Google Chrome to Distrust Chunghwa Telecom and Netlock Certificates from August 2025

1 Star2 Stars3 Stars4 Stars5 Stars (5 votes, average: 5.00 out of 5)
Loading...
Chrome Distrust Chunghwa and Netlock TLS Certificates

Google Chrome announced that it would distrust new TLS/SSL certificates from two certificate authorities (CAs): Chunghwa Telecom and Netlock, effective August 1, 2025, with the release of Chrome version 139.

Apart from releasing new TLS/SSL standards, the Chrome announcement represents another significant step in Google’s campaign to demand accountability for CAs and create a more robust internet trust framework.

After months of monitoring and assessing the involvement of the aforementioned CAs, Google cited continual failures to comply with their internal policies, failure to have transparency with the Chrome team, and failure to address previous security breaches as a rationale for taking this action.

Websites using certificates from the aforementioned CAs after Chrome’s deadline will result in full-page security warnings in Chrome, e.g., “Your connection is not private,” etc.

This recent announcement continues the pattern of stricter enforcement of the Google Chrome Root Program by determining the removal of CAs that do not meet acceptable standards in the industry or that fail to instill the necessary trust from users.

Why Is Google Distrusting Chunghwa Telecom and Netlock?

Google’s distrust in Chunghwa Telecom and Netlock resulted from the year-long investigation, which revealed a pattern of repeated violations of compliance obligations, failure to comply with commitments to improve, and weak responses to publicly documented security incidents.

Ultimately, Google’s Chrome Root Program’s findings were that neither CA could be trusted going forward to protect secure web communications, and as public trust deteriorated in these issuers, Google had no choice but to remove them from the trusted root store proactively.

What Happens After August 1, 2025?

Starting with Chrome 139, any website that presents a certificate issued by Chunghwa Telecom or Netlock and has a Signed Certificate Timestamp (SCT) after July 31, 2025, will cause Chrome to render a full-page warning indicating the connection is insecure.

Technically, it could be clicked through; however, doing so has serious implications for security and erodes trust with your users. The experience will be similar to Chrome’s previous distrust actions—disruptive and trust-eroding for unsuspecting website operators.

What Certificates Will Be Distrusted?

Chrome will distrust any certificate (if dated after July 31, 2025) issued by Chunghwa Telecom’s ePKI Root Certification Authority and HiPKI Root CA – G1 and Netlock’s Arany (Gold Class) Root CA.

In Chrome 139 and greater, Chrome will default to distrust these specific certificates. Certificates that were issued before this date will still be trusted, in the interim, but will need to be migrated away from in the long term.

What Chrome Users Will See?

Users who choose to visit a website that is affected will see a full-page security interstitial warning that says the connection is not secure. The message will be similar to the messages when a site’s certificate has expired or is misconfigured.

Users can technically override this message, but they are most likely going to just stop visiting the site, resulting in a loss of traffic and trust for the site.

What Website Operators Must Do?

Administrators and developers utilizing Chunghwa Telecom or Netlock certificates must immediately examine their current installation.

Migrate to a Chrome trusted Certificate Authority, such as DigiCert, Sectigo, or Comodo, by July 31, 2025.

Merely reissuing a certificate from these soon-to-be untrusted CAs will only push the support for an additional short period. Chrome also has developer tools and command-line flags to check browser compatibility ahead of the block.

What Happened with Entrust?

This is not the first time Google has taken decisive action against certificate authorities. In 2024, Chrome also distrusted Entrust after discovering a lack of compliance, trustworthiness, and transparency, as well as maintaining security.

The distrust occurred from Chrome version 120, and again gave website operators only a short window to migrate CAs. This was important because it set a precedent.

When earning trust in the certificate ecosystem, this means the trust is continuous and should not be assumed depending on reputation.

Why This Matters?

Certificate Authorities are essential to ensuring internet security, HTTPS encryption, and secure data interchange. When trust is broken with a CA, that loss of trust can have massive downstream effects and affect millions of websites and users.

Google removing Chunghwa Telecom and Netlock is further tightening the practice for a more secure web space, as cyber threats are becoming more sophisticated and demanding higher levels of assurance from PKI providers.

Conclusion

If your website is using a Chunghwa Telecom or Netlock certificate, now is the time to make that switch to a trusted certificate provider before Chrome’s distrust takes effect in August.

Certera is a modern Certificate Authority (CA) and SSL Provider with a variety of SSL/TLS Certificates from CAs around the world, including Sectigo and DigiCert. 

Don’t wait until users are starting to see security warnings on your website. Act now, visit Certera.com, and protect your website today with a trusted SSL certificate from a reputable CA!

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.