComponentUpdatesEnabled)
component updates, endpoints will only receive updated versions of the
Chrome Root Store during Chrome browser application updates.

During routine operating conditions, the Chrome Root Store is updated
approximately quarterly.
However, aperiodic updates may take place to
promote the safety and privacy of Chrome's users.

### Will the Chrome Certificate Verifier consider local trust decisions?

On **Windows**, the Chrome Certificate Verifier will automatically consume
certificates added to the following certificate stores:

- Local Machine (*accessed via certlm.msc*)
  - Trust:
    - Trusted Root Certification Authorities
    - Trusted People
    - Enterprise Trust -> Enterprise -> Trusted Root Certification Authorities
    - Enterprise Trust -> Enterprise -> Trusted People
    - Enterprise Trust -> Group Policy -> Trusted Root Certification Authorities
    - Enterprise Trust -> Group Policy -> Trusted People
  - Distrust:
    - Untrusted Certificates
    - Enterprise Trust -> Enterprise -> Untrusted Certificates
    - Enterprise Trust -> Group Policy -> Untrusted Certificates

- Current User (*accessed via certmgr.msc*)
  - Trust:
    - Trusted Root Certification Authorities
    - Enterprise Trust -> Group Policy -> Trusted Root Certification Authorities
  - Distrust:
    - Untrusted Certificates
    - Enterprise Trust -> Group Policy -> Untrusted Certificates

On **macOS**, the Chrome Certificate Verifier will automatically consume
certificates added to the following certificate stores:

- Default and System Keychains
  - Trust:
    - Any certificate where the "When using this certificate" flag is
      set to "Always Trust" or
    - Any certificate where the "Secure Sockets Layer (SSL)" flag is
      set to "Always Trust."

  - Distrust:
    - Any certificate where the "When using this certificate" flag is
      set to "Never Trust" or
    - Any certificate where the "Secure Sockets Layer (SSL)" flag is
      set to "Never Trust."

### What about client authentication certificates?
Historically, Chrome has integrated with platform certificate stores to
support the use of client authentication certificates.
This behavior is
unchanged by the rollout of the Chrome Root Store and the Chrome
Certificate Verifier.

### Given the gradual rollout, how can I tell if these features are in use on my system?

See these [testing instructions](testing.md).

### How can I tell which certificates are trusted by the Chrome Root Store?
The most recent version of the Chrome Root Store is available
[here](https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md).

The Chrome Root Store is updated by Component Updater. To observe the
contents of the Chrome Root Store in use by a version of Chrome where it
has been [launched](#when-are-these-changes-taking-place):

1. Navigate to `chrome://system`
2. Click the `Expand`... button next to `chrome_root_store`
3. *The contents of the Chrome Root Store will display*

### What criteria does the Chrome Certificate Verifier use to evaluate certificates?
The Chrome Certificate Verifier will apply standard processing to include
checking:
- the certificate's key usage and extended key usage are consistent with
  TLS use cases.
- the certificate validity period is not in the past or future.
- key sizes and algorithms are of known and acceptable quality.
- whether mismatched or unknown signature algorithms are included.
- that the certificate does not chain to or through a blocked CA.
- conformance with [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280).

Chrome applies additional processing rules for certificates chaining to
roots included in the Chrome Root Store, such as:
- Certificate Transparency enforcement, and
- maximum certificate validity enforcement as required by the CA/B Forum
  Baseline Requirements (i.e., 398 days or less).

### What criteria does the Chrome Certificate Verifier use to build certificate paths?
The Chrome Certificate Verifier was designed to follow path-building
guidance established in [RFC 4158](https://datatracker.ietf.org/doc/html/rfc4158).

### Where is the Chrome Root Store source code located?
Source locations include
[//net/data/ssl/chrome_root_store](/net/data/ssl/chrome_root_store),
[//net/cert](/net/cert), [//services/cert_verifier](/services/cert_verifier),
and [//chrome/browser/component_updater/](/chrome/browser/component_updater/).

### Where is the Chrome Certificate Verifier source code located?
Source locations include
[//net/cert](/net/cert), [//net/cert/internal](/net/cert/internal), and
[//net/cert/pki](/net/cert/pki).