Google is starting a new chapter of its road to independence as it announced the launch of its own root certificate authority.
This new move will make sure Google will stop relying on intermediate certificate authorities, GIAG2 in their case, issued by a third party. The company has been working on rolling out HTTPS across its products and services, and it seems it seeks a speedier method to do so and more control over the matter.
“As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology. This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority,” writes Ryan Hurst, product manager at Google.
This is how Google Trust Services was born, an entity that will operate these Certificate Authorities on behalf of Google and Alphabet, their parent company.
This entire process will take time, however. Embedding root certificates into products and waiting for the associated versions of those products to be broadly deployed can take time. Therefore, Google has acquired two existing Root Certificate Authorities - GlobalSign R2 and R4 - which will enable the company to begin issuing independent certificates in a speedy manner.
Old certificates to continue working
Google wants to continue the operation of their existing GIAG2 subordinate Certificate Authority for the time being.
“If you are building products that intend to connect to a Google property moving forward you need to at minimum include the above Root Certificates. With that said even though we now operate our own roots, we may still choose to operate subordinate CAs under third-party operated roots. If you are building products that intend to connect to a Google property moving forward you need to at minimum include the above Root Certificates. With that said even though we now operate our own roots, we may still choose to operate subordinate CAs under third-party operated roots,” Hurst adds.
Google advises developers seeking to connect to Google property to include a wide set of trusty roots in their products.