Do Son 
Beginning August 1, 2025, the Google Chrome browser will cease to automatically trust digital certificates issued by two major certificate authorities—Chunghwa Telecom and Netlock. This decision follows a series of policy violations and repeated failures by both organizations to fulfill their commitments to improving operational processes. The announcement was made in an official statement from Google.
Google emphasized that trust in these certificate authorities has been severely undermined after a year of recurring non-compliance, lack of transparency, and absence of demonstrable progress. The company underscored that such behavior is fundamentally incompatible with the standards expected of public CAs, whose certificates are, by default, trusted within Chrome.
Chunghwa Telecom, Taiwan’s largest telecommunications provider, operates the public certificate authorities ePKI and HiPKI, which issue certificates for HTTPS traffic encryption. Hungarian company Netlock is recognized for providing digital signatures, timestamps, and SSL certificates, including the widely used European root certificate Arany (Gold Class) Root CA.
Both organizations have, for years, been included in the Chrome Root Store—Google’s internal repository of trusted root certificates used to verify secure connections. However, following their removal from the Root Store, all websites relying on their certificates will trigger a “Your connection is not secure” warning in Chrome.
While users will still have the option to bypass the warning manually and proceed to such sites, this will inevitably degrade user experience and erode trust. To avoid disruption, site administrators are strongly encouraged to replace affected certificates with those issued by a trusted authority as soon as possible.
Certificates issued by Chunghwa Telecom and Netlock before July 31, 2025, will remain valid in Chrome until their expiration date. Nevertheless, Google strongly advises against delaying replacement, as any certificates issued by these authorities from August 1 onward will be rejected by the browser.
For enterprise environments, Google will continue to allow administrators to manually add certificates to the system’s local trust store, thereby maintaining internal resource compatibility.
It is important to note that this change will affect only Google Chrome users. Other browsers—Microsoft Edge, Mozilla Firefox, and Apple Safari—maintain independent trust stores and therefore will not automatically mirror Chrome’s behavior.
The removal of Chunghwa Telecom and Netlock is a continuation of Google’s uncompromising stance on tightening governance within the public CA ecosystem. Similar action was taken against Entrust in June 2024, with enforcement beginning in November. At the time, Google cited a series of incidents dating back to 2018 that indicated persistent failures to uphold security standards and an inability to demonstrate meaningful reform.
In March 2025, Google introduced new mandatory requirements for all certificate authorities issuing HTTPS/TLS certificates, affirming its intent to elevate the standards of trust. The cases of Chunghwa Telecom and Netlock now stand as the first practical applications of these revised policies—and, it is expected, they will not be the last. Past controversies involving certificate authorities—such as Chinese CAs erroneously issuing certificates for unauthorized domains—underscore the critical importance of rigorous oversight. As modern applications increasingly rely on certificate chains to ensure secure communications, the role of browser-enforced trust policies has never been more vital.
Donate