Google has established an independent Root Certificate Authority so it can implement HTTPS across all of its services in a more efficient and expedient way.
Google’s new Trust Services entity will manage and deploy digital certificates for all Google and Alphabet services, the company said Friday in a blog post.
The new unit will complement Google Internet Authority G2 (GIAG2), the third-party subordinate Certificate Authority that Google has been relying on so far for its Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate needs.
Because it can take a relatively long time to embed Root Certificates into products and their associated versions, Google also has purchased GlobalSign R2 and R4, two currently operating Root Certificate Authorities.
“These Root Certificates will enable us to begin independent certificate issuance sooner rather than later,” said Ryan Hurst, a member of Google’s security and privacy engineering group, in the blog post. For the time being, at least, Google will keep the GIAG2 subordinate certificate authority in operation, he added.
Websites and services use digital certificates to authenticate their identities to browsers. Anyone can generate these certificates, but because they are essential for online trust, they have to be signed by a trusted certificate authority in order to be recognized as bona fide.
Root certificate authorities sit on top of the public key certificate trust chain and are responsible for validating the authenticity of digital certificates issued by subordinate authorities.
Google Trust Services will operate a total of six Root Certificates: GTS Root 1 to GTS Root 4 and the GlobalSign GS R2 and GS R4 roots that Google just acquired. Again, with a view to speeding up the process of implementing a Root Certificate Authority, Google also has secured the option of cross-signing its certificates using GlobalSign’s R3 Root and also a Root from GeoTrust. Most of Google’s Root Certificates are valid for between 15 and 20 years except for two, which are scheduled to expire within the next five years.
Developers that are building products that will connect to a Google website or service should include Google’s Roots in their list of trusted roots, Hurst said. Because Google may operate subordinate Certificate Authorities under third-party roots, developers should consider including a wide set of trustworthy roots, he added.
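One way a developer could check a client's trust store against that advice, shown as an added example that is not from Google or the original article: it reports which wanted roots are absent and which matching roots expire within five years. The subject labels, the sample store and the `audit_roots` helper are assumptions made for illustration.

```python
import ssl
import time

# Constructed sample in the dict format returned by ssl.SSLContext.get_ca_certs().
# Subjects and dates are illustrative, not copied from a real trust store.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Google Trust Services LLC"),),
                 (("commonName", "GTS Root R1"),)),
     "notAfter": "Jun 22 00:00:00 2036 GMT"},
    {"subject": ((("organizationalUnitName", "Example Root CA - X1"),),
                 (("commonName", "Example"),)),
     "notAfter": "Dec 15 00:00:00 2021 GMT"},
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2017 GMT")

def subject_values(cert):
    """Flatten the nested RDN tuples of one entry into a set of attribute values."""
    return {value for rdn in cert.get("subject", ()) for _attr, value in rdn}

def audit_roots(ca_certs, wanted, now=None, warn_days=5 * 365):
    """Return (missing, expiring) for the wanted root labels.

    missing:  labels that match no subject attribute (CN, OU, O) in the store.
    expiring: {label: whole days left} for matches expiring within warn_days.
    """
    now = time.time() if now is None else now
    missing, expiring = [], {}
    for label in wanted:
        matches = [c for c in ca_certs if label in subject_values(c)]
        if not matches:
            missing.append(label)
            continue
        # Several certificates can share a label; the longest-lived one decides.
        latest = max(ssl.cert_time_to_seconds(c["notAfter"]) for c in matches)
        days_left = int((latest - now) // 86400)
        if days_left < warn_days:
            expiring[label] = days_left
    return missing, expiring

if __name__ == "__main__":
    # Audit the platform default store. get_ca_certs() lists only certificates
    # already loaded from a CA file; entries in a capath directory load lazily.
    store = ssl.create_default_context().get_ca_certs()
    # Assumed subject labels for Google's roots; confirm against Google's list.
    wanted = ["GTS Root R1", "GTS Root R2", "GTS Root R3", "GTS Root R4"]
    missing, expiring = audit_roots(store, wanted)
    print("missing:", missing)
    print("expiring within 5 years:", expiring)
```

Matching on subject text only shows that a certificate with that name is present; pinning or comparing fingerprints published by the CA is needed to confirm it is the genuine root.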
Google has been focused for some time on implementing the HTTPS protocol across all its services in an effort to secure them better against common attacks. Websites that use HTTPS encrypt all communications between the browser and server, making the communications much harder to intercept and to compromise.
The subordinate GIAG2 certificate authority that Google has relied on for so long has played a critical role in enabling the shift to HTTPS.
By establishing an independent Root Certificate Authority, Google will no longer have to rely on intermediaries to issue SSL and TLS certificates to authenticate its sites and services. The company will have complete control over the entire certificate issuance, management and revocation process and be in a better position to spot illegal or improperly issued certificates for any of its domains.