Google Chrome to distrust two certificate authorities over compliance issues


Google has revealed that it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock, citing “patterns of concerning behavior observed over the past year.”

The change is expected to be introduced in Chrome 139, which is scheduled to be released in early August 2025. The current major version is 137.

This update affects all Transport Layer Security (TLS) server authentication certificates issued by the two Certificate Authorities (CAs) after 11:59:59 PM UTC on July 31, 2025. Certificates issued prior to that day will not be affected.

Chunghwa Telecom is Taiwan’s largest integrated telecom service provider, and NetLock is a Hungarian company offering digital identity, digital signatures, timestamping and authentication solutions.

“We have observed over the past few months and years that there has been no specific, measurable progress in response to compliance obstacles, unmet improvement commitments, and published incident reports,” said Google’s Chrome Root Program and the Chrome Security Team.

“When these factors are taken into account in the tally and taken into account for inherent risks, each publicly trusted CA brings to the Internet.

As a result of this change, Chrome users on Windows, macOS, ChromeOS, Android and Linux who navigate to a site that serves a certificate issued by one of the two CAs after July 31st will see a full-screen security warning.

Website operators relying on the two CAs are advised to use the Chrome Certificate Viewer to check the validity of their site’s certificates and move to a new publicly trusted CA as soon as possible to avoid user disruption.
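For operators with more than a handful of sites, the check above can be scripted. The following is an added example, not code from Google or from the original article: it classifies certificates in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()` against the cutoff stated above. It assumes the two CAs can be recognised by a name fragment in the leaf's issuer field and that `notBefore` approximates the issuance time; the hostnames and issuer strings in `SAMPLES` are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff stated in the article: 11:59:59 PM UTC on July 31, 2025.
CUTOFF = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc)
# Assumption: name fragments used to recognise the two CAs in an issuer field.
AFFECTED = ("chunghwa telecom", "netlock")

def issuer_names(cert):
    """Issuer organizationName/commonName values from a getpeercert() dict."""
    return [v for rdn in cert.get("issuer", ()) for k, v in rdn
            if k in ("organizationName", "commonName")]

def classify(cert):
    """Return 'unaffected', 'still-trusted' or 'warning' for one certificate."""
    if not any(f in n.lower() for n in issuer_names(cert) for f in AFFECTED):
        return "unaffected"
    # Assumption: notBefore approximates the issuance time the article refers to.
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return "warning" if issued > CUTOFF else "still-trusted"

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live leaf certificate (needs network; the handshake fails if
    the local trust store rejects the chain)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _cert(org, not_before):
    # Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
    return {"issuer": ((("countryName", "XX"),), (("organizationName", org),)),
            "notBefore": not_before}

SAMPLES = {  # constructed inventory, not real certificates
    "shop.example": _cert("Chunghwa Telecom Co., Ltd.", "Aug  1 00:00:00 2025 GMT"),
    "mail.example": _cert("NetLock Kft.", "Jul 31 23:59:59 2025 GMT"),
    "www.example": _cert("Example Trust Services", "Aug 15 12:00:00 2025 GMT"),
}

def triage(inventory):
    """Map each hostname to its verdict."""
    return {host: classify(cert) for host, cert in inventory.items()}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(f"{host}: {verdict}")
```

A "still-trusted" verdict only covers the certificate currently deployed; any renewal from the same CA after the cutoff would move that host to "warning".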


However, enterprises can override these Chrome Root Store constraints by installing the corresponding root CA certificate as a locally trusted root on the platform on which Chrome is running. It is worth noting that Apple distrusted NetLock’s root CA certificate, “NetLock Arany (Class Gold) Főtanúsítvány”, on November 15th, 2024.

This disclosure comes after Google Chrome, Apple, and Mozilla decided to no longer trust root CA certificates signed by Entrust as of November 2024. Entrust then sold its certificate business to Sectigo.

Earlier this March, Google also revealed that the CA/Browser Forum had adopted Multi-Perspective Issuance Corroboration (MPIC) and linting as required practices in the Baseline Requirements (BRs) to strengthen domain control validation and flag problems in X.509 certificates.
