Google Cloud services are switching Certificate Authority
Adam Langley
Software Engineer
Earlier this year, Google announced that we had established Google Trust Services to operate our own Root Certificate Authority on behalf of Google and Alphabet. Preparations are proceeding apace and customers that rely on Google services—including Google Cloud services such as Compute Engine, Gmail and others—should be aware that Google will soon begin using a different Certificate Authority (CA). We expect this to have no impact for the vast majority of customers.
Google commonly uses TLS (previously known as SSL) to secure communications between Google services and our users. As part of TLS, a server is required to provide proof of its identity in the form of a certificate that's signed by a CA. Google has long used certificates ultimately issued by the CA “GeoTrust.”
In the coming months, Google will begin using the GlobalSign R2 CA (“GS Root R2”). As it's a well-established and commonly trusted root CA, we expect minimal disruption to clients. However, for TLS clients that operate with custom root stores, we recommend that customers and application vendors ensure that their applications trust at least our minimum root set (PEM file).
The Google Trust Services home page contains links for customers and application vendors to test support for Google-operated roots, including GS Root R2. However, because we may use other roots in the future, customers should use the aforementioned root set and not simply the specific roots currently listed there.
More generally, a reasonable root set is not the only factor in ensuring that TLS clients continue to function over time. TLS clients should also meet these requirements to ensure minimal disruption:
- Support for TLS 1.2.
- A Server Name Indication (SNI) extension that contains the domain that's being connected to.
- Support for the cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 using the NIST P-256 curve (a.k.a “secp256r1”) and uncompressed points.
- At a minimum, trust the certificates listed at https://pki.goog/roots.pem.
- Support for DNS Subject Alternative Names (SANs) by the certificate verifier, where SANs may include a single wildcard as the left-most label in the domain name.