Chrome will use its own ‘root store’ for certificates


Google is moving away from using the operating system's root certificate stores in Chrome. The tech company is starting its own root certificate program for the browser. The change applies to all platforms except Apple’s iOS.

Chrome has always used the root store of the underlying operating system on which the browser is installed. In the future, however, Google wants to use its own root store, which the company will operate itself. The Chrome Root Program is meant to ensure that certificates in the browser meet the same requirements on every device. Currently, the root stores that operating systems use sometimes differ, so that a certificate can be accepted on one operating system but not on another. Google does not describe exactly how big that problem is. “The Chrome Root Program ensures that users have a consistent experience across platforms, that developers have a consistent understanding of Chrome’s behavior, and that Chrome can better protect users’ security and privacy,” the company said.

Certificate authorities can submit their certificates to the Chrome Root Program themselves. Google has set a number of requirements for this, for example that the CAs only issue TLS certificates and that they ‘have a general public discussion’ about matters such as audits. The company says it can individually assess CAs that don’t meet those requirements.

The Root Program works on all platforms except iOS. “Apple’s policy prevents the Chrome Root Store from using it on Chrome for iOS,” Google said. The company says a number of certificate authorities have already been selected to participate in the program. These are CAs that are already included in Mozilla’s Common CA Certificate Database. Google does not say what timeline it will follow for the migration to its own root store. It is therefore not known in which version of Chrome this change will be implemented or in what timeframe.
