Last updated: June 1, 2024
Chrome uses digital certificates (often referred to as “certificates,” “HTTPS certificates,” or “server authentication certificates”) to ensure the connections it makes on behalf of its users are secure and private. Certificates bind a domain name to a public key, which Chrome uses to encrypt data sent to and from the corresponding website.
As part of establishing a secure connection to a website, Chrome verifies that a recognized system known as a “Certification Authority” (CA) issued its certificate. Certificates issued by a CA not recognized by Chrome or a user’s local settings can cause users to see warnings and error pages.
Root stores, sometimes called “trust stores,” tell operating systems and applications what certificates to trust.
The Chrome Root Store contains the set of certificates Chrome trusts by default.
Historically, Chrome integrated certificate verification processes with the platform it ran on. This resulted in inconsistent user experiences across platforms, making it difficult for developers to understand Chrome's expected behavior.
The launch of the Chrome Certificate Verifier addressed these concerns by applying a common certificate verification process across Windows, macOS, Chrome OS, Linux, and Android.
Note: Apple policies prevent the Chrome Certificate Verifier and corresponding Chrome Root Store from being used on Chrome for iOS.
The Chrome Root Store and Chrome Certificate Verifier were rolled out to Chrome users as described below.
| Chrome on...* | Rollout Began** | Enabled by Default |
|---|---|---|
| Android | Chrome 114 | Chrome 115 |
| Chrome OS | Chrome 114 | Chrome 114 |
| iOS*** | N/A | N/A |
| Linux | Chrome 114 | Chrome 114 |
| macOS | Chrome 105 | Chrome 108 |
| Windows | Chrome 105 | Chrome 108 |
Notes:
(*) Find Chrome browser system requirements here.
(**) During this release, users also had the opportunity to “opt-in” to these features, regardless of whether they were automatically enrolled in the rollout population.
(***) Apple policies prevent the Chrome Root Store and Chrome Certificate Verifier from being used on Chrome for iOS.
The Chrome Certificate Verifier considers locally-managed certificates during the certificate verification process. Consequently, if an enterprise distributes a root CA certificate as trusted to its users (for example, by a Windows Group Policy Object), it will be considered trusted in Chrome.
CA Owners who meet the Chrome Root Program policy requirements may apply for a CA certificate’s inclusion in the Chrome Root Store. CAs included in the Chrome Root Store are expected to adhere to the Chrome Root Program policy and continue to operate in a consistent and trustworthy manner. A CA owner’s failure to follow the requirements defined in the Chrome Root Program policy may result in a CA certificate’s removal from the Chrome Root Store, limitations on Chrome's acceptance of the certificates they issue, or other technical or policy restrictions.
If you believe the Chrome Certificate Verifier is not working as intended, submit a bug and attach a NetLog dump repeating the steps leading to the issue from a new Incognito window. Add a comment to route the bug to the Internals>Network>Certificate component for the fastest delivery to the appropriate triage team.
If you believe you've identified a Security Bug, follow these instructions.
An enterprise policy was available for a limited time in support of troubleshooting during the transition to the Chrome Root Store and Chrome Certificate Verifier.
This enterprise policy is now deprecated.
Chrome uses a “component updater” tool to push specific updates to browser components without updating the Chrome browser application. As root CA certificates are added or removed from the Chrome Root Store, or otherwise modified by the Chrome Root Store, the component updater will automatically propagate these changes to user endpoints without user action.
If your enterprise has disabled component updates, endpoints will only receive updated versions of the Chrome Root Store during Chrome browser application updates.
During routine operating conditions, the Chrome Root Store is updated approximately quarterly. However, aperiodic updates may take place to promote the safety and privacy of Chrome's users.
Yes.
On Windows, the Chrome Certificate Verifier automatically consumes certificates added to the following certificate stores:
Local Machine (accessed via certlm.msc)
Current User (accessed via certmgr.msc)
On macOS, the Chrome Certificate Verifier automatically consumes certificates added to the following certificate stores:
Trust:
Distrust:
Note: The Chrome Certificate Verifier does not rely on the contents of the default trust store shipped by the platform provider. When viewing the contents of a platform trust store, it‘s important to remember there’s a difference between an enterprise or user explicitly distributing trust for a certificate and inheriting that trust from the default platform root store. For example, on Windows, viewing the Trusted Root Certification Authorities trust store may present a specific CA certificate as trusted, but that certificate's trust is inherited from the Windows Certificate Trust List, observed by viewing the Trusted Root Certification Authorities\Third-Party trust store, rather than explicitly being distributed as trusted by an enterprise or user (observed in either of the Trusted Root Certification Authorities\Registry, Trusted Root Certification Authorities\Group Policy, or Trusted Root Certification Authorities\Enterprise trust stores).
Historically, Chrome has integrated with platform certificate stores to support the use of client authentication certificates. This behavior is unchanged by the rollout of the Chrome Root Store and the Chrome Certificate Verifier.
The most recent version of the Chrome Root Store is available here.
The Chrome Root Store is updated by Component Updater. To observe the contents of the Chrome Root Store in use by a version of Chrome:
chrome://systemExpand... button next to chrome_root_storeThe Chrome Certificate Verifier applies standard processing to include checking:
Chrome applies additional processing rules for certificates chaining to roots included in the Chrome Root Store, such as:
The Chrome Certificate Verifier was designed to follow path-building guidance established in RFC 4158.
Source locations include //net/data/ssl/chrome_root_store, //net/cert, //services/cert_verifier, and //chrome/browser/component_updater/.
Source locations include //net/cert, //net/cert/internal, and //net/cert/pki.