Google has revealed that it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock citing “patterns of concerning behavior observed over the past year.”
The changes are expected to be introduced in Chrome 139, which is scheduled for public release in early August 2025. The current major version is 137.
The update will affect all Transport Layer Security (TLS) server authentication certificates issued by the two Certificate Authorities (CAs) after July 31, 2025, 11:59:59 p.m. UTC. Certificates issued before that date will not be impacted.
Chunghwa Telecom is Taiwan’s largest integrated telecom service provider and Netlock is a Hungarian company that offers digital identity, electronic signature, time stamping, and authentication solutions.
“Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports,” Google’s Chrome Root Program and the Chrome Security Team said.
“When these factors are considered in the aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.”
As a result of this change, Chrome browser users on Windows, macOS, ChromeOS, Android, and Linux who navigate to a site serving a certificate issued by either of the two CAs after July 31, will be served a full-screen security warning.
Website operators who rely on the two CAs are recommended to use the Chrome Certificate Viewer to check the validity of their site’s certificates and transition to a new publicly-trusted CA as soon as “reasonably possible” to avoid any user disruption.
Enterprises, however, can override these Chrome Root Store constraints by installing the corresponding root CA certificate as a locally-trusted root on the platform Chrome is running. It’s worth noting that Apple has distrusted the Root CA Certificate “NetLock Arany (Class Gold) Főtanúsítvány” effective November 15, 2024.
The disclosure comes after Google Chrome, Apple, and Mozilla decided to no longer root CA certificates signed by Entrust as of November 2024. Entrust has since sold off its certificate business to Sectigo.
Earlier this March, Google revealed that the CA/Browser Forum adopted Multi-Perspective Issuance Corroboration (MPIC) and Linting as required practices in the Baseline Requirements (BRs) to enhance domain control validation and flag insecure practices in X.509 certificates.
