
Google Chrome to Distrust TLS Certificates from Chunghwa Telecom and Netlock Starting August 2025


Google Chrome users, heads up! Starting with Chrome version 139, expected in early August 2025, Google Chrome will distrust certificates issued by two Certificate Authorities (CAs): Chunghwa Telecom and Netlock. This change will affect millions of users worldwide, resulting in security warnings when visiting websites that use certificates from these authorities.

Why is Google Distrusting These Certificate Authorities?

Google’s decision comes after repeated compliance failures and unmet security commitments by Chunghwa Telecom and Netlock over the past year. The Chrome Root Program and Security Team monitor certificate authorities closely to ensure they meet stringent industry standards to protect users from potential security risks like man-in-the-middle attacks.

When a CA fails to comply with these standards, Google can choose to distrust their certificates to maintain the overall security of the web.

What Does This Mean for Website Owners?

Starting August 1, 2025, any TLS certificates issued by Chunghwa Telecom and Netlock after July 31, 2025 will be distrusted by Chrome browsers. Users who visit websites with these certificates will see a full-screen security warning on all platforms supported by Chrome, including:

  • Windows
  • macOS
  • ChromeOS
  • Android
  • Linux

This warning blocks access to the site unless the user proceeds despite the risks — something most visitors are unlikely to do.

Action Steps for Site Administrators:

  • Check your current SSL/TLS certificates: Use tools like the Chrome Certificate Viewer to verify if your site’s certificate comes from Chunghwa Telecom or Netlock.
  • Switch to a trusted CA: Migrate your SSL certificates to a reputable Certificate Authority that Google continues to trust, such as DigiCert, Sectigo, or Let’s Encrypt.
  • Renew certificates before the deadline: Make sure any new certificates are issued before July 31, 2025, to avoid service disruptions.
  • Inform your users if needed: If you anticipate downtime or issues during the transition, communicate proactively with your customers.
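
A scripted version of the first action step, useful when there are many hosts to check (an added example, not code from the article or from Google): it takes the certificate dict returned by Python's `ssl` `getpeercert()`, looks for the two CA names in the issuer, and compares `notBefore` with the July 31, 2025 cutoff. The substring matching, the use of `notBefore` as the issuance date, and the sample issuer strings are assumptions of this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# CA names come from the article; matching them as case-insensitive substrings
# of the issuer's organizationName/commonName is an assumption of this example.
AFFECTED_CA_NAMES = ("chunghwa telecom", "netlock")
# Article: certificates issued after July 31, 2025 are distrusted.
CUTOFF = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc)

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate as an ssl getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_field(cert, name):
    """Return one issuer attribute (e.g. organizationName), or ''."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == name:
                return value
    return ""

def classify(cert):
    """Return 'ok', 'affected-ca' (issued before cutoff) or 'distrusted'."""
    names = (issuer_field(cert, "organizationName") + " "
             + issuer_field(cert, "commonName")).lower()
    if not any(ca in names for ca in AFFECTED_CA_NAMES):
        return "ok"
    # Assumption: notBefore stands in for the certificate's issuance date.
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return "distrusted" if issued > CUTOFF else "affected-ca"

def sample(org, not_before):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"issuer": ((("organizationName", org),),
                       (("commonName", org + " TLS CA"),)),
            "notBefore": not_before}

if __name__ == "__main__":
    # Constructed inputs, not real certificates; swap in fetch_cert("your.host").
    for cert in (sample("Example Trust Services", "Aug  5 00:00:00 2025 GMT"),
                 sample("Chunghwa Telecom Co., Ltd.", "Mar 10 00:00:00 2025 GMT"),
                 sample("NETLOCK Kft.", "Aug  5 00:00:00 2025 GMT")):
        print(issuer_field(cert, "organizationName"), "->", classify(cert))
```

A result of `affected-ca` means the certificate predates the cutoff but any renewal or reissue from the same CA after it would be distrusted, so those hosts are the ones to migrate.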

What About Enterprises and Organizations?

If your organization still relies on certificates from these distrusted CAs, there is a temporary workaround. You can install the root CA certificates as locally trusted roots on your devices or servers, allowing Chrome to accept those certificates internally. However, this is a temporary measure and is not recommended for public-facing websites.

Previous Similar Actions by Google

This move follows a similar distrust decision involving Entrust, another Certificate Authority that faced compliance issues and eventually sold its public certificate business to Sectigo in 2023. Google continuously monitors the certificate ecosystem to maintain the highest standards of internet security.

Final Thoughts

The internet’s trust system depends heavily on Certificate Authorities maintaining strict security and compliance standards. Google’s decision to distrust Chunghwa Telecom and Netlock certificates is a necessary step to protect Chrome users from insecure connections and potential cyber threats.

If you run a website, it’s crucial to stay updated on the status of your SSL/TLS certificates and act proactively to avoid any interruptions. Migrating to a trusted CA before August 2025 will ensure your users enjoy a safe and seamless browsing experience.


Frequently Asked Questions (FAQs)

Q1: How can I check which CA issued my website’s certificate?
You can use Chrome’s certificate viewer or online tools like SSL Labs’ SSL Test to find detailed information about your SSL certificate issuer.

Q2: Will other browsers also distrust these CAs?
While this announcement is specific to Google Chrome, other browsers may follow similar policies. It’s best to switch to trusted CAs proactively.

Q3: What is a Certificate Authority?
A Certificate Authority is a trusted organization that issues SSL/TLS certificates, which encrypt data and verify website identities for secure communication online.
