Google is known for having its fingers in many pies, so it should not come as a surprise that it has opted to start its own Root Certificate Authority.
With the increased implementation of HTTPS across its products, it makes sense for Google to wade into that particular pool. With this step, the company is also minimizing its dependency on other organizations, and allowing its engineers to control issued certificates from start to finish.
“The process of embedding Root Certificates into products and waiting for the associated versions of those products to be broadly deployed can take time. For this reason we have also purchased two existing Root Certificate Authorities, GlobalSign R2 and R4. These Root Certificates will enable us to begin independent certificate issuance sooner rather than later,” explained Ryan Hurst, a manager in Google’s Security and Privacy Engineering unit.
Until now, the company was operating its own subordinate Certificate Authority (GIAG2), issued by a third party, to handle its SSL/TLS certificate needs. This CA will still be operated by Google, but a new entity – Google Trust Services – has been created to operate the new Root Certificate Authority.
In the announcement, Hurst said that the new Root CA will issue certificates on behalf of Google and parent company Alphabet. In a previous post on Mozilla’s bug-tracking system, he also noted that the new CA is a commercial CA that will provide certificates to customers from around the world.
“We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing,” he explained. “We will not require that customers have a domain registration with Google, use domain suffixes where Google is the registrant, or have other services from Google.”
The announced change won’t mean much to users of the various Google services – as long as a certificate is valid and doesn’t ring an alarm bell, it pretty much goes unnoticed.
On the other hand, developers who build products that connect to Google’s services will have to include the new Root Certificates.
“Google maintains a sample PEM file which is periodically updated to include the Google Trust Services owned and operated roots as well as other roots that may be necessary now, or in the future to communicate with and use Google Products and Services,” Hurst pointed out.