Chrome to Distrust Chunghwa Telecom and Netlock Certificates

Google on Friday announced that the Chrome Root Store will no longer trust digital certificates issued by Chunghwa Telecom and Netlock.

The change will be introduced in Chrome 139 and will impact all Transport Layer Security (TLS) server authentication certificates issued by the two Certificate Authorities (CAs) after July 31, 2025 11:59:59 PM UTC. Digital certificates issued before that time will not be affected.

The move, Google says, is the result of diminished confidence and reliability in Chunghwa Telecom and Netlock as CA Owners, due to “patterns of concerning behavior observed over the past year”.

“These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome,” Google says.

Over the past years, the company explains, Chunghwa Telecom and Netlock failed to meet compliance requirements, did not fulfil improvement commitments, and did not make tangible progress in responding to publicly disclosed incident reports.

The decision to remove trust in the two CAs, the internet giant says, is meant to preserve the integrity of the Chrome Root Store and to ensure the safety of Chrome users.

Following the change, when navigating to a site serving a certificate issued by either of the two CAs after July 31, Chrome 139 users on Windows, Linux, macOS, Android, and ChromeOS will see a “potential security threat” warning.

To avoid disruptions, website operators are advised to use the Chrome Certificate Viewer to check the validity of their site’s certificates and to replace potentially affected certificates before July 31.
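For operators with more sites than can be checked by hand in the Certificate Viewer, the same check can be scripted. The following is an added example, not code from Google or from the article. It assumes the issuing CA's organizationName contains "Chunghwa Telecom" or "Netlock", and it uses the certificate's notBefore date as a stand-in for the issuance time; the sample certificates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff from the article: issuance after this instant is distrusted in Chrome 139.
CUTOFF = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc)
# Assumption: the issuer organizationName contains one of the CA names.
CA_NAMES = ("chunghwa telecom", "netlock")

def issuer_org(cert):
    """Issuer organizationName from an ssl getpeercert() dict, or ''."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def classify(cert):
    """Return 'unaffected', 'issued-before-cutoff' or 'issued-after-cutoff'."""
    org = issuer_org(cert).lower()
    if not any(name in org for name in CA_NAMES):
        return "unaffected"
    # notBefore stands in for the issuance time (assumption).
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return "issued-after-cutoff" if issued > CUTOFF else "issued-before-cutoff"

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate of host as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def make_sample(org, not_before):
    """Build a constructed getpeercert()-style dict for offline runs."""
    return {"issuer": ((("countryName", "XX"),),
                       (("organizationName", org),)),
            "notBefore": not_before}

# Constructed samples (not real certificates).
SAMPLES = {
    "old.example": make_sample("Chunghwa Telecom Co., Ltd.", "Jul 31 23:59:59 2025 GMT"),
    "new.example": make_sample("NETLOCK Kft.", "Aug  1 00:00:00 2025 GMT"),
    "other.example": make_sample("Example Trust Services", "Aug 15 12:00:00 2025 GMT"),
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name}: {classify(cert)}")
```

For a live inventory, pass `fetch_cert(host)` to `classify()` for each hostname; the handshake only succeeds where the local trust store still validates the chain.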

“While website operators could delay the impact of blocking action by choosing to collect and install a new TLS certificate issued from Chunghwa Telecom or Netlock before Chrome’s blocking action begins on August 1, 2025, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store,” Google notes.

Chrome users and enterprises, the internet giant explains, can explicitly trust any of the potentially impacted certificates on Chrome versions that rely on the Chrome Root Store, which will override the upcoming constraints. For that, they need to install the corresponding root CA certificate as a locally-trusted root on the underlying operating system.
