Chrome will soon have its own dedicated certificate root store

Currently, Chrome uses the certificate root store that is part of each operating system. Google plans to manage its own list of "approved" certificates from now on, similar to Firefox.

Image: Christiaan Colen (Flickr)

Google has announced plans to run its own certificate root program/store for Chrome, in a major architectural shift for the company's web browser program.

A "root program" or a "root store" is a list of root certificates that operating systems and applications use to verify the identity of a software program during its installation routine.

Browsers like Chrome use root stores to check the validity of an HTTPS connection.

They do this by looking at the website's TLS certificate and checking if the root certificate that was used to generate the TLS cert is included in the local root program/store.

Chrome will shift from OS root store to its own

Since its launch in late 2009, Chrome was configured to use the "root store" of the underlying platform. For example, Chrome on Windows checked a site's TLS certificate against the Microsoft Trusted Root Program, the root store that ships with Windows; Chrome on macOS relied on the Apple Root Certificate Program; and so on.

But in a wiki page, shared with ZDNet by one of our readers, Google announced plans to create its own root store, named the Chrome Root Program, that will ship with all versions of Chrome, on all platforms, except iOS.

The program is currently in its incipient stages, and there is no timeline of when Chrome will transition from using the OS root store to its own internal list.

For now, Google has published rules for Certificate Authorities (CAs), the companies that issue TLS certificates for websites.

The browser maker is urging CAs to read the rules and apply to be included in its new Chrome Root Program whitelist to ensure a seamless transition for Chrome users when the time comes.

With a market share of 60% to 65%, Chrome is the gateway for most users to the internet, and most CAs will most likely have their affairs in order when the transition moment comes.

Similar to Firefox

This approach of packing the root store inside a browser rather than using the one provided by the underlying OS isn't new and is what Mozilla has been doing for Firefox since its launch.

Reasons to do so are many, starting with the ability for Chrome's security team to intervene and ban misbehaving CAs faster, and Google's desire to provide a consistent experience and common implementation across all platforms.

However, the change was not met with open arms. One place where this move is expected to cause friction is in enterprise environments, where some companies like to keep an eye on what certificates are allowed in the root store of their devices.

"This will generate more work for system administrators," Bogdan Popovici, an IT administrator at a large software company in Iasi, Romania, told ZDNet. "We now have another root store list to manage, new group policies to set up, and a new changelog to follow. We're already busy as it is."

"This is not an improvement! I need another root store to maintain like I need a hole in my head," said Reddit user Alan Shutko. "It just makes it more difficult for companies that have their own CA to keep everything in sync."
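The root-store check described in this article, and the sync concern administrators raise, as an added example (not code from Google or Chrome): Go's standard `crypto/x509` verifies a site certificate issued by a company's own CA against an OS-style store that contains the corporate root and against an application-bundled store that, by assumption, does not. The function names, CA names and host name are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name; a nil parent yields a self-signed root CA.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{name},
	}
	if parent == nil { // root: CA flag set, no hostname, signed with its own key
		t.IsCA, t.BasicConstraintsValid, t.DNSNames, t.KeyUsage = true, true, nil, x509.KeyUsageCertSign
		parent, parentKey = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cannot fail for DER we just produced
	return cert, priv
}

// trustedBy reports whether leaf chains to a root in store and is valid for host.
func trustedBy(store *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}

// compareStores checks one internal site against an OS-style and a bundled store.
func compareStores() (osOK, appOK bool) {
	publicCA, _ := issue("Public Root (constructed)", nil, nil)
	corpCA, corpKey := issue("Corp Internal Root (constructed)", nil, nil)
	site, _ := issue("intranet.corp.example", corpCA, corpKey)
	osStore, appStore := x509.NewCertPool(), x509.NewCertPool()
	osStore.AddCert(publicCA)
	osStore.AddCert(corpCA) // assumption: the admin deployed the corporate root to the OS store only
	appStore.AddCert(publicCA)
	return trustedBy(osStore, site, "intranet.corp.example"), trustedBy(appStore, site, "intranet.corp.example")
}
func main() { fmt.Println(compareStores()) }
```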