Starting August 1, 2025, Google Chrome will no longer trust TLS certificates issued by Chunghwa Telecom (Taiwan) and NetLock (Hungary) due to repeated compliance failures. This change, announced in Chrome version 139+, will affect new certificates issued after July 31, 2025, triggering full-page security warnings for affected websites while leaving existing certificates valid until expiration1.
Technical Details of the Distrust Decision
The affected root CA certificates include three specific issuers: Chunghwa Telecom’s ePKI Root Certification Authority and HiPKI Root CA – G1, along with NetLock’s Class Gold Főtanúsítvány certificate2. Google’s decision follows a pattern of non-compliance with the CA/Browser Forum Baseline Requirements, which establish minimum security standards for certificate authorities. The Chrome Security Team identified unresolved issues despite previous warnings, leading to this enforcement action.
Enterprise environments can override this distrust through Group Policy settings or local certificate stores in Chrome 127 and later versions. This exemption allows organizations with legacy systems to maintain operations while planning their migration to alternative certificate authorities. However, this workaround isn’t recommended for general web traffic due to potential security risks3.
Impact Assessment and Mitigation Strategies
Website operators using certificates from these authorities must transition to other CAs listed in the Chrome Root Store before the August deadline. The most immediate impact will be visible in Chrome’s security interface, where affected sites will display warnings that may deter visitors. System administrators can test the upcoming changes using Chrome’s command-line flag --test-crs-constraints to simulate the distrust behavior before it becomes mandatory4.
Certificate verification can be performed through Chrome’s Developer Tools under the Security tab, where the issuer details will show either “Chunghwa Telecom” or “NetLock” for affected certificates. This change doesn’t affect iOS devices, which use Apple’s separate root certificate store. The distrust action follows similar precedents, most notably Google’s 2018 decision to distrust Symantec certificates after widespread compliance issues5.
Security Implications and Best Practices
This enforcement action highlights Chrome’s increasingly strict approach to certificate authority oversight. Organizations should review their certificate chains to identify any dependencies on the affected CAs. The Chrome Root Program Policy provides detailed guidance on acceptable practices and compliance expectations for certificate authorities6.
Common SSL errors that may emerge from this change include certificate trust failures and security warnings. Recommended solutions include updating system time settings, renewing certificates with trusted authorities, and disabling antivirus HTTPS scanning when it interferes with legitimate certificates. Regular certificate audits and proactive renewal strategies can prevent similar disruptions in the future7.
Conclusion
Google’s decision to distrust these certificate authorities reinforces the importance of maintaining strict security standards in public key infrastructure. While the change may cause temporary disruptions, it ultimately strengthens web security by removing trust from non-compliant issuers. Organizations should complete their certificate migrations well before the August deadline to avoid service interruptions and maintain user trust in their online properties.
References
- “Sustaining digital certificate security: Chrome Root Store changes,” Google Security Blog, May 30, 2025. [Online]. Available: https://security.googleblog.com/2025/05/sustaining-digital-certificate-security-chrome-root-store-changes.html
- “Google Chrome to distrust Chunghwa Telecom, NetLock TLS certificates,” SecurityOnline, May 31, 2025. [Online]. Available: https://securityonline.info/google-chrome-to-distrust-chunghwa-telecom-netlock-tls-certificates/
- @the_yellow_fall, “Chrome root store updates,” Twitter, May 30, 2025. [Online]. Available: https://x.com/the_yellow_fall/status/1928632036136464723
- D. Ross, “Google Chrome to distrust Chunghwa Telecom,” LinkedIn, May 31, 2025. [Online]. Available: https://www.linkedin.com/posts/dlross_google-chrome-to-distrust-chunghwa-telecom-activity-7334746968650350593-ZndN
- “How to view SSL/TLS certificate details in Chrome 56+,” Entrust. [Online]. Available: https://www.entrust.com/knowledgebase/ssl/how-to-view-ssl-tls-certificate-details-in-chrome-56
- “Manage certificates in Chrome,” Google Support. [Online]. Available: https://support.google.com/chrome/a/answer/6342302
- “Fix Chrome SSL errors,” SSL2Buy. [Online]. Available: https://www.ssl2buy.com/wiki/fix-chrome-ssl-error-cannot-connect-to-real-google-com
