Google Tightens Restrictions on TLS Certificate Usage for Enhanced Security

Google Enforces Stricter Root Certificate Policies for Enhanced Security

As of June 15, 2025, Google enforces a new set of rules for root certificates included in Chrome's root store. Previously, these roots could be used for a variety of purposes, including code signing and secure messaging. The updated policy limits their accepted function to server authentication during TLS connections. The aim is to tighten security and reduce the potential for misuse of trusted roots.

New Requirements for Certificate Authorities and Their Hierarchies

Under this framework, only inclusion requests from certificate authorities whose hierarchies comply with the new policy are accepted. A CA must therefore operate a hierarchy that has explicitly agreed to these rules or face restrictions. Before this change, CAs could still use roots in Chrome's store for client authentication; that practice is now restricted.

Upcoming Enforcement and Impacts on Non-Compliant Root Certificates

A further milestone is set for June 15, 2026. Beginning on this date, Google will impose SCTNotAfter constraints on root certificates linked to unsupported hierarchies. In practical terms, Chrome will stop trusting these certificates after 90 days unless they are replaced or reconfigured according to the new policies. If a root CA’s hierarchy doesn’t conform, Google advises that the CA may take certain actions at its discretion:

  • Apply for inclusion under a new, compliant hierarchy (preferably by September 15, 2025)
  • Revoke or reissue certificates that do not meet the new standards
  • Request removal of non-compliant hierarchies from the Chrome store

To mitigate disruption within the ecosystem, exceptions to the SCTNotAfter constraint may be granted on a case-by-case basis. These exceptions will be reserved for cases where certificate owners submit a formal inclusion request for a replacement certificate before June 15, 2026.

Parallel Reduction in Certificate Validity Periods

Google’s policy adjustment extends beyond root certificates. Recently, the company contributed to a decision made within the CA/Browser Forum to gradually reduce the maximum validity periods for TLS certificates and associated registration information. This initiative aims to bolster trustworthiness in the TLS ecosystem.

Certificates issued after    Certificates issued before    Maximum validity period
                             March 15, 2026                398 days
March 15, 2026               March 15, 2027                200 days
March 15, 2027               March 15, 2029                100 days
March 15, 2029                                             47 days

This staged reduction is intended to improve the overall reliability of certificates by limiting their lifespan, which shrinks the window in which a compromised or mis-issued certificate can be exploited.
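The following added example (not code from Google, Chrome or the CA/Browser Forum) audits a certificate inventory against the staged validity caps in the table above and the server-authentication-only rule from the earlier section. It assumes a certificate issued on a boundary date falls under the new, shorter cap, measures validity as notAfter minus notBefore in whole days, and works on constructed records rather than parsing real certificates.

```python
"""Audit certificate records against the staged validity caps and the
TLS-server-auth-only rule. Added example; boundary handling and the
constructed sample inventory are assumptions, not policy text."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

# Caps from the article, newest first: applies to certificates issued on or after the date.
VALIDITY_SCHEDULE = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100), (date(2026, 3, 15), 200)]
LEGACY_MAX_VALIDITY = 398            # certificates issued before March 15, 2026
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth EKU OID

def max_validity_days(issued: date) -> int:
    """Maximum validity in days permitted for a certificate issued on `issued`."""
    for start, cap in VALIDITY_SCHEDULE:
        if issued >= start:
            return cap
    return LEGACY_MAX_VALIDITY

@dataclass
class CertRecord:
    subject: str
    not_before: datetime
    not_after: datetime
    ekus: list = field(default_factory=list)  # EKU OIDs as dotted strings

def audit(rec: CertRecord) -> list:
    """Findings for one certificate; an empty list means it passes both checks."""
    findings = []
    lifetime = (rec.not_after - rec.not_before).days
    cap = max_validity_days(rec.not_before.date())
    if lifetime > cap:
        findings.append(f"validity {lifetime}d exceeds the {cap}d cap for issuance on {rec.not_before.date()}")
    if SERVER_AUTH not in rec.ekus:
        findings.append("missing id-kp-serverAuth; Chrome accepts these hierarchies for TLS server auth only")
    extra = sorted(set(rec.ekus) - {SERVER_AUTH})
    if extra:
        findings.append(f"EKUs beyond serverAuth ({', '.join(extra)}) fall outside the TLS-only policy")
    return findings

def audit_inventory(records) -> dict:
    """Map each subject to its findings, listing only the non-compliant certificates."""
    return {r.subject: f for r in records if (f := audit(r))}

def make_record(subject, issued, days, ekus) -> CertRecord:
    """Build a constructed record: issued on (year, month, day), valid for `days`."""
    nb = datetime(*issued, tzinfo=timezone.utc)
    return CertRecord(subject, nb, nb + timedelta(days=days), ekus)

# Constructed sample inventory (hypothetical hosts, not real certificates).
SAMPLE_INVENTORY = [
    make_record("www.example.test", (2026, 1, 10), 398, [SERVER_AUTH]),                # legacy cap, ok
    make_record("api.example.test", (2026, 3, 15), 398, [SERVER_AUTH]),                # 200d cap applies
    make_record("vpn.example.test", (2027, 9, 1), 90, [SERVER_AUTH, "1.3.6.1.5.5.7.3.2"]),  # clientAuth too
    make_record("edge.example.test", (2029, 4, 1), 47, [SERVER_AUTH]),                 # exactly at 47d
]

if __name__ == "__main__":
    for subject, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(subject, "->", "; ".join(findings))
```

In practice the records would be filled from parsed certificate fields (notBefore, notAfter and the extendedKeyUsage extension) pulled from your inventory.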

Changes Affecting Personal Data Certificates and Domain Names

The same trend applies to the reuse of validated subject identity information and of validated domain names or IP addresses, with the maximum reuse period decreasing over time:

Certificates issued after    Certificates issued before    Maximum reuse period
                             March 15, 2026                825 days
March 15, 2026                                             398 days

For domain names and IP addresses, the maximum reuse period of validation data is also shrinking: for certificates issued after March 15, 2029, it is limited to just 10 days, underlining the shift toward shorter validity spans as a security measure.

Google’s Rationale and Broader Goals

Google views these measures as critical steps toward boosting the overall security and trustworthiness of digital certificates. Shortening their lifespan reduces risks associated with compromised or misused certificates, such as the exploitation of orphaned domain names or other malicious activities. These policies collectively aim to make digital identity more reliable and resilient against evolving cyber threats.

Conclusion

With these sweeping changes—limiting root certificates to a specific purpose, enforcing compliance for hierarchical PKIs, and reducing certificate validity—Google is reinforcing its commitment to a safer web environment. While these regulations impose stricter standards, they are expected to lead to a more secure and trustworthy digital infrastructure for all users and organizations relying on TLS and digital certificates.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.