
Trusted Root Certification Authorities in Google Chrome



List of Trusted Certificate Authorities in Chrome

When you’re browsing the internet, security is a top priority, and one of the main protectors of online security is a Certificate Authority (CA). These entities issue digital certificates that verify a website’s identity, ensuring your connection to it is secure. Google Chrome, one of the world’s most popular web browsers, maintains a list of trusted CAs to guard users against various online threats. In this extensive guide, we’ll dive into what CAs are, how they work, and most importantly, we’ll provide a comprehensive list of trusted root certification authorities in Chrome.

Key Takeaways:

  • Chrome relies on a pre-installed list of trusted certificate authorities (CAs) to verify the identity of websites. This ensures sites are who they claim to be.
  • The trusted CA list includes organizations like DigiCert, GoDaddy, GlobalSign, etc. There are about 200 authorities Chrome trusts by default.
  • Certificates issued by a trusted CA allow sites to use HTTPS and enable encrypted data transfer between the browser and site.
  • Users cannot manually modify the trusted CA list in Chrome. However, Chrome updates this list automatically based on the CA/Browser Forum’s decisions.
  • Site owners must purchase SSL certificates from a reputable CA like DigiCert or GoDaddy to activate HTTPS on their site and assure users that their site is secure.
  • If users see SSL certificate warnings in Chrome, it likely means the site’s certificate is invalid, expired, self-signed, or issued by a non-trusted CA.

What is a Certificate Authority in Chrome?

A certificate authority (CA) is an organization that issues SSL certificates to websites after validating their identity.

Chrome relies on a list of trusted third-party CAs to verify the authenticity of sites that users visit.

Here is the validation process in a nutshell:

  • A website applies for an SSL certificate from a trusted CA like DigiCert or Sectigo.
  • The CA will verify that the company or person requesting the certificate actually owns that domain.
  • Once the applicant’s identity is validated, the CA will issue a trusted SSL certificate for that domain.
  • The website installs this trusted certificate on its servers.
  • When users visit the site in Chrome, the browser recognizes the trusted CA that issued the site’s certificate.
  • Chrome then allows an encrypted HTTPS connection to be established securely without any warnings.

Without trusted CAs, Chrome has no way to verify if a website is who it claims to be. This mechanism is crucial for encrypted browsing.

Why Does Chrome Maintain a List of Trusted CAs?

There are a few important reasons why Chrome keeps a list of trusted certificate authorities:

Validate Site Identity

The main purpose of the trusted CA list is to validate website identity and enable secure HTTPS connections in Chrome.

When Chrome encounters an SSL certificate issued by a trusted CA, it can independently verify that the CA did its due diligence in ensuring the site is legitimate. This allows Chrome to display the green padlock and prevent man-in-the-middle attacks.

Allow Encrypted Connections

Trusted certificates are required to establish an encrypted HTTPS connection between the browser and site.

Data sent between the user and website over HTTPS is protected against eavesdroppers and tampering through SSL/TLS encryption protocols. This secure connection is only possible after Chrome approves the site’s trusted certificate.

Warn Users of Risks

Without a predefined list of trusted authorities, Chrome has no way to distinguish good certificates from bad.

Maintaining its own list allows Chrome to display clear warnings when sites present unfamiliar, misissued, or self-signed certificates to protect users from threats.

Comply with Industry Standards

The trusted CA list also allows Chrome to conform to industry standards for trusted certificates. This includes guidelines like the CA/Browser Forum Baseline Requirements that CAs must adhere to.

By enforcing these standards, Chrome ensures stronger security and reliability for users browsing the web.

Support CA Accountability

In rare cases where a trusted CA is compromised, Chrome can respond by removing them from the list and revoking their certificates.

This increases accountability for CAs to protect their infrastructure in order to remain trusted by major browsers.

Who are the Trusted CAs in Chrome’s List?

Chrome’s pre-installed list currently contains about 200 trusted root certification authorities. This list encompasses all the major CAs that issue SSL certificates for public websites.

Some of the most common trusted CAs include:

  • DigiCert: One of the largest SSL certificate authorities in the industry today. They issue high-assurance EV certificates to sites like Microsoft, Facebook, etc.
  • GoDaddy: A popular domain registrar that also offers a variety of SSL certificates at low cost. Well known for consumer certificates.
  • GlobalSign: An international CA that issues OV and EV certificates in over 150 countries worldwide.
  • Let’s Encrypt: A non-profit CA that provides free basic DV certificates to websites via an automated issuance process.
  • Network Solutions: Owned by Web.com, they offer a range of business certificates from domain validation to extended validation.
  • Sectigo: Previously known as Comodo CA, they offer SSL certificates in various validation levels.
  • Entrust: Known for their high-security extended validation certificates issued to major corporations.
  • SwissSign: A Swiss CA that adheres to the country’s strict privacy laws and offers EV certificates.
  • VeriSign Class 3: The root CA of Symantec, VeriSign, Norton, and GeoTrust. Offers domain validated SSL certificates.
  • QuoVadis: A European CA providing various SSL certificates including qualified certificates for the eIDAS regulation.
  • IdenTrust: Issues certificates mainly to U.S. federal, state, and local government entities.

What Kinds of Certificates Do Trusted CAs Provide?

The CAs on Chrome’s trusted root list issue different classes of SSL certificates depending on the validation level:

Domain Validated (DV) Certificates

  • Validates ownership of the domain only. Issued within minutes.
  • Enables HTTPS and padlock but no business identity verification.
  • Ideal for personal websites, blogs, and small business sites.

Organization Validated (OV) Certificates

  • Validates domain ownership and authenticates the business’s identity.
  • Displays organization information in Chrome’s URL bar.
  • Provides more trust than DV certificates.
  • Recommended for company sites that handle sensitive data.

Extended Validation (EV) Certificates

  • Highest level of validation including full business and legal vetting.
  • Displays company identity in green in the browser bar.
  • Used by major corporations and financial institutions.
  • Provides maximum assurance to website visitors.

All these certificate types issued by Chrome’s trusted authorities allow sites to activate HTTPS with the padlock and secure browsing indicators.

But only OV and EV SSL certificates display verified organization information to users in the browser’s interface.
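The DV/OV/EV distinction above is visible in the certificate itself. As an added example (not code from the original article), here is a small Go classifier that reads the fields an OV or EV certificate must carry and reports the validation level. It relies on the CA/Browser Forum’s reserved certificate policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV) and the EV-only subject attributes businessCategory and jurisdictionCountryName. The certificates it classifies are constructed in-code with made-up names such as “Example Corp” and “bank.example.com”, so nothing is fetched from the network. It goes slightly beyond the text by flagging a certificate whose policy OID and subject disagree, the kind of mismatch a reviewer would rather see surfaced than silently treated as EV.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
)

// CA/Browser Forum reserved policy OIDs: a publicly trusted server certificate
// carries the one matching its validation level. The two subject attribute OIDs
// are the EV-only fields (businessCategory and jurisdictionCountryName).
var (
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// hasAttr reports whether the subject carries an attribute of the given type,
// looking at both the parsed attributes and any extra ones set on a template.
func hasAttr(n pkix.Name, oid asn1.ObjectIdentifier) bool {
	for _, list := range [][]pkix.AttributeTypeAndValue{n.Names, n.ExtraNames} {
		for _, a := range list {
			if a.Type.Equal(oid) {
				return true
			}
		}
	}
	return false
}

// ValidationLevel classifies c as "DV", "OV" or "EV". The policy OID is
// authoritative; the subject is checked against it, and a mismatch (for example
// an EV policy on a certificate naming no organization) yields "inconsistent".
// Without any CA/B Forum policy OID, the subject alone decides.
func ValidationLevel(c *x509.Certificate) string {
	hasOrg := len(c.Subject.Organization) > 0
	evSubject := hasOrg && hasAttr(c.Subject, oidBusinessCategory) && hasAttr(c.Subject, oidJurisdictionCountry)
	for _, p := range c.PolicyIdentifiers {
		switch {
		case p.Equal(oidEV) && evSubject:
			return "EV"
		case p.Equal(oidOV) && hasOrg:
			return "OV"
		case p.Equal(oidDV) && !hasOrg:
			return "DV"
		case p.Equal(oidEV), p.Equal(oidOV), p.Equal(oidDV):
			return "inconsistent"
		}
	}
	if evSubject {
		return "EV"
	} else if hasOrg {
		return "OV"
	}
	return "DV"
}

// OrganizationShown returns the organization a browser could display for c, or
// "" for a DV certificate: only OV and EV certificates carry a verified
// organization name.
func OrganizationShown(c *x509.Certificate) string {
	switch ValidationLevel(c) {
	case "OV", "EV":
		return c.Subject.Organization[0]
	}
	return ""
}

// Samples are constructed subjects of the kind DV, OV and EV certificates carry,
// plus two edge cases; no signing is needed to classify them.
func Samples() map[string]string {
	org := []string{"Example Corp"} // constructed organization name
	certs := map[string]*x509.Certificate{
		"dv": {Subject: pkix.Name{CommonName: "blog.example.com"},
			PolicyIdentifiers: []asn1.ObjectIdentifier{oidDV}},
		"ov": {Subject: pkix.Name{CommonName: "www.example.com", Organization: org, Country: []string{"US"}},
			PolicyIdentifiers: []asn1.ObjectIdentifier{oidOV}},
		"ev": {Subject: pkix.Name{CommonName: "bank.example.com", Organization: org, Country: []string{"US"},
			SerialNumber: "1234567", ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidBusinessCategory, Value: "Private Organization"},
				{Type: oidJurisdictionCountry, Value: "US"}}},
			PolicyIdentifiers: []asn1.ObjectIdentifier{oidEV}},
		// EV policy asserted, but the subject has none of the EV fields.
		"ev-oid-without-org": {Subject: pkix.Name{CommonName: "shop.example.com"},
			PolicyIdentifiers: []asn1.ObjectIdentifier{oidEV}},
		// No CA/B Forum policy at all: fall back to the subject contents.
		"no-policy-with-org": {Subject: pkix.Name{CommonName: "intranet.example.com", Organization: org}},
	}
	out := map[string]string{}
	for name, c := range certs {
		out[name] = ValidationLevel(c)
	}
	return out
}
```

ValidationLevel works on any parsed *x509.Certificate, so the same function can be pointed at a certificate exported from Chrome’s certificate viewer once it has been loaded with x509.ParseCertificate.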

How To Check Chrome’s Pre-Installed CA List

Chrome stores its list of trusted root authorities in a pre-installed read-only database.

To view the full list of CAs that your Chrome browser trusts by default:

On Windows/Linux:

  • Click the 3-dot menu > Settings
  • Scroll down and click Advanced
  • Under the Privacy and security section, click Manage certificates
  • Go to the Trusted Root Certification Authorities tab
  • Review the long list of pre-installed trusted root CAs

On macOS:

  • Click Chrome > Preferences
  • Click Advanced
  • Under the HTTPS/SSL section, click Manage certificates
  • Go to the Trusted Root Certification Authorities tab
  • Review the long list of pre-installed trusted root CAs

Can Users Modify the Trusted CA List Manually?

No, Chrome does not allow users to manually add, remove, or modify which root authorities are on the trusted CA list.

Only Google developers have the ability to push updates to the Chrome trusted CA list based on industry standards and the CA/Browser Forum’s guidelines.

This is by design to prevent individual users from lowering their security by arbitrarily trusting extra certificates. It would also be impossible to securely distribute customized CA lists to millions of Chrome users.

So, the CA list ships as a pre-installed read-only database inside Chrome. The only way to modify it is through official Chrome updates from Google.

If you personally don’t trust a CA that Chrome includes, there is no way to selectively remove or untrust it as an individual user.

How Does Chrome Update its CA List?

The Chrome trusted CA list is automatically updated using the following methods:

Chrome Auto-Updates

Chrome auto-updates itself on a regular basis (every 2-3 days). This allows Chrome developers to push new CA certificates or remove compromised authorities via the Chrome update process.

Any change to the trusted CA list will be distributed to all Chrome users seamlessly through background auto-updates. Most users don’t even notice when the trusted CA database is modified.

Consensus Policy

Google also adheres to policies set by the CA/Browser Forum when deciding which CAs belong on the trusted list. This industry group, made up of CAs and major browser vendors, convenes to establish CA standards and guidelines.

When the Forum votes to remove or distrust a CA’s root certificate, Chrome will push an update to align with this consensus policy and protect its users.

Emergency Updates

In rare cases where a trusted CA experiences a major security breach, Chrome may also push an emergency update outside its normal update schedule to address the issue quickly.

This allows Chrome to revoke trust in the compromised CA before attackers can exploit the situation at scale.

Thanks to auto-updates, consensus policies, and emergency response capabilities, Chrome is able to maintain a robust and up-to-date trusted CA list that users can rely on for their HTTPS security.

What Happens if a Trusted CA is Compromised?

In the rare scenario where one of Chrome’s trusted CAs experiences a breach or failure, Chrome will respond by:

Investigating the Issue

The Chrome team will work with the CA to understand the extent of the failure and determine if the CA still meets the necessary security requirements to remain trusted.

Revoking Trust if Necessary

If the issue is severe enough to meaningfully impact the CA’s trustworthiness, Chrome will revoke trust in that CA’s root certificate.

Pushing an Update

An update will be pushed via auto-update to remove the compromised CA from the trusted list on all Chrome browsers.

Remediation Plan

The problematic CA must then fix its security vulnerabilities and re-apply to be included on the trusted list again.

This sequence of investigation, revocation, updates, and remediation allows Chrome to maintain the integrity of its trusted CA list when incidents occur.

Some examples of past emergency CA trust revocations include WoSign and StartCom.

What To Do If You See SSL Certificate Warnings

If you visit a site in Chrome and see an SSL certificate warning, it typically means the site’s certificate is either:

  • Self-signed rather than issued by a trusted CA
  • Issued by a root CA not in Chrome’s pre-installed list
  • Expired and needs to be renewed

The warning is Chrome’s way of protecting you against potential risks.

To resolve the issue:

  • Contact the site owner and inform them of the invalid SSL certificate.
  • The owner will need to purchase a certificate from a trusted CA recognized by Chrome.
  • Common trusted options include DigiCert, GoDaddy, GlobalSign, etc.
  • Once the trusted certificate is installed, the warnings should disappear.

If the warnings persist even after the site installs a certificate from a trusted CA, the owner will need to investigate the web server’s configuration to find what is causing Chrome to reject the certificate as invalid.
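The validation steps described under “What is a Certificate Authority in Chrome?”, the “review the list of pre-installed trusted root CAs” step, and the warning causes listed in this section can all be exercised in one program. The Go code below is an added example (not code from the article and not Chrome’s own verifier): it constructs a tiny CA hierarchy with made-up names (“Example Trusted Root CA”, “Example Issuing CA”, “Unknown Root CA”, “www.example.com”), treats a PEM bundle containing only the first root as the trusted list, and then classifies a site certificate as trusted, expired, self-signed, or issued by an authority the browser cannot find. It also adds one case the list above does not name, a server that omits its intermediate certificate, because that produces the same “unknown issuer” outcome as an untrusted root and is a common reason warnings persist after a trusted certificate is installed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn signed by parent, or self-signed when parent is nil.
// Every certificate and name in this file is constructed for the demo.
func issue(cn string, isCA bool, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA must be permitted to sign certificates
	} else {
		tmpl.DNSNames = []string{cn} // browsers match the host name against the SAN, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// selfSigned reports whether c's signature verifies under its own public key.
func selfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// rootsFromBundle is the "review the pre-installed root CAs" step: parse a PEM bundle,
// keep only self-signed CA certificates as trust anchors, and return their names.
func rootsFromBundle(bundle []byte) (*x509.CertPool, []string) {
	pool, names := x509.NewCertPool(), []string{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(block.Bytes); err == nil && c.IsCA && selfSigned(c) {
			pool.AddCert(c)
			names = append(names, c.Subject.CommonName)
		}
	}
	return pool, names
}

// Diagnose verifies leaf the way a browser does (chain built from what the server sent,
// anchored in the trusted roots) and names the warning cause described on the page.
func Diagnose(leaf *x509.Certificate, sent, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: sent, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unknown) && selfSigned(leaf):
		return "self-signed"
	case errors.As(err, &unknown): // issuer neither in the root list nor sent by the server
		return "unknown issuer"
	}
	return "other: " + err.Error()
}

// Scenarios builds the constructed hierarchy, treats a one-entry PEM bundle as the
// trusted root list, and returns the diagnosis for each situation discussed on the page.
func Scenarios() (map[string]string, []string) {
	now := time.Now()
	past, future := now.Add(-48*time.Hour), now.Add(24*time.Hour)
	root, rootKey := issue("Example Trusted Root CA", true, past, future, nil, nil)
	ca, caKey := issue("Example Issuing CA", true, past, future, root, rootKey)
	other, otherKey := issue("Unknown Root CA", true, past, future, nil, nil)
	good, _ := issue("www.example.com", false, past, future, ca, caKey)
	expired, _ := issue("www.example.com", false, past, now.Add(-time.Hour), ca, caKey)
	self, _ := issue("www.example.com", false, past, future, nil, nil)
	foreign, _ := issue("www.example.com", false, past, future, other, otherKey)
	roots, names := rootsFromBundle(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw}))
	sent, none := x509.NewCertPool(), x509.NewCertPool() // intermediates the server sends, or none
	sent.AddCert(ca)
	return map[string]string{
		"valid chain":          Diagnose(good, sent, roots, "www.example.com", now),
		"expired":              Diagnose(expired, sent, roots, "www.example.com", now),
		"self-signed":          Diagnose(self, none, roots, "www.example.com", now),
		"untrusted root":       Diagnose(foreign, none, roots, "www.example.com", now),
		"missing intermediate": Diagnose(good, none, roots, "www.example.com", now),
	}, names
}
```

Scenarios() returns the diagnosis for each case together with the root names read from the bundle; call it from a main or a test. Because “untrusted root” and “missing intermediate” look identical from the browser’s side, a site owner who still sees warnings after installing a certificate from a trusted CA should confirm that the server sends the issuing CA’s intermediate certificate along with the site certificate, not the site certificate alone.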

Conclusion on Trusted Root Certification Authorities in Chrome

Chrome has a pre-installed list of trusted certificate authorities that it uses to verify the validity of TLS/SSL certificates when browsing HTTPS websites. This list contains over 200 root CA certificates from major certificate authorities like VeriSign, DigiCert, GoDaddy, GlobalSign, and Sectigo. Certificate authorities issue SSL/TLS certificates to websites after validating their identity.

Having a pre-installed list allows Chrome to seamlessly verify certificates without needing user intervention. The list is curated and updated by Google to ensure it only includes reputable CAs that follow best practices. Overall, this trusted root CA store allows Chrome to securely connect to HTTPS sites and protect users from man-in-the-middle attacks when browsing the web.

Trusted Root Certification Authorities in Chrome FAQs

How many certificate authorities does Chrome trust by default?

Chrome trusts around 200 different root CAs by default through its pre-installed read-only list. This covers all the major certificate authorities responsible for issuing SSL certificates publicly trusted on the internet today.

Who decides which CAs are trusted by Chrome?

Google Chrome developers maintain the list based on industry guidelines and standards established by the CA/Browser Forum. This governing body votes on policies for CA trust and revocation when incidents occur.

What is a self-signed certificate?

A self-signed certificate is signed by its own creator rather than a trusted CA. Chrome will warn users not to trust self-signed certificates since their authenticity can’t be verified.

Can I download and install custom CA certificates into Chrome?

No, the Chrome trusted CA list cannot be customized or modified by users themselves. The only way to update the list is through official Chrome updates from Google.

How can I tell if a site uses an SSL certificate from a trusted CA?

If the site has a green padlock and the URL starts with “https://”, it means the site is using a valid trusted certificate. The CA name may also be visible by clicking the lock icon.

What should I do if a site has an untrusted certificate warning?

Notify the site owner about the invalid certificate. They will need to install a trusted SSL certificate issued by a CA in Chrome’s default list like DigiCert or Comodo.

Why does Chrome distrust WoSign and StartCom?

These two CAs were removed from Chrome’s list due to major security incidents that called their trustworthiness into question based on industry policies.

How often does Chrome update its trusted CA list?

Chrome updates its CA list automatically alongside routine browser updates that occur every 2-3 days in the background. Emergency updates may also be pushed if a severe CA incident warrants immediate revocation.