Google says it will no longer trust root CA certificates signed by Taiwan’s Chunghwa Telecom and Hungary’s Netlock – a decision that follows 2024’s move to wash its hands of certificates issued by Germany’s Entrust. 

Its Chrome browser will throw up warnings for sites and applications using certificates signed by the two “on approximately August 1, 2025, affecting certificates issued at that point or later,” Google said in a June 5 blog. 

Google said: “Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.”

"Beginning in Chrome 127, enterprises can override Chrome Root Store constraints like those described in this blog post by installing the corresponding root CA certificate as a locally-trusted root on the platform Chrome is running (e.g., installed in the Microsoft Certificate Store as a Trusted Root CA)." – Google

The move comes after Chunghwa Telecom “misissued” 12,911 certificates in 2024 and then fought back against CA/Browser Forum members’ requests to revoke them, controversially saying that doing so by an industry-agreed deadline could crash air traffic control, paralyse healthcare facilities and bring down parts of the national grid.

See also: Revoking bad certificates could have apocalyptic consequences, CA warns

Nick France, CTO of CA Sectigo told The Stack at the time that for a CA, revoking a certificate is "actually incredibly easy as a technical process.

“We just basically click a button, and that gets the certificate serial number is then placed on a revocation. The problem lies with the customer who has this certificate, which they need to replace. 

“They'll need to go through the whole process to generate a new key and request a certificate, submit that to their CA, receive that certificate, and then go ahead and install it,” he explained: “That process can be done in seconds if you're automated and if you have the right tools in place. 

“But what we're seeing are customers of a CA finding it difficult to install a new one, whether they had it installed on a machine that had to have someone physically connect to it, or because of a security issue or an old system surprising that can’t be automated,” France added at the time. 

The link has been copied!