# Frequently Asked Questions
Last updated: June 1, 2024

[TOC]

## General Questions

### What is the Chrome Root Store?
Chrome uses
[digital certificates](https://en.wikipedia.org/wiki/Public_key_certificate)
(often referred to as “certificates,” “HTTPS certificates,” or “server
authentication certificates”) to ensure the connections it makes on behalf
of its users are secure and private. Certificates bind a domain name to a
public key, which Chrome uses to encrypt data sent to and from the
corresponding website.

As part of establishing a secure connection to a website, Chrome verifies
that a recognized system known as a “Certification Authority” (CA) issued
its certificate. Certificates issued by a CA not recognized by Chrome or a
user’s local settings can cause users to see warnings and error pages.

Root stores, sometimes called “trust stores,” tell operating systems and
applications what certificates to trust.

The
[Chrome Root Store](https://g.co/chrome/root-store) contains the set of
certificates Chrome trusts by default.

### What is the Chrome Certificate Verifier?
Historically, Chrome integrated certificate verification processes with
the platform it ran on. This resulted in inconsistent user experiences
across platforms, making it difficult for developers to understand
Chrome's expected behavior.

The launch of the Chrome Certificate Verifier addressed these concerns by
applying a common certificate verification process across Windows, macOS,
Chrome OS, Linux, and Android.

**Note:** Apple policies prevent the Chrome Certificate Verifier and
corresponding Chrome Root Store from being used on Chrome for iOS.

### When did these features land?
The Chrome Root Store and Chrome Certificate Verifier were rolled out to
Chrome users as described below.

| Chrome on...\*  | Rollout Began\*\*                    | Enabled by Default                   |
| --------------- | ------------------------------------ | ------------------------------------ |
| Android         | Chrome 114                           | Chrome 115                           |
| Chrome OS       | Chrome 114                           | Chrome 114                           |
| iOS\*\*\*       | N/A                                  | N/A                                  |
| Linux           | Chrome 114                           | Chrome 114                           |
| macOS           | Chrome 105                           | Chrome 108                           |
| Windows         | Chrome 105                           | Chrome 108                           |

**Notes:**<br>
(\*) Find Chrome browser system requirements [here.](https://support.google.com/chrome/a/answer/7100626)

(\*\*) During this release, users also had the opportunity to "opt-in" to
these features, regardless of whether they were automatically enrolled in
the rollout population.

(\*\*\*) Apple policies prevent the Chrome Root Store and Chrome
Certificate Verifier from being used on Chrome for iOS.

### How do these features impact "enterprise", "private", or "only-locally trusted" certificates?
The Chrome Certificate Verifier
[considers](#does-the-chrome-certificate-verifier-consider-local-trust-decisions)
locally-managed certificates during the certificate verification process.
Consequently, if an enterprise distributes a root CA certificate as
trusted to its users (for example, by a Windows Group Policy Object), it
will be considered trusted in Chrome.

### How can I apply for my CA's inclusion in the Chrome Root Store?
CA Owners who meet the Chrome Root Program
[policy](https://g.co/chrome/root-policy) requirements may apply for a CA
certificate’s inclusion in the Chrome Root Store. CAs included in the
Chrome Root Store are expected to adhere to the Chrome Root Program policy
and continue to operate in a consistent and trustworthy manner. A CA
owner’s failure to follow the requirements defined in the Chrome Root
Program policy may result in a CA certificate’s removal from the Chrome
Root Store, limitations on Chrome's acceptance of the certificates they
issue, or other technical or policy restrictions.

## Support and Troubleshooting

### Where can I report an issue?
If you believe the Chrome Certificate Verifier is not working as intended,
submit a [bug](https://bugs.chromium.org/p/chromium/issues/entry) and
attach a
[NetLog dump](https://www.chromium.org/for-testers/providing-network-details/)
repeating the steps leading to the issue from a new Incognito window. Add
a comment to route the bug to the Internals>Network>Certificate component
for the fastest delivery to the appropriate triage team.

If you believe you've identified a Security Bug, follow
[these](https://www.chromium.org/Home/chromium-security/reporting-security-bugs/)
instructions.

### Can I revert to the platform root store and verifier?
An
[enterprise policy](https://chromeenterprise.google/policies/?policy=ChromeRootStoreEnabled)
was available for a limited time in support of troubleshooting during the
transition to the Chrome Root Store and Chrome Certificate Verifier.

This enterprise policy is now deprecated.

## Additional Information for Administrators, Engineers, and Power Users

### How is the Chrome Root Store updated?
Chrome uses a "[component updater](https://chromium.googlesource.com/chromium/src/+/lkgr/components/component_updater/README.md)"
tool to push specific updates to browser components without updating the
Chrome browser application. As root CA certificates are added to or removed
from the Chrome Root Store, or otherwise modified, the component updater
automatically propagates these changes to user endpoints without user action.

If your enterprise has [disabled](https://chromeenterprise.google/policies/?policy=ComponentUpdatesEnabled)
component updates, endpoints will only receive updated versions of the
Chrome Root Store during Chrome browser application updates.

During routine operating conditions, the Chrome Root Store is updated
approximately quarterly. However, aperiodic updates may take place to
promote the safety and privacy of Chrome's users.

### Does the Chrome Certificate Verifier consider local trust decisions?

Yes.

On **Windows**, the Chrome Certificate Verifier automatically consumes
certificates **added** to the following certificate stores:

- Local Machine (*accessed via certlm.msc*)
     - Trust:
          - Trusted Root Certification Authorities
          - Trusted People
          - Enterprise Trust -> Enterprise -> Trusted Root Certification Authorities
          - Enterprise Trust -> Enterprise -> Trusted People
          - Enterprise Trust -> Group Policy -> Trusted Root Certification Authorities
          - Enterprise Trust -> Group Policy -> Trusted People
     - Distrust:
          - Untrusted Certificates
          - Enterprise Trust -> Enterprise -> Untrusted Certificates
          - Enterprise Trust -> Group Policy -> Untrusted Certificates

- Current User (*accessed via certmgr.msc*)
     - Trust:
          - Trusted Root Certification Authorities
          - Enterprise Trust -> Group Policy -> Trusted Root Certification Authorities
     - Distrust:
          - Untrusted Certificates
          - Enterprise Trust -> Group Policy -> Untrusted Certificates

On **macOS**, the Chrome Certificate Verifier automatically consumes
certificates **added** to the following certificate stores:

- Default and System Keychains
    - Trust:
         - Any certificate where the "When using this certificate" flag is
         set to "Always Trust" or
         - Any certificate where the "Secure Sockets Layer (SSL)" flag is
         set to "Always Trust."

    - Distrust:
         - Any certificate where the "When using this certificate" flag is
         set to "Never Trust" or
         - Any certificate where the "Secure Sockets Layer (SSL)" flag is
         set to "Never Trust."

**Note:** The Chrome Certificate Verifier **does not** rely on the
contents of the default trust store shipped by the platform provider.
When viewing the contents of a platform trust store, it's important to
remember there's a difference between an enterprise or user explicitly
distributing trust for a certificate and inheriting that trust from the
default platform root store. For example, on Windows, viewing the
`Trusted Root Certification Authorities` trust store may present a
specific CA certificate as trusted, but that certificate's trust is
inherited from the Windows Certificate Trust List, observed by viewing
the `Trusted Root Certification Authorities\Third-Party` trust store,
rather than explicitly being distributed as trusted by an enterprise or
user (observed in either of the
`Trusted Root Certification Authorities\Registry`,
`Trusted Root Certification Authorities\Group Policy`, or
`Trusted Root Certification Authorities\Enterprise` trust stores).

### What about client authentication certificates?
Historically, Chrome has integrated with platform certificate stores to
support the use of client authentication certificates. This behavior is
unchanged by the rollout of the Chrome Root Store and the Chrome
Certificate Verifier.

### How can I tell which certificates are trusted by the Chrome Root Store?
The most recent version of the Chrome Root Store is available
[here](https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md).

The Chrome Root Store is updated by Component Updater. To observe the
contents of the Chrome Root Store in use by a version of Chrome:

1. Navigate to `chrome://system`
2. Click the `Expand...` button next to `chrome_root_store`
3. *The contents of the Chrome Root Store will display*

### What criteria does the Chrome Certificate Verifier use to evaluate certificates?
The Chrome Certificate Verifier applies standard processing, including
checking:
- that the certificate's key usage and extended key usage are consistent
with TLS use cases.
- that the certificate validity period is not in the past or future.
- that key sizes and algorithms are of known and acceptable quality.
- whether mismatched or unknown signature algorithms are included.
- that the certificate does not chain to or through a blocked CA.
- conformance with [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280).

Chrome applies additional processing rules for certificates chaining to
roots included in the Chrome Root Store, such as:
- Certificate Transparency enforcement, and
- maximum certificate validity enforcement as required by the CA/B Forum
Baseline Requirements (i.e., 398 days or less).
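As an added illustration, not Chrome's own code (the Chrome Certificate Verifier is C++ under //net/cert), the Go program below applies three of the leaf-level checks listed above to a constructed self-signed test certificate: an EKU consistent with TLS server authentication, a validity window that contains the current time, and the 398-day maximum validity. The `checkLeaf` and `selfSigned` functions and the `example.test` name are assumptions of this example; path building, Certificate Transparency, and the blocked-CA check are out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// checkLeaf applies three of the FAQ's leaf checks (EKU fit for TLS, validity window
// contains now, validity length within the 398-day BR limit); empty means all passed.
func checkLeaf(c *x509.Certificate, now time.Time) []string {
	var problems []string
	serverAuth := false
	for _, eku := range c.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
	}
	if !serverAuth {
		problems = append(problems, "EKU does not permit TLS server authentication")
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		problems = append(problems, "current time is outside the validity period")
	}
	if c.NotAfter.Sub(c.NotBefore) > 398*24*time.Hour {
		problems = append(problems, "validity period exceeds 398 days")
	}
	return problems
}

// selfSigned builds a constructed ECDSA P-256 leaf for example.test valid for `days` from
// notBefore, with a serverAuth EKU or (the deliberately wrong case) a clientAuth EKU only.
func selfSigned(notBefore time.Time, days int, serverAuth bool) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	eku := map[bool]x509.ExtKeyUsage{true: x509.ExtKeyUsageServerAuth, false: x509.ExtKeyUsageClientAuth}[serverAuth]
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: notBefore, NotAfter: notBefore.Add(time.Duration(days) * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // DER round-trip
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	now := time.Now()
	fmt.Println("397-day serverAuth leaf:", checkLeaf(selfSigned(now.Add(-time.Hour), 397, true), now))
	fmt.Println("400-day clientAuth leaf:", checkLeaf(selfSigned(now.Add(-time.Hour), 400, false), now))
}
```

The second leaf is reported twice: once for its EKU and once for exceeding 398 days, which is the same outcome a user would see as an error page when such a certificate chains to a Chrome Root Store root.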

### What criteria does the Chrome Certificate Verifier use to build certificate paths?
The Chrome Certificate Verifier was designed to follow path-building
guidance established in [RFC 4158](https://datatracker.ietf.org/doc/html/rfc4158).

### Where is the Chrome Root Store source code located?
Source locations include
[//net/data/ssl/chrome_root_store](/net/data/ssl/chrome_root_store),
[//net/cert](/net/cert), [//services/cert_verifier](/services/cert_verifier),
and [//chrome/browser/component_updater/](/chrome/browser/component_updater/).

### Where is the Chrome Certificate Verifier source code located?
Source locations include
[//net/cert](/net/cert), [//net/cert/internal](/net/cert/internal), and
[//net/cert/pki](/net/cert/pki).