Google has officially announced it will no longer trust digital certificates issued by Chunghwa Telecom and also by Netlock. This significant change is expected to be introduced in Chrome version 139, which is scheduled for public release in early August 2025. The update will affect all Transport Layer Security (TLS) server authentication certificates that are issued by these two Certificate Authorities. This applies specifically to certificates issued after July 31, 2025, at 11:59:59 p.m. UTC; older certificates will not be impacted. Chunghwa Telecom is Taiwan’s largest telecom provider, while Netlock is a Hungarian company offering various digital identity and authentication solutions.
This decision by Google stems from what it described as “patterns of concerning behavior observed over the past year” from both CAs. Google’s Chrome Root Program and Security Team stated they observed a pattern of compliance failures from these two Certificate Authorities. There were also unmet improvement commitments and an absence of tangible, measurable progress in response to publicly disclosed incident reports. Google explained that when these factors are considered in aggregate against the inherent risk each publicly-trusted CA poses, continued public trust is no longer justified. This move is meant to preserve the integrity of the Chrome Root Store and ensure the safety of all Chrome users globally.
As a direct result of this upcoming change, Chrome browser users across all platforms will encounter full-screen security warnings.
This includes users on Windows, macOS, ChromeOS, Android, and also Linux operating systems when they navigate to an affected site. This warning will appear if the site serves a certificate issued by either of the two CAs after the July 31st deadline. Website operators who currently rely on Chunghwa Telecom or Netlock are strongly recommended to use the Chrome Certificate Viewer. This tool will help them check the validity of their site’s certificates and transition to a new publicly-trusted CA soon. This transition should occur as soon as “reasonably possible” to avoid any significant user disruption or loss of visitor trust.
Enterprises, however, can choose to override these new Chrome Root Store constraints by installing the corresponding root CA certificate. They would install it as a locally-trusted root on the platform where Chrome is running, maintaining previous access if necessary. It is worth noting that Apple had previously distrusted a specific NetLock Root CA Certificate effective November 15, 2024, showing prior concerns. This current Google disclosure also follows a decision last year by Google Chrome, Apple, and Mozilla to no longer trust root CA certificates. Those were certificates signed by Entrust, highlighting ongoing efforts by browser vendors to enhance the security and trustworthiness of digital certificates.
Reference:
